The Bluekeep exploit has finally arrived
This topic has 11 replies, 6 voices, and was last updated 5 years, 6 months ago.

GoneToPlaid (AskWoody Lounger), November 2, 2019 at 11:13 pm #1998092
OscarCP (Member), November 2, 2019 at 11:38 pm #1998095

From the ZDNet article (link provided by GoneToPlaid): “Instead, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team back in September to hack into unpatched Windows systems and install a cryptocurrency miner.”
Several of us commented back then about this very thing: the public release of the “proof of concept” demo that, at least to us, looked like an insanely irresponsible act by the Metasploit “security” experts.
The fact that this first exploit, that was aimed to turn the attacked PCs into a bunch of cryptocurrency mining drones, has merely caused the PCs to BSOD, because, according to the same article, the attack was conducted by someone who did not know how to use the Metasploit demo malware properly, is not the best reason ever to feel relieved by the fact that nothing worse has happened. For now.
In the meantime, besides being fully up-to-date patched, which I hope most of us already are, what else should we do right now about this?
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
Kirsty (Manager), November 3, 2019 at 12:45 am #1998126

OscarCP: “In the meantime, besides being fully up-to-date patched, which I hope most of us already are, what else should we do right now about this?”

From Catalin Cimpanu’s ZDNet article:

“…the hackers appear to search for Windows systems with RDP ports left exposed on the internet, deploy the BlueKeep Metasploit exploit, and later a cryptocurrency miner.”

It impacts only:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008

So anyone using those systems should check they are patched, and their RDP ports aren’t exposed.
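The ZDNet quote above describes attackers searching the internet for hosts with RDP reachable, so one way to answer “is my RDP port exposed?” from your own evidence is to look at what the host firewall has logged. The script below is an added example, not code from this thread, ZDNet or Metasploit: it reads Windows Firewall log lines (the pfirewall.log layout, with a `#Fields:` header), keeps only inbound TCP 3389 attempts, discards RFC 1918, loopback and link-local sources, and reports which outside addresses were allowed through. The log lines, addresses and counts are constructed for the demonstration.

```python
"""Detect internet-sourced connection attempts against RDP (TCP 3389) in a
Windows Firewall log.  Added example; not code from the AskWoody thread or
the articles it quotes.  The log lines below are constructed in the
W3C-style layout Windows Firewall uses for pfirewall.log; the addresses,
timestamps and counts are invented for the demonstration."""

import ipaddress
from collections import Counter

RDP_PORT = 3389

# Address space treated as "inside the house": RFC 1918 plus loopback and
# link-local.  Anything else is assumed to come from the internet.  (The
# ipaddress module's is_private flag also covers the RFC 5737 documentation
# ranges used in the sample below, which is why this list is explicit.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample: a workstation at 192.168.1.20 whose RDP port is
# forwarded from the internet, probed by two outside hosts (RFC 5737
# documentation addresses) and one LAN admin box.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-11-03 08:20:01 ALLOW TCP 203.0.113.45 192.168.1.20 51234 3389 0 - 0 0 0 - - - RECEIVE
2019-11-03 08:20:02 ALLOW TCP 203.0.113.45 192.168.1.20 51235 3389 0 - 0 0 0 - - - RECEIVE
2019-11-03 08:20:05 ALLOW TCP 198.51.100.9 192.168.1.20 40000 3389 0 - 0 0 0 - - - RECEIVE
2019-11-03 08:21:10 ALLOW TCP 192.168.1.5 192.168.1.20 52000 3389 0 - 0 0 0 - - - RECEIVE
2019-11-03 08:21:11 ALLOW TCP 203.0.113.45 192.168.1.20 51236 445 0 - 0 0 0 - - - RECEIVE
2019-11-03 08:21:12 DROP TCP 203.0.113.77 192.168.1.20 33000 3389 0 - 0 0 0 - - - RECEIVE
"""


def is_internal(ip):
    """True for addresses that cannot have arrived from the public internet."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def rdp_exposure_report(text):
    """Summarise inbound RDP traffic from outside addresses: who reached
    3389, how often, and whether anyone was ALLOWed (the port is exposed)."""
    allowed = Counter()
    dropped = Counter()
    for rec in parse_firewall_log(text):
        if rec["protocol"] != "TCP" or rec["dst-port"] != str(RDP_PORT):
            continue
        if rec["path"] != "RECEIVE":
            continue  # only inbound attempts say anything about exposure
        src = ipaddress.ip_address(rec["src-ip"])
        if is_internal(src):
            continue  # LAN management sessions are not internet exposure
        bucket = allowed if rec["action"] == "ALLOW" else dropped
        bucket[str(src)] += 1
    return {
        "exposed": bool(allowed),
        "allowed_sources": dict(allowed),
        "dropped_sources": dict(dropped),
    }


if __name__ == "__main__":
    report = rdp_exposure_report(SAMPLE_LOG)
    if report["exposed"]:
        print("RDP reachable from the internet; allowed sources:")
        for src, n in sorted(report["allowed_sources"].items()):
            print(f"  {src}: {n} connection(s)")
    else:
        print("No internet source was allowed to reach TCP 3389.")
```

Run it against an exported pfirewall.log instead of `SAMPLE_LOG` and the counters give a per-source history of who has been knocking on 3389; a steadily growing list of unrelated outside addresses is the “indiscriminate scanning” the Bad Packets quote in this thread refers to, and any ALLOW entry from outside means the port is exposed regardless of what a remote scanner reports.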
Kirsty (Manager), November 3, 2019 at 12:30 am #1998105

BlueKeep (CVE-2019-0708) exploitation spotted in the wild
November 3, 2019

Conclusion:

“It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponized. One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved.

Although this alleged activity is concerning, the information security community (correctly) predicted much worse potential scenarios. Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack. It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.”

Read the full article here.
OscarCP (Member), November 3, 2019 at 1:52 am #1998127

Kirsty: “Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port” It is quite reassuring not to see any evidence of widespread attacks. Thanks for this information.
It does not seem that the malware code used was “weaponized”, meaning that something not actually useful as a weapon, only potentially so, was made into one by some crafty criminals. Going by what has transpired so far, what has been used is the very same code released by Metasploit in September as a “proof of concept” to the wide world, so anyone could get a copy and use it at his or her pleasure. Which means that the code has turned out, in the event, to be already useful as a weapon that finally has been used and just in the form it was released from Metasploit. Fortunately, it was not handled very well by the wannabe attacker. Unfortunately, if handled properly and it being already a weapon, anyone who knows how can use it as is to do some real harm. Now I am wondering, thinking about all this, whether the Metasploit people responsible are already having or about to start having a restful time in some cheerful and pleasant County jail looking forward to a fun-filled trial? And if not, why not?
Also, using the link you placed in your previous posting, I have not found any information on RDP, or any mention of Bluekeep. Maybe you meant to put a different link there?
Kirsty (Manager), November 3, 2019 at 2:09 am #1998159

OscarCP: “Also, using the link you placed in your previous posting, I have not found any information on RDP, or any mention of Bluekeep. Maybe you meant to put a different link there?”
I presume you are referring to the link in #1998126?
That link is to Shields Up!, the port scanner from GRC (Steve Gibson), so those interested can check to see if they have RDP ports exposed. Sorry, I thought that would be helpful…
Once the “fine print” has been read, clicking on Proceed takes one to the action page.
OscarCP (Member), November 3, 2019 at 2:33 am #1998184

Kirsty,
Well yes, I was referring to that link. Now, forearmed with the additional information you have so nicely provided, with my Mac (the Win 7 PC is sleeping at the moment) as the computer and Waterfox as the browser, I went in and punched those buttons and got told that my Mac is pretty much invisible to likely attackers and other malcontents and pretty much impenetrable, except that I can get pinged. Now, it’s been quite a while since I used “ping” to see if some server or someone’s machine was up and running and did not know that being pingable was a potential danger. OK, now I know that. So, should I do something about it, or would preventing others from pinging me create more problems than it would help prevent? And how does one become unpingable, anyways?
Tomorrow I’ll try this with my Win 7 PC, see what shape it is in.
By the way, did you remember to turn back one hour all your clocks and watches?
As to just how amazingly stealthy my Mac actually is, here is the report I got from GRC (my router also was pronounced pretty stealthy):
———————————————————————-
GRC Port Authority Report created on UTC: 2019-11-03 at 08:20:18

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    0 Ports Open
    0 Ports Closed
   26 Ports Stealth
———————
   26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED – ALL tested ports were STEALTH,
                   – NO unsolicited packets were received,
                   – A PING REPLY (ICMP Echo) WAS RECEIVED.
———————————————————————-
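The report quoted above answers a narrower question than the thread assumes: the list it scanned stops at port 5000 and never includes TCP 3389, so a clean “common ports” result says nothing about RDP, and the TruStealth failure is only the ICMP echo reply. The parser below is an added example, not GRC’s code or anything from this thread; it reads a report in the quoted layout, expands the port ranges, cross-checks the counts, and reports whether 3389 was actually tested. The report text is a constructed sample that mirrors the one above.

```python
"""Parse a GRC ShieldsUP! Port Authority report and answer two questions the
thread raises: was TCP 3389 (RDP) among the tested ports, and why did
TruStealth fail?  Added example; not GRC's own code.  SAMPLE_REPORT is a
constructed sample in the layout of the report quoted in the thread."""

import re

RDP_PORT = 3389

SAMPLE_REPORT = """\
----------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2019-11-03 at 08:20:18

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    0 Ports Open
    0 Ports Closed
   26 Ports Stealth
---------------------
   26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.
----------------------------------------------------------------------
"""


def expand_ports(spec):
    """Turn '0, 21-23, 25' into [0, 21, 22, 23, 25]; ranges are inclusive."""
    ports = []
    for item in spec.replace("\n", " ").split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    return ports


def parse_grc_report(text):
    """Return the tested ports, the four summary counts, whether those counts
    agree with each other, and the TruStealth / ICMP echo outcome."""
    # The port list runs from "scan of ports:" up to the "N Ports Open" line.
    m = re.search(r"scan of ports:(.*?)\n\s*\d+ Ports Open", text, re.S)
    if not m:
        raise ValueError("port list not found in report")
    ports = expand_ports(m.group(1))

    counts = {}
    for label in ("Open", "Closed", "Stealth", "Tested"):
        cm = re.search(r"(\d+) Ports " + label, text)
        counts[label.lower()] = int(cm.group(1)) if cm else None

    complete = all(v is not None for v in counts.values())
    consistent = complete and counts["tested"] == len(ports) and \
        counts["tested"] == counts["open"] + counts["closed"] + counts["stealth"]

    tm = re.search(r"TruStealth:\s*(PASSED|FAILED)", text)
    ping_reply = "PING REPLY (ICMP Echo) WAS RECEIVED" in text

    return {
        "ports": ports,
        "counts": counts,
        "counts_consistent": consistent,
        "rdp_tested": RDP_PORT in ports,
        "trustealth": tm.group(1) if tm else None,
        "ping_reply_received": ping_reply,
    }


if __name__ == "__main__":
    r = parse_grc_report(SAMPLE_REPORT)
    print(f"{len(r['ports'])} ports tested, counts consistent: {r['counts_consistent']}")
    print(f"TCP {RDP_PORT} (RDP) covered by this scan: {r['rdp_tested']}")
    print(f"TruStealth {r['trustealth']}; ICMP echo reply seen: {r['ping_reply_received']}")
```

When `rdp_tested` comes back false, as it does for the quoted report, the scan has not checked RDP at all; ShieldsUP! also offers a user-specified port probe, which is the one to run with 3389 if that is the question being asked. The `counts_consistent` check is there because copy-pasted reports often lose line breaks (the one in this thread had the port list and the first count fused), and a mismatch between the expanded list and the “Ports Tested” total is the quickest way to notice that.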
Paul T (AskWoody MVP)
OscarCP (Member), November 3, 2019 at 2:01 pm #1998460

Paul T: “The GRC test is effectively only testing your router”
Let me begin by assuming that these tests are just of the router (the GRC site of the tests does mention “your computer” and “TCP Internet connections”, but it is ambiguous as to what is tested: the router, or the computer itself as well as the router). Then, why should that not be good enough? Virtually all my access to the Internet is through my router. Unless some neighbor is spoofing my WiFi channel between router and laptop, (when — not often — I am using the router’s WiFi, rather than its Ethernet connection) which I very much doubt anyone near enough to me can or will do. I live in a nice apartment building, my neighbors are outstanding people, none of them are experts on informatics, and my laptop very rarely leaves it, so I have never used it in an airport or a Starbucks or connecting it through hot spots. Do these facts rule absolutely any possibility of my being vulnerable to some malignant attacks? Of course not, that would be as realistic as expecting to be invulnerable to Death. But, unless there are reasons to worry that I don’t see here, I would be inclined to think that I am safe enough — and that would be good enough for me.
But, whether this belief of mine is correct or not, I still think that the Metasploit people could be much improved by a reasonably long stint in jail, all expenses covered (except for those few others that can be paid using smuggled cigarettes and such).
anonymous (Guest)
OscarCP (Member), November 3, 2019 at 4:09 pm #1998528

Thank you, Anonymous. I followed your advice and found out that “Ping ICMP flood attacks” are denial of service attacks, where a certain IP address is targeted for so many pings that they make it no longer possible for the owner of that IP to send or receive any Internet messages at all, by keeping the computer too occupied processing the pings, while also using up all the bandwidth available for communicating. Given that as far as the rest of the world is concerned, black hats included, I am a home user of no importance who is not prone to engaging in flaming email combats or in virulently provocative blogging (or in anything worthy of being called ‘blogging’ at all, other than on professional matters), then my very insignificance should be enough protection against this massive, but temporary, form of attack. Or so I hope.

Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.