US company selling weaponized BlueKeep exploit

An exploit for a vulnerability that Microsoft feared it may trigger the next WannaCry is now being sold commercially.
Written by Catalin Cimpanu, Contributor

A US cyber-security company is selling a weaponized BlueKeep exploit as part of a penetration testing utility.

BlueKeep, also known as CVE-2019-0708, is a vulnerability in the Remote Desktop Protocol (RDP) service included in older versions of the Windows operating system.

Microsoft released patches for BlueKeep on May 14, and described it as a "wormable" vulnerability that could self-propagate in a similar manner how the EternalBlue helped propagate the WannaCry ransomware outbreak.

The vulnerability was considered incredibly dangerous. Microsoft has repeatedly told users to apply patches, and even the US National Security Agency (NSA), the US Department of Homeland Security, Germany's BSI cyber-security agency, the Australian Cyber Security Centre, and the UK's National Cyber Security Centre have issued security alerts urging users and companies to patch older versions of Windows.

For the last two months, security researchers have been holding their collective breadth that malware authors don't discover a way to weaponize BlueKeep.

Several cyber-security firms have said they've come up with fully-working BlueKeep exploits, yet they declined to release proof-of-concept code because they feared it might get abused and spark another wave of WannaCry-like infections across the globe.

BlueKeep exploit sold part of pen-testing tool

But on Tuesday, July 23, Immunity Inc. announced it included a fully-working BlueKeep exploit inside CANVAS v7.23, the company's pen-testing toolkit.

In the past, there have been several BlueKeep exploits uploaded on GitHub that could crash remote Windows systems if they had an open RDP service exposed online.

Immunity's CANVAS BlueKeep module can achieve remote code execution -- namely open a shell on infected hosts.

While CANVAS licenses cost between thousands and tens of thousands of US dollars, hackers have been known to pirate or legitimately buy penetration testing tools (e.g. Cobalt Strike).

This marks the first time a BlueKeep exploit is accessible, albeit to a limited audience. However, if there's someone who can afford to dish out the money, it's malware operations and intelligence agencies.

"This vulnerability is known and any reasonably competent exploit writer could write an exploit for it based on publicly available information," Chris Day, Cyxtera's Chief Cybersecurity Officer and GM, Threat Management and Analytic, told ZDNet via email. Cyxtera acquired Immunity in June 2018.

"The Immunity product, Canvas, has more than 800 exploits. All of them, including BlueKeep, have a patch," Day added. "We happen to be the first commercial company to include this in our product so companies can test to see if their exposed RDP-enabled systems are actually secure against the vulnerability.

"Also, our version is not self-propagating (a worm)."

Immunity released its BlueKeep exploit on the same day cyber-security analysts began sharing and studying the most detailed write-up on the BlueKeep vulnerability known to date.

However, Dave Aitel, Immunity CEO, said their exploit was the result of their own research, and not based on the write-up authored by a Chinese researcher and presented at a security conference in China over the last weekend.

There's still time to patch

Until Immunity's BlueKeep exploit leaks, companies and users still have time to patch their systems.

BlueeKeep is known to affect Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008. Patches are available for all, along with mitigations and workarounds -- see here. Modern Windows 10 versions are not impacted.

At the end of May, security researchers estimated the number of Windows systems that were vulnerable to BlueKeep at around one million systems.

A scan carried out at the start of July by cyber-security firm BitSight found that the number of vulnerable hosts had gone down, but only slightly, to around 805,000.

Laying the groundwork

While malware groups have not gotten their hands on a weaponized BlueKeep exploit, this hasn't stopped them from laying the groundwork.

In late May, a threat actor hidden behind Tor nodes began aggressively scanning the internet for Windows systems vulnerable to the BlueKeep flaw.

Since then, more and more malicious actors have done the same, with the latest to join the fold being the WatchBog botnet this week.

According to Paul Litvak, a security researcher with Intezer Labs, the operators of WatchBog, a botnet of hijacked Linux servers that are involved in stealthy crypto-mining operations, have recently added a BlueKeep scanner to their malware.

Litvak said this "suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit."

The cyber-security community is treating BlueKeep akin to a nuclear doomsday clock, and for a good reason. This is a very dangerous security flaw and companies should patch systems to avoid getting hacked when the clock strikes midnight.

Article updated on July 25, 4:25pm ET with comment from Cyxtera.

HackerOne's top 20 public bug bounty programs

More vulnerability reports:

Editorial standards