Metasploit team releases BlueKeep exploit

Metasploit BlueKeep module can achieve code execution, is easy to use.
Written by Catalin Cimpanu, Contributor

The developers of the Metasploit penetration testing framework have released today a weaponized exploit for the BlueKeep Windows vulnerability.

While other security researchers have released defanged BlueKeep proof-of-concept code in the past, this exploit is advanced enough to achieve code execution on remote systems, infosec experts who reviewed the Metasploit module have told ZDNet.

What is BlueKeep?

BlueKeep, also known as CVE-2019-0708, is a vulnerability in the Remote Desktop Protocol (RDP) service in older versions of the Windows operating system (Windows XP, Windows 2003, Windows 7, Windows Server 2008, and Windows Server 2008 R2).

Microsoft patched BlueKeep in the May 2019 Patch Tuesday security fixes released on May 14, and warned users to apply the patches as soon as possible.

At the time, to spur users into patching faster, the OS maker described BlueKeep as a "wormable" vulnerability that could self-propagate, in the same way the EternalBlue exploit helped the WannaCry ransomware spread to millions of computers in 2017.

Since it was made public, the cyber-security community has been holding its collective breath for the release of a first weaponized BlueKeep exploit, fearing it may be abused in the same manner and help power a global malware outbreak.

Microsoft has repeatedly told users to apply patches, and even the US National Security Agency (NSA), the US Department of Homeland Security, Germany's BSI cyber-security agency, the Australian Cyber Security Centre, and the UK's National Cyber Security Centre have issued security alerts urging users and companies to patch older versions of Windows.

Various cyber-security firms and security researchers have developed BlueKeep exploits, but all declined to release the code, fearing its consequences.

In July, the infosec community got a first scare when a cyber-security company named Immunity Inc. started selling a private BlueKeep exploit; however, the exploit remained private and never leaked.

The new BlueKeep Metasploit module

But today, Rapid7, the cyber-security firm behind the open-source Metasploit framework, published a BlueKeep exploit as a Metasploit module, available to everyone.

Unlike the dozens of BlueKeep proof-of-concept exploits uploaded to GitHub over the past months, this module (exploit/windows/rdp/cve_2019_0708_bluekeep_rce) can achieve code execution.

However, the Metasploit module has been somewhat defanged. Currently it only works in a "manual" mode, meaning it needs operator input to run correctly.

Metasploit operators must set a target that describes the system they are attacking: the Windows version and whether it runs on bare metal or under a specific hypervisor (VirtualBox, VMware or Hyper-V), because the kernel memory address the exploit relies on differs between those environments. Choosing the wrong target typically crashes the machine with a blue screen rather than returning a shell. This means the exploit can't be used in an automated manner as a self-spreading worm, but it will work for targeted attacks.

For example, a hacker group that has gained access to a corporate network can deploy it on a system-by-system basis and eventually compromise all nearby workstations one by one, given enough time.

Furthermore, the BlueKeep Metasploit module only works against 64-bit versions of Windows 7 and Windows Server 2008 R2, not the other Windows versions that were also vulnerable to BlueKeep. This detail further narrows its usefulness for criminal endeavors, although it does not rule them out.

700,000 systems still vulnerable

Although a module was released today, security experts don't expect to see malware campaigns or hacks leveraging it right away.

As with any tool, there is a learning curve, even for attackers, as they get used to it.

Nonetheless, by the time black-hats get used to the module, there will still be plenty of vulnerable systems around. This is because, despite having had nearly four months to patch the BlueKeep vulnerability, most users and companies have failed to apply Microsoft's patches.

According to a BinaryEdge scan, there are still 700,000 systems vulnerable to BlueKeep exposed on the internet, and possibly millions more inside firewalled networks. (Organizations can locate such hosts on their own networks with Metasploit's non-destructive scanner module, auxiliary/scanner/rdp/cve_2019_0708_bluekeep, which has been available since shortly after the patch.)
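For administrators who want to confirm a single host's status rather than rely on a network scan, the following PowerShell script is an added example (not code from this article, from Rapid7 or from Microsoft). It reports whether the May 2019 BlueKeep update is installed on a Windows 7 SP1 / Server 2008 R2 SP1 host and whether RDP is enabled, on which port, and with Network Level Authentication (NLA) turned on. The KB numbers are the ones Microsoft shipped for those two OS versions on May 14, 2019 and are assumptions to verify against Microsoft's advisory; later monthly rollups supersede KB4499164 and also contain the fix, and Windows Server 2008 SP2, XP and 2003 use different KB numbers.

```powershell
# Added example, not code from the ZDNet article, Rapid7/Metasploit or Microsoft.
# Checks a Windows 7 SP1 / Server 2008 R2 SP1 host for the CVE-2019-0708 (BlueKeep)
# update and reports the RDP settings that decide exposure. Run in an elevated prompt
# on the host itself.
#
# Assumptions: KB4499175 (security-only) and KB4499164 (monthly rollup) are the
# May 14, 2019 updates for Windows 7 SP1 / 2008 R2 SP1. Later monthly rollups
# supersede KB4499164 and also carry the fix, so a host showing neither KB but with a
# rollup installed after 2019-05-14 is likely patched; confirm against the advisory.
$bluekeepKbs = @('KB4499175', 'KB4499164')
$fixDate     = Get-Date '2019-05-14'

# Get-WmiObject rather than Get-CimInstance so this also runs on the PowerShell 2.0
# that ships with Windows 7 by default.
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("OS: {0} (version {1})" -f $os.Caption, $os.Version)

# 1. Is the fix present, either directly or via a later update?
$installed = Get-HotFix
$direct = $installed | Where-Object { $bluekeepKbs -contains $_.HotFixID }
$newer  = $installed | Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $fixDate } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1

if ($direct) {
    Write-Host ("PATCHED: {0} installed" -f (($direct | ForEach-Object { $_.HotFixID }) -join ', '))
} elseif ($newer) {
    Write-Host ("LIKELY PATCHED: no BlueKeep KB listed, but {0} was installed on {1}; confirm it is a monthly rollup" -f $newer.HotFixID, $newer.InstalledOn.ToShortDateString())
} else {
    Write-Host "VULNERABLE: no May 2019 or later update found"
}

# 2. Is RDP enabled, on which port, and is NLA on?
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

Write-Host ("RDP enabled: {0}" -f ($deny -eq 0))
Write-Host ("RDP port:    {0}" -f $port)
Write-Host ("NLA on:      {0}" -f ($nla -eq 1))

# NLA makes the client authenticate before the vulnerable channel setup is reachable,
# so an unauthenticated attacker is blocked. Microsoft listed it as a mitigation, not a
# fix: any valid account can still trigger the bug, so the update is still required.
```

The script reads settings from the registry rather than probing TCP 3389 so it can run on a host where RDP is enabled but firewalled; a host that shows "VULNERABLE" with RDP enabled and NLA off is exactly the profile the BinaryEdge count refers to.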
