Warnings Of World-Wide Worm Attacks Are The Real Deal, New Exploit Shows

For the past three weeks, security professionals have warned with increasing urgency that a recently patched Windows vulnerability has the potential to trigger attacks not seen since the WannaCry worm that paralyzed much of the world in 2017. A demonstration video circulating on the Internet is the latest evidence to prove those warnings are the real deal.

It was posted Tuesday by Sean Dillon, a senior security researcher and RiskSense. A play-by-play helps to underscore the significance of the feat.

The video shows a module Dillon wrote for the Metasploit exploit framework remotely connecting to a Windows Server 2008 R2 computer that has yet to install a patch Microsoft released in mid May. At about 14 seconds, a Metasploit payload called Meterpreter uses the getuid command to prove that the connection has highly privileged System privileges. In the remaining six seconds, the hacker uses the open source Mimikatz application to obtain the cryptographic hashes of passwords belonging to other computers on the same network the hacked machine is connected to.

It’s these last six seconds that underscore the danger posed by the vulnerability, which according to Internet scan results posted eight days ago remains unpatched on almost 1 million computers. The flaw, which is indexed as CVE-2019-0708 but is better known by the name BlueKeep, resides in earlier versions of the Remote Desktop Services, which help provide a graphical interface for connecting to Windows computers over the Internet. A much more detailed blow-by-blow is here.

Only takes one

Last Friday, members of the Microsoft Security Response Team practically begged organizations that hadn’t patched vulnerable machines to do so without delay, lest another WannaCry scenario play out. “It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” MSRC members wrote. In a rare move, officials with the National Security Agency on Tuesday echoed Microsoft’s warning. The video posted by Dillon, particularly in the last six seconds, demonstrates that the danger is in no way exaggerated.

"It means all it takes is one unpatched system to lead to an infection of patched systems,” Rob Graham, the Errata Security CEO who conducted the above-linked Internet scan, told Ars. “Big companies often have a single RDP server with hundreds of users logged in. Mimikatz will grab all their passwords, then allow the worm to spread to all those desktops in one fell swoop.”

If the intermingling of Mimikatz and a critical Windows vulnerability to devastating effect sounds familiar, it’s probably because that’s how another paralyzing worm, dubbed NotPetya, managed to wipe out entire networks. According to an analysis from Kaspersky, NotPetya, which is regarded as the most expensive malware attack in history, used the Eternal Blue exploit developed by and later stolen from the NSA to exploit one or more vulnerable machines. NotPetya, Kaspersky said, would then use Mimikatz to extract credentials from the Windows process known as lsass.exe on the compromised machines. NotPetya would then use the credentials to infect fully patched machines through the Windows management instrumentation command or the tool called PsExec.

In the NotPetya analysis, Kaspersky researchers wrote, “IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.”

Clock is ticking

Of course, a big difference between WannaCry and NotPetya two years ago and BlueKeep exploits now is that malicious hackers don’t have the benefit of the devastating leak by the still-unknown group calling itself the Shadow Brokers. A month prior to the WannaCry outbreak, the groupdumped the highly reliable Eternal Bluein a form that could be used by even unskilled hackers. So far, by comparison, the small number of BlueKeep exploits known to exist are closely guarded secrets.

But time is running out. Dillon told Ars that it’s not outside the means of skilled exploit writers to devise a single attack that could work against any vulnerable OS version, which includes Windows XP and 7 and Server 2003 and 2008. The exploit writer wrote:

There are ways to fingerprint the different Windows versions and CPU architectures. It is possible to make a universal exploit that will select the right payloads for a target.

Getting to this point took me many late nights, dozens of hours. There's a bit more information available now, but still a few roadblocks that no one has published. With the benefit of hindsight, it is only moderately difficult to exploit given an adversary has the appropriate background Windows knowledge.

I would say the exploit chain is simpler than the Eternal exploits

This exploit will be one of the best case studies for the simplicity and elegance that can happen in the right conditions for use-after-free vulnerabilities.

There are a host of reasons many vulnerable computers remain unpatched, and some of them are understandable. In many cases, older versions of Windows continue to be used for tasks that are required around the clock.

Unfortunately, these tasks often take place in mission-critical environments such as hospitals, factories, and industrial settings. While patching is by far the most effective way to prevent exploits, there are a variety of workarounds that can be deployed. Chief among them is enabling Network Level Authentication (NLA) for Remote Desktop Services, although this defense is ineffective in the event that attackers have compromised the NLA credentials. It may also be possible to at least partially defeat NLA defenses using a remote desktop protocol weakness disclosed Tuesday.