Windows security: Have BlueKeep fears led to jump in patching? Nope

Reports about BlueKeep attacks dropping a coin miner haven't scared admins into patching faster.

Despite recent reports that hackers are using BlueKeep to compromise Windows systems, there's no evidence that it has prompted more admins to patch vulnerable machines. 

That's according to an analysis by researchers at the SANS Institute, who ran an internet scan using the Shodan.io service to find systems that are exposed to the internet and vulnerable to the BlueKeep RDP flaw.

The research aimed to see if recent reports about exploitation had any noticeable effect on how many systems were vulnerable over time. Apparently, not much. 

Jan Kopriva details his method for assessing the rate of BlueKeep patching on the SANS Institute's blog. On a positive note, it appears that vulnerable systems have been steadily patched ever since May, when Microsoft released the patch alongside a warning that the flaw was "wormable", meaning it could be exploited by a worm to quickly infect all unpatched machines on a network.

"As we may see, the percentage of vulnerable systems seems to be falling more or less steadily for the past couple of months and it appears that media coverage of the recent campaign didn't do much to help it," he wrote.  

But perhaps the failure of these reports to have an impact is not surprising. Researchers detected BlueKeep attacks hitting a honeypot from October 23, but the malware was not a self-propagating worm like WannaCry and only delivered a cryptocurrency miner. The first report of these attacks was on November 2. 

The percentage of vulnerable machines is likely to decline again this week after today's Patch Tuesday release from Microsoft. 

[Chart: bk-percentage.png]

The percentage of vulnerable systems has fallen steadily, apparently unaffected by widespread BlueKeep coverage.  

Image: Jan Kopriva/SANS Institute

However, there are still many machines that are ripe for the picking for an attacker who develops a BlueKeep worm. 

"Since there still appear to be hundreds of thousands of vulnerable systems out there, we have to hope that the worm everyone expects doesn't arrive any time soon," Kopriva added.

Researchers have found that the BlueKeep attackers were scanning the internet for Windows systems with open RDP ports and using a BlueKeep exploit recently added to the Metasploit penetration testing framework.

Fortunately, the attacks were also causing target machines to crash with a blue screen, which works against the attacker. However, that BSOD glitch is expected to be addressed soon in an update to the existing Metasploit BlueKeep exploit.

Besides media reports of the attacks, Microsoft last week issued a new alert for users and admins to be aware of BlueKeep attacks with worse payloads than coin miners. 

But a BlueKeep worm might not be the worst threat to come from BlueKeep. UK researcher Marcus Hutchins, who is credited with stopping the WannaCry outbreak, argues that since most devices vulnerable to BlueKeep are servers, a worm might not be necessary to create havoc.

If an attacker can compromise a network server, it would be easy to use automated tooling to cause the server to deliver ransomware to every system on the same network, he pointed out.   