Despite recent reports that hackers are using BlueKeep to compromise Windows systems, there's no evidence that it has prompted more admins to patch vulnerable machines.
That's according to an analysis by researchers at the SANS Institute, who ran an internet scan using the Shodan.io service to find systems that are exposed to the internet and vulnerable to the BlueKeep RDP flaw.
The research aimed to see if recent reports about exploitation had any noticeable effect on how many systems were vulnerable over time. Apparently, not much.
Jan Kopriva details his method for assessing the rate of BlueKeep patching on the SANS Institute's blog. On a positive note, it appears that vulnerable systems have been steadily patched ever since May, when Microsoft released the patch alongside a warning that the flaw was "wormable", meaning it could be exploited by a worm to quickly infect all unpatched machines on a network.
"As we may see, the percentage of vulnerable systems seems to be falling more or less steadily for the past couple of months and it appears that media coverage of the recent campaign didn't do much to help it," he wrote.
But perhaps the failure of these reports to have an impact is not surprising. Researchers detected BlueKeep attacks hitting a honeypot from October 23, but the malware was not a self-propagating worm like WannaCry and only delivered a cryptocurrency miner. The first report of these attacks was on November 2.
The percentage of vulnerable machines is likely to decline again this week after today's Patch Tuesday release from Microsoft.
However, there are still many machines that are ripe for the picking for an attacker who develops a BlueKeep worm.
"Since there still appear to be hundreds of thousands of vulnerable systems out there, we have to hope that the worm everyone expects doesn't arrive any time soon," Kopriva added.
Researchers have found that the BlueKeep attackers were scanning the internet for Windows systems with open RDP ports and using a BlueKeep exploit recently added to the Metasploit penetration testing framework.
Fortunately for defenders, the attacks were also causing target machines to crash with a blue screen of death (BSOD), which works against the attacker. However, the BSOD glitch will be addressed soon in an update to the existing Metasploit BlueKeep exploit.
Besides media reports of the attacks, Microsoft last week issued a new alert for users and admins to be aware of BlueKeep attacks with worse payloads than coin miners.
But a BlueKeep worm might not be the worst threat to come from BlueKeep. UK researcher Marcus Hutchins, who is credited with stopping the WannaCry outbreak, argues that since most devices vulnerable to BlueKeep are servers, a worm might not be necessary to create havoc.
If an attacker can compromise a network server, it would be easy to use automated tooling to cause the server to deliver ransomware to every system on the same network, he pointed out.