BlueKeep, a critical remote code execution flaw, has for the first time been spotted by security researchers being exploited in the wild, in what appears to be a mass hacking operation.
The exploitation of BlueKeep was predicted recently by security researcher Kevin Beaumont, after several of his EternalPot RDP honeypots (decoy computer systems set up to detect BlueKeep attacks) crashed.
In May this year, Microsoft discovered the BlueKeep vulnerability in older versions of Microsoft’s Remote Desktop Protocol (RDP). If exploited, the flaw allows unauthorized access to computers running Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008.
According to Microsoft, BlueKeep (tracked as CVE-2019-0708) is a wormable vulnerability: it is self-spreading, meaning malware could weaponize it to move from one vulnerable computer to another automatically. Microsoft said that to exploit the vulnerability, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP.
“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights,” Microsoft said in a statement.
The BlueKeep flaw has been considered a serious threat since its discovery. Microsoft, and even government agencies such as the National Security Agency (NSA), urged Windows users to apply the security patches. Nearly 1 million systems were reportedly still vulnerable a month after the patches were released.
“Although Microsoft has issued a patch, potentially millions of machines are still vulnerable. This is the type of vulnerability that malicious cyber actors frequently exploit using software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems,” NSA said in a statement.