News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • The Bluekeep exploit has finally arrived

    Posted on GoneToPlaid Comment on the AskWoody Lounge

    Home Forums Code Red – Security/Privacy advisories The Bluekeep exploit has finally arrived

    This topic contains 11 replies, has 6 voices, and was last updated by  OscarCP 1 week, 1 day ago.

    • Author
      Posts
    • #1998092 Reply

      GoneToPlaid
      AskWoody Plus

      See:

      Also see the ZDNet article:

      https://www.zdnet.com/article/bluekeep-attacks-are-happening-but-its-not-a-worm/

       

      • This topic was modified 1 week, 2 days ago by  GoneToPlaid. Reason: added link to zdnet article
      3 users thanked author for this post.
    • #1998095 Reply

      OscarCP
      AskWoody Plus

      From the ZDNet article (link provided by GoneToPlaid): “Instead, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team back in September to hack into unpatched Windows systems and install a cryptocurrency miner.”

      Several of us commented back then about this very thing: the public release of the “proof of concept” demo that, at least to us, looked like an insanely irresponsible act by the Metasploit “security” experts.

      The fact that this first exploit, that was aimed to turn the attacked PCs into a bunch of cryptocurrency mining drones, has merely caused the PCs to BSOD, because, according to the same article, the attack was conducted by someone who did not know how to use the Metasploit demo malware properly, is not the best reason ever to feel relieved by the fact that nothing worse has happened. For now.

      In the meantime, besides being fully up-to-date patched, which I hope most of us already are, what else should we do right now about this?

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

      • #1998126 Reply

        Kirsty
        Da Boss

        In the meantime, besides being fully up-to-date patched, which I hope most of us already are, what else should we do right now about this?

        From Catalin Cimpanu’s ZDNet article:

        …the hackers appear to search for Windows systems with RDP ports left exposed on the internet, deploy the BlueKeep Metasploit exploit, and later a cryptocurrency miner.

        It impacts only:

        Windows 7
        Windows Server 2008 R2
        Windows Server 2008

        So anyone using those systems should check they are patched, and their RDP ports aren’t exposed.

        • #1998192 Reply

          Alice
          AskWoody Lounger

          So anyone using those systems should check they are patched, and their RDP ports aren’t exposed.

          Microsoft has said that only systems with RDP enabled are vulnerable.

    • #1998105 Reply

      Kirsty
      Da Boss

      BlueKeep (CVE 2019-0708) exploitation spotted in the wild
      November 3, 2019

       
      Conclusion:
      It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponized. One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved.

      Although this alleged activity is concerning, the information security community (correctly) predicted much worse potential scenarios. Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack. It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.

       
      Read the full article here

      • #1998127 Reply

        OscarCP
        AskWoody Plus

        Kirsty: “Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port ” It is quite reassuring not to see any evidence of widespread attacks. Thanks for this information.

        It does not seem that the malware code used was “weponized”, meaning that something not actually useful as a weapon, only potentially so, was made into one by some crafty criminals. Going by what has transpired so far, what has been used is the very same code released by Metasploit in September as a “proof of concept” to the wide world, so anyone could get a copy and use it at his or her pleasure. Which means that the code has turned out, in the event, to be already useful as a weapon that finally has been used and just in the form it was released from Metasploit. Fortunately, it was not handled very well by the wannabe attacker. Unfortunately, if handled properly and it being already a weapon, anyone who knows how can use it as is to do some real harm. Now I am wondering, thinking about all this, whether the Metasploit people responsible are already having or about to start having a restful time in some cheerful and pleasant County jail looking forward to a fun-filled trial? And if not, why not?

        Also, using the link you placed in your previous posting, I have not found any information on RDP, or any mention of Bluekeep. Maybe you meant to put a different link there?

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

        • #1998159 Reply

          Kirsty
          Da Boss

          Also, using the link you placed in your previous posting, I have not found any information on RDP, or any mention of Bluekeep. Maybe you meant to put a different link there?

          I presume you are referring to the link in #1998126?

          That link is to Shields Up!, the port scanner from GRC (Steve Gibson), so those interested can check to see if they have RDP ports exposed. Sorry, I thought that would be helpful…
          Once the “fine print” has been read, clicking on Proceed takes one to the action page.

          • #1998184 Reply

            OscarCP
            AskWoody Plus

            Kirsty,

            Well yes, I was referring to that link. Now, forearmed with the additional information you have so nicely provided, with my Mac (the Win 7 PC is sleeping at the moment) as the computer and Waterfox as the browser, I went in and punched those buttons and got told that my Mac is pretty much invisible to likely attackers and other malcontents and pretty much impenetrable, except that I can get pinged. Now, it’s been quite a while since I used “ping” to see if some server or someone’s machine was up and running and did not know that being pingable was a potential danger. OK, now I know that. So, should I do something about it, or preventing others too ping me would create more problems than it would help prevent? And how does one become unpingable, anyways?

            Tomorrow I’ll try this with my Win 7 PC, see what shape it is in.

            By the way, did you remember to turn back one hour all your clocks and watches?

            As to just how amazingly stealthy my Mac actually is, here is the report I got from GRC (my router also was pronounced pretty stealthy):

            ———————————————————————-

            GRC Port Authority Report created on UTC: 2019-11-03 at 08:20:18

            Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
            119, 135, 139, 143, 389, 443, 445,
            1002, 1024-1030, 1720, 5000

            0 Ports Open
            0 Ports Closed
            26 Ports Stealth
            ———————
            26 Ports Tested

            ALL PORTS tested were found to be: STEALTH.

            TruStealth: FAILED – ALL tested ports were STEALTH,
            – NO unsolicited packets were received,
            – A PING REPLY (ICMP Echo) WAS RECEIVED.

            ———————————————————————-

            Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

            • #1998191 Reply

              Paul T
              AskWoody MVP

              The GRC test is effectively only testing your router – unless you have chosen to open ports through it.

              cheers, Paul

              1 user thanked author for this post.
            • #1998460 Reply

              OscarCP
              AskWoody Plus

              Paul T: “The GRC test is effectively only testing your router

              Let me begin by assuming that these tests are just of the router (the GRC site of the tests does mention “your computer” and “TCP Internet connections”, but it is ambiguous as to what is tested: the router, or the computer itself as well as the router). Then, why should that not be good enough? Virtually all my access to the Internet is through my router. Unless some neighbor is spoofing my WiFi channel between router and laptop, (when — not often — I am using the router’s WiFi, rather than its Ethernet connection) which I very much doubt anyone near enough to me can or will do. I live in a nice apartment building, my neighbors are outstanding people, none of them are experts on informatics, and my laptop very rarely leaves it, so I have never used it in an airport or a Starbucks or connecting it through hot spots. Do these facts rule absolutely any possibility of my being vulnerable to some malignant attacks? Of course not, that would be as realistic as expecting to be invulnerable to Death. But, unless there are reasons to worry that I don’t see here, I would be inclined to think that I am safe enough —  and that would be good enough for me.

              But, whether this belief of mine is correct or not, I still think that the Metasploit people could be much improved by a reasonably long stint in jail, all expenses covered (except for those few others than can be paid using smuggled cigarettes and such).

              Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

            • #1998480 Reply

              anonymous

              Oscar, based on your results you need to look up ‘Ping ICMP flood attacks’
              (DDOS via ICMP echo request/reply)
              Ideally, ALL ports should be stealth on your internet facing router.

            • #1998528 Reply

              OscarCP
              AskWoody Plus

              Thank you, Anonymous. I followed your advice and found out that “Ping ICMP flood attacks” are denial of service attacks, where a certain IP address is targeted for so many pings that they make it no longer possible for the owner of that IP to send or receive any Internet messages at all, by keeping the computer too occupied processing the pings, while also using up all the bandwidth available for communicating. Given that as far as the rest of the world is concerned, black hats included, I am a home user of no importance that is not prone to engaging in flaming email combats or in virulently provocative blogging (or in anything worthy of being called ‘blogging’ at all, other than on professional matters), then my very insignificance should be enough protection against this massive, but temporary, form of attack. Or so I hope.

              Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

              • This reply was modified 1 week, 1 day ago by  OscarCP.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: The Bluekeep exploit has finally arrived

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.