“It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability.” So wrote the normally circumspect NSA in their advisory on the so-called BlueKeep vulnerability. Really? Only a matter of time? Hmm, it seems like the NSA knows something they’re not telling us about. Other cybersecurity professionals tend to agree. If this is true, they must have information on either some hacking group they have been monitoring or some nefarious nation-state operatives.
But wait a minute. This vulnerability only affects older Windows systems, so why should we worry about it? Unfortunately, the sad fact is that many large networks still use older systems for the simple reason that upgrading them is too time-consuming and too expensive. Many state and local governments, for example, continue to use outdated systems. This carelessness has recently led to a number of municipalities being hit with ransomware attacks. In fact, the advisory makes the following observation. “NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
This all remained at the theoretical stage until June 5th when Rob Graham posted an exploit that used this vulnerability. This looked bad, but, although millions of computers are considered vulnerable, how many of these belong to large enterprises? This question was explored by another researcher who focused on Fortune 500 companies. He found that only 71 were vulnerable and, in his opinion, this showed that large corporations were serious about maintaining good cybersecurity.
Here is a graph of the results.
So this is good news, right? Well, not exactly. These may be vulnerable endpoints on a network that is mostly protected, but, since BlueKeep is a ‘wormable’ vulnerability, it could spread even to those computers on a network that had protection in place. As Microsoft reported in its advisory, “it only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.” (To learn how to completely secure endpoints, see this post.)
It’s not the worm itself that is the problem, it’s the payload it carries. It is possible that this exploit has already wormed its way through a major network and is just waiting for the right time to deliver the payload, whether that is a RAT, ransomware, or a DDoS attack. Researchers warn that such an attack could attain disruption levels not seen since the WannaCry attack in 2017.
This might be a good time to look at what WannaCry did. In the cybersecurity community, it was a major event. Almost exactly 2 years ago, North Korean operatives, using an exploit stolen from the NSA, launched a worldwide attack that targeted outdated Microsoft Windows operating systems. The attackers installed backdoors on approximately 200,000 computers in 3 days, causing billions of dollars in damage. The spread of the malware was stopped when a researcher accidentally discovered a kill switch in the malware code.
Countries Affected by the Initial WannaCry Attack
The ransomware seemed to target big businesses, government organizations, hospitals, and universities. All of these targets are typical of ransomware attacks.
The malware operators fought a global cyber battle with cybersecurity researchers for control of the malware. The operators tried to vary the code to bypass the use of the kill switch but ultimately failed. Nonetheless, in the short time it remained effective, WannaCry shut down production at several companies and severely interfered with health services. But it could have been worse. It could have caused major collapses in the infrastructure.
In fact, WannaCry never really went away. A variant of it resurfaced in an under-reported attack on Taiwan Semiconductor Manufacturing Company last September. (For the implications of this particular attack, see my post.) This attack spread to 10,000 machines and shut down several factories. TSMC brushed the attack off as a byproduct of a bad upgrade.
The parallels between WannaCry and a potential exploit of the BlueKeep vulnerability are eerie. In fact, BlueKeep may be even more similar to the NotPetya ransomware, which was reportedly the most devastating cyber attack in history, causing over $10 billion in damages and threatening vital infrastructure. Actually, the proof-of-concept attack designed by Rob Graham looks almost identical to the NotPetya attack except for the vulnerability that it exploits.
So is the NSA warning justified? It seems that it is. If BlueKeep is being positioned for an attack, that attack will occur in July or August of this year. That’s the usual time it takes to make the initial deployment before delivering the payload. I predict the attack will be a ransomware attack and will likely be tied to a nefarious nation-state. It may, incidentally, take out some infrastructural components. If it is deployed by North Korea or Iran, it will be used to make money. If it is deployed by Russia, it will be used to disrupt a country’s economy or infrastructure. At this point, it is impossible to say whether the reported U.S. cyber attacks on Russia’s power grid have any connection to the BlueKeep vulnerability. It could very well serve as a preemptive strike or warning.
For the moment, though, all we can do is wait.