Sources networks of recent BlueKeep scans
Image: GreyNoiseThreat actors have started scanning the internet for Windows systems that are vulnerable to the BlueKeep (CVE-2019-0708) vulnerability.
This vulnerability impacts the Remote Desktop Protocol (RDP) service included in older versions of the Windows OS, such as XP, 7, Server 2003, and Server 2008.
Microsoft released fixes for this vulnerability on May 14, as part of the May 2019 Patch Tuesday updates train, and warned users and companies to patch vulnerable systems as soon as possible, classifying the issue as very dangerous, and warning that CVE-2019-0708 could be weaponized to create wormable (self-replicating) exploits.
Many have likened BlueKeep to the EternalBlue exploit that's been used in 2017 during the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.
No proof-of-concept demo code (yet)
For this reason, and because of Microsoft's doom-and-gloom warning, for the past two weeks, the infosec community has been keeping an eye out for signs of attacks or the publication of any proof-of-concept demo code that could simplify the creation of RDP exploits -- and inherently start subsequent attacks.
Until now, no one researcher or security firm has published any such demo exploit code -- for obvious reasons, since it could help threat actors start massive attacks.
Nonetheless, several entities have confirmed that they've successfully developed exploits for BlueKeep, which they intend to keep private. The list includes Zerodium, McAfee, Kaspersky, Check Point, MalwareTech, and Valthek.
The NCC Group developed detection rules for network security equipment so that companies could detect any exploitation attempts, and 0patch developed a micropatch that can temporarily protect systems until they receive the official update.
Further, RiskSense security researcher Sean Dillon also created a tool that companies can use and test to see if their PC fleets have been correctly patched against the BlueKeep flaw.
BlueKeep scans started over the weekend
But while the infosec community was holding its collective breath thinking attacks may never start, things changed over the weekend.
On Saturday, threat intelligence firm GreyNoise started detecting scans for Windows systems vulnerable to BlueKeep.
Speaking to ZDNet, GreyNoise founder Andrew Morris said they believe the attacker was using the Metasploit module detected by RiskSense to scan the internet for BlueKeep vulnerable host.
"This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor," he said in a tweet on Saturday.
For now, these are only scans, and not actual exploitation attempts.
However, it appears that at least one threat actor is investing quite the time and effort into compiling a list of vulnerable devices, most likely in preparation for the actual attacks.
With at least six entities revealing they've come up with private BlueKeep exploits, and with at least two very detailed write-ups on the BlueKeep vulnerability details available online [1, 2], it is only a matter of time until the real bad guys come up with their own exploits as well.
The Tor-originating scans that GreyNoise is currently seeing -- and which Morris told ZDNet that are still ongoing at the time of writing -- are a first sign that things are about to get worse. Really worse!