Newsletter Archives
-
BlueKeep now being used in attacks – but the sky isn’t falling
Remember BlueKeep – the “wormable” monster infection that was supposed to take over the Windows world?
Two months ago, I warned that there was a working exploit making the rounds.
We finally saw a slightly modified version of that Metasploit exploit used in a for-real infection. Except it isn’t nearly as scary as originally projected, doesn’t operate as a worm, and isn’t exactly taking the world by storm.
Kevin Beaumont found evidence of the infection in some honeypots he set up – but had stopped monitoring.
huh, the EternalPot RDP honeypots have all started BSOD'ing recently. They only expose port 3389. pic.twitter.com/VdiKoqAwkr
— Kevin Beaumont (@GossiTheDog) November 2, 2019
As expected, folks who have either disabled RDP or blocked port 3389 are fine. Still…
Word to the wise: If you haven’t updated your Win7 or Server 2008/Server 2008R2 machine since May, you better get on the stick.
See, there’s a reason why you have to update sooner or later.
Full details from Catalin Cimpanu at ZDNet. Thx GoneToPlaid (who just had a Tesla mode named after him).
UPDATE:
Since publishing, all BlueKeep activity that I could see has stopped.
— Kevin Beaumont (@GossiTheDog) November 4, 2019
-
Heads up: There’s a working, free (but stunted) BlueKeep exploit making the rounds
Remember BlueKeep? That’s the wormable hole in Windows Remote Desktop. We’ve talked about it a lot since it first came up in May.
@NetDef just posted a link to Kevin Beaumont’s tweet:
The first public, free #BlueKeep exploit is out in Metasploit now. https://t.co/smSv8JFddf
— Kevin Beaumont (@GossiTheDog) September 6, 2019
If you haven’t patched since May — or if you’re installing manual, security-only patches and somehow skipped May — get off your duff now.
Details in Computerworld Woody on Windows.
UPDATE: Kevin says he wouldn’t call it “defanged” — and he has a good point. I probably should’ve called it “unable to reproduce.” But don’t let that keep you from getting patched.
UPDATE: Good coverage from Catalin Cimpanu at ZDnet.
ANOTHER UPDATE: The released exploit “only works against 64-bit versions of Windows 7 and Windows 2008 R2, but not the other Windows versions that were also vulnerable to BlueKeep,” per Cimpanu.
ANOTHER UPDATE: From Kevin
It’s a real exploit. Win7 64 bit. It only works on Server 2008 R2 if you enable audio redirection (not enabled by default).
— Kevin Beaumont (@GossiTheDog) September 6, 2019
-
August updates still dribbling in
PATCH WATCH
By Susan Bradley
With August rapidly coming to a close, it’s time to review the status of Windows exploits and any lingering patch side effects.
The Remote Desktop Protocol (RDP) threats — BlueKeep and the follow-on DejaBlues — are still missing in action. To my knowledge, there are no in-the-wild attacks using the original BlueKeep or this month’s BlueKeep II and BlueKeep III.
Read the full story in AskWoody Plus Newsletter 16.31.0 (2019-09-02).
-
DejaBlue update: We’re still safe.
Transparency tweet: deleted a tweet about DejaBlue. It looks like people are triggering the vulnerability, but not reaching code execution. Which is good news. I resume my holiday 🎉
— Kevin Beaumont (@GossiTheDog) August 17, 2019
-
The sky is not falling: DejaBlue (aka BlueKeep II, III, IV, V) are not being exploited in the wild
I’m hearing a lot of saber rattling, urging folks to install the latest Patch Tuesday patches to guard against the newly-discovered BlueKeep variants. One blog says, “So patch your PCs and spread the word. Millions of users around the world refuse to update their versions of Windows but, in this case, the threat is immediate, viral and very real.”
Horsepucky.
Permit me to remind you that BlueKeep itself hasn’t been reliably exploited. The threat is real, but it’s not viral or immediate.
That said, Kevin Beaumont thinks these new exploits may be able to circumvent Microsoft’s recommended “mitigation”: NLA may not break the infection chain.
I’ll be keeping a close eye on developments. In the meantime, I still don’t see any pressing reason to install this month’s patches — and I’m seeing more and more reports of bugs.
We’re still at MS-DEFCON 2.
-
The BlueKeep situation gets murkier
There have been rumors for the past two weeks that there’s a working BlueKeep exploit on the darkweb. We’ve been fielding (and blocking) many posts on AskWoody claiming that the BlueKeep exploit is real and living in the ooze.
Catalin Cimpanu (who, along with Kevin Beaumont, is one of my guiding lights on the topic) just posted a response to an inquiry from Kirsty:
Yes, there are posts in some dw forums about BlueKeep exploits, but it's unclear if they're scams or real.
— Catalin Cimpanu (@campuscodi) August 1, 2019
This is coming to a head because @zerosum0x0 now claims to have cracked the problem and handed all of his info over to Metasploit. If that’s true, and Metasploit publishes it (by no means a done deal, on either count), it could mean that we’re closer to a real, live BlueKeep worm.
-
Even though there’s a BlueKeep exploit for sale, it doesn’t work very well – doesn’t propagate, for example
Catalin Cimpanu wrote in ZDNet on Friday that there’s a “weaponized” BlueKeep exploit available if you have the cash.
(More BlueKeep info here.)
There are several reasons why I didn’t raise the alarm, among them one comment from the folks selling the “pen test” exploit:
our version is not self-propagating (a worm)
It’s ostensibly only used to test your system to see if it’s vulnerable to BlueKeep-style exploits.
A couple of hours ago, Kevin Beaumont (who invented the name “BlueKeep” and is following it intently) reinforced my reticence:
For info: still no sign of #BlueKeep CVE-2019-0708 exploitation in wild, from threat intelligence data, telemetry, honeypot and industry info sharing.
— Kevin Beaumont (@GossiTheDog) July 29, 2019
Still nothing to worry about. But for heaven’s sake, if you run a Win7, Vista or XP machine, or one of the related Server 2008/Server 2008 R2 boxes, and you haven’t installed any patches since May, you need to get patched NOW.
-
BlueKeep is almost here. If you haven’t installed Win7/XP patches since May, get your systems patched!
A US company selling a weaponized BlueKeep exploit with RCE capabilities as part of a pen-testing tool (named CANVAS)
Infosec doomsday clock is now 11:59 🙄
Patch your systems already. According to BitSight, there are still 800k vulnerable hosts online.https://t.co/KPUUn2Saoy pic.twitter.com/O1BrRk7jce
— Catalin Cimpanu (@campuscodi) July 25, 2019
Ahh. Yeah, when there’s a reliable and diverse target exploit it will be cryptocurrency and ransomware season. Thankfully Immunity’s one isn’t great.
— Kevin Beaumont (@GossiTheDog) July 25, 2019
-
BlueKeep exploitation expected soon
Several hours ago, there was a lot of noise on Twitter about a GitHub explanation of how to “weaponize” BlueKeep, triggering fears it could soon be widely exploited.
BlueKeep Warning: someone published a slide deck explaining how to turn the crash PoC into RCE. I expect we'll likely see widespread exploitation soon.https://t.co/MG2IZfy5B5
— MalwareTech (@MalwareTechBlog) July 22, 2019
Dan Goodin’s article on ArsTechnica.com is fairly succinct:
BEWARE OF WORMABLE EXPLOITS —
Chances of destructive BlueKeep exploit rise with new explainer posted online
We’ll be keeping an eye on Kevin Beaumont’s Twitter feed, to see what he posts about it today. Are you protected?
UPDATE:
Kevin Beaumont is also warning about a more imminent threat from BlueKeep:
I've updated this thread with @0xeb_bp's #BlueKeep exploitation technical document, newly released today – it shows how to reach UAF. The bar for (unreliable) public exploitation POC is lowering significantly. https://t.co/UX1ujWaQik
— Kevin Beaumont (@GossiTheDog) 23 July 2019
-
Kevin Beaumont: Still no sign of BlueKeep in the wild
In case you were wondering, Kevin Beaumont hasn’t yet detected any BlueKeep infections:
This is still up and running, no sign of blue screens or exploitation. Plenty of RDP bruteforce, as @SophosLabs have discovered too 😀 pic.twitter.com/5hlvfMnQRq
— Kevin Beaumont (@GossiTheDog) July 17, 2019
Good news for you and me – and yet another reminder to install the May Win7 (and XP and Vista) patch!
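The refrain across these posts is the same: patch, and if you can’t patch yet, disable RDP, block port 3389, or at least require NLA (which, as noted in the DejaBlue post, is a mitigation and not a fix). Here is a quick way to see where a particular box actually stands. This is an added example, not code from AskWoody, Microsoft or Kevin Beaumont. The only KB number that appears on this page is KB4499180 (Server 2008 SP2/Vista); the other May 2019 KB IDs in the table are from my own notes and are an assumption you should confirm against Microsoft’s advisory for CVE-2019-0708 before trusting a “patched” result. The registry locations and cmdlets are the standard ones and run on PowerShell 2.0, so no WMF upgrade is needed on Win7 or Server 2008.

```powershell
# Added example (not from AskWoody, Microsoft or Kevin Beaumont): a local
# exposure check for CVE-2019-0708 (BlueKeep). Run from an elevated prompt.
# Uses only PowerShell 2.0-era cmdlets (Get-WmiObject, Get-HotFix, netstat)
# so it works on Windows 7 / Server 2008 R2 as shipped.
#
# ASSUMPTION: KB4499180 is the only KB ID named on this page; the others are
# my recollection of the May 2019 releases. Verify against Microsoft's
# CVE-2019-0708 advisory before relying on a "patched" verdict.
$MayFixes = @{
    'Windows 7 / Server 2008 R2'      = @('KB4499175', 'KB4499164')  # security-only, Monthly Rollup
    'Windows Server 2008 SP2 / Vista' = @('KB4499180', 'KB4499149')  # security-only, Monthly Rollup
    'Windows XP / Server 2003'        = @('KB4500331')               # manual download only
}

# Map the kernel version to the affected family; Windows 8 and later are not affected.
$os = Get-WmiObject Win32_OperatingSystem
$family = switch -Wildcard ($os.Version) {
    '6.1.*' { 'Windows 7 / Server 2008 R2' }
    '6.0.*' { 'Windows Server 2008 SP2 / Vista' }
    '5.*'   { 'Windows XP / Server 2003' }
    default { $null }
}
if (-not $family) {
    Write-Host "$($os.Caption) (build $($os.Version)) is not in an affected family; CVE-2019-0708 does not apply."
    return
}

# RDP settings, read from the same registry values the Remote Desktop UI writes.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$rdpDenied = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla       = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$port      = (Get-ItemProperty -Path $tcp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

# Is a TCP socket bound to the RDP port? Get-NetTCPConnection does not exist on
# Win7, and netstat's state column is localized, so match only on the local port.
$listening = [bool](netstat -an | Select-String -Pattern "^\s*TCP\s+\S+:$port\s")

# Which of the May 2019 fixes for this family does the update history list?
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$present   = @($MayFixes[$family] | Where-Object { $installed -contains $_ })
$found     = if ($present.Count) { $present -join ', ' } else { '(none)' }

$report = New-Object PSObject -Property @{
    OS            = "$($os.Caption) $($os.OSArchitecture) (build $($os.Version))"
    Family        = $family
    RdpEnabled    = ($rdpDenied -ne 1)
    RdpPort       = $port
    Listening     = $listening
    NlaRequired   = ($nla -eq 1)
    MayFixesFound = $found
}
$report | Format-List OS, Family, RdpEnabled, RdpPort, Listening, NlaRequired, MayFixesFound

# Plain-English verdict. Monthly Rollups are cumulative, so a rollup from June
# 2019 or later also carries the fix even though the May KB ID is absent; the
# security-only stream does NOT carry it forward, which is the "skipped May"
# case these posts warn about.
if ($present.Count -eq 0) {
    Write-Warning "No May 2019 CVE-2019-0708 update for $family is listed. On a Monthly Rollup machine, confirm a rollup dated May 2019 or later is installed; on a security-only machine this host is unpatched."
}
if (($rdpDenied -ne 1) -and $listening) {
    if ($nla -eq 1) {
        Write-Host "RDP is reachable on port $port with NLA required. NLA raises the bar (authentication before the vulnerable channel handling) but does not replace the patch."
    } else {
        Write-Warning "RDP is reachable on port $port WITHOUT NLA. If the patch is missing, this host is directly exposed."
    }
} else {
    Write-Host "RDP is disabled or nothing is bound to port $port; BlueKeep cannot be reached over the network on this host."
}
```

Two things to keep in mind when reading the output. Get-HotFix lists an update as soon as it is installed, but the fixed RDP kernel driver is only loaded after a reboot, so a box that has not restarted since patching is still running the old code. And the check looks at the host itself, not at what sits in front of it: a perimeter firewall blocking 3389 is what kept many of the “I never patched” machines out of the honeypot statistics, and this script cannot see that.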
-
Are BlueKeep patches causing BSODs with Server 2008 SP2 and Vista?
There are reports that the Monthly Rollups started causing problems with Server 2008 SP2 beginning in April. It seems the same issues have occurred on Windows Vista when Microsoft’s advice to patch BlueKeep by installing the Server 2008 SP2 patches is followed.
According to the same anonymous poster who reported the issues in April with KB4493471:
I realize this topic is getting old, but Avast just recently took action to address issues that have existed on Server 2008 SP2 since April updates changed the build number to 6003.[…]. They say “the squeaky wheel gets the oil,” and Windows 7 certainly squeaks louder than Server 2008; but Avast finally heard a different squeak in a recent spiceworks thread titled Windows Bluekeep patches causing Win32k.sys 0x0000008E BSOD. Avast has recently posted new Knowledge Base articles with titles such as BSOD/Failure to Boot after Installing Avast Business Antivirus version 18.8 on Windows Server 2008. The same issues occurred on Windows Vista if Microsoft’s advice to patch BlueKeep by installing KB4499180 was taken.
Are any of you seeing these issues, particularly among those patching Vista for BlueKeep with the Server 2008 SP2 Rollups?
Reference: Spiceworks thread and Avast Knowledge Base article.
Thx, anonymous
-
Yes, pirate copies of Win XP and Win7 can install the “wormable” BlueKeep security fixes
I’m seeing references to this all over the web, but it looks like pirated copies of Win7 will get the BlueKeep fix through Windows Update, and the XP patch (manually downloaded) will work on pirated XP machines, too.
All of the articles I’ve seen refer to a statement by Paul Cooke, who used to be Director of Product Marketing for Windows Client at Microsoft. Nowadays, according to his LinkedIn profile, he’s Senior Manager of Identity and Access Management at Providence Health & Services in Renton, but anyway…
Back in 2009, Cooke, writing on the now-defunct Microsoft Windows Security Blog promised us all:
There seems to be a myth that Microsoft limits security updates to genuine Windows users.
Let me be clear: all security updates go to all users.
I’m not at all comfortable relying on a promise made by an ex-employee a decade ago, but if you’re wondering, that’s the promise everyone’s quoting these days, and that’s where it came from.
I can find no more-recent corroboration, but I’d welcome anything you can uncover.