Endpoint Security , Governance & Risk Management , IT Risk Management

Sophos Proof-of-Concept Exploit Shows Dangers of BlueKeep

Security Firm Latest to Sound the Alarm About Windows Vulnerability
Sophos Proof-of-Concept Exploit Shows Dangers of BlueKeep

Sophos is the latest security firm to create a proof-of-concept exploit for the so-called BlueKeep vulnerability in older versions of Microsoft Windows. The company echoed several government agencies that have urged businesses to patch their devices.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

So far, however, a full-functioning exploit has not been spotted in the wild, although attackers may be trying or developing their own code, Andrew Brandt, principal researcher for Sophos, tells Information Security Media Group.

"The bigger point is that if we and others can create functional [proof-of-concepts], serious threat actors could very well have developed their own by now, too," Brandt says. "We have no idea if a criminal group or nation-state attacker is any closer to a weaponized version of this, but we believe the day is fast approaching when someone will, inevitably, develop and use this."

System Takeover Demo

While some other conceptual exploits show a distributed-denial-of-service attack that crashes a Windows device, the Sophos offensive research team’s exploit demonstration professes to show a full system takeover with administrative and system-level privileges that can be completed in less than two minutes.

As with other proof-of-concept exploits, the Sophos team is not publishing the full code it developed, but the company did provide a video along with a blog released Monday that shows the exploit in action and the eventual takeover of the device.

The Sophos teams says it hopes its demonstration will lead more companies to patch devices running older versions of Windows. Some researchers claim that nearly 1 million of devices are vulnerable to BlueKeep (see: Microsoft Sounds Second Alarm Over BlueKeep Vulnerability).

"Sophos has been concerned at published news reports that highlight the lack of urgency that some organizations are taking with this update," Brandt says. "When the operating system maker, the government agencies tasked with tracking security incidents, and a large number of security companies are all telling everyone to update, we hope that admins and everyday users at home will start to take this seriously before a wormable malware appears and causes a lot of damage."

Tracking BlueKeep

Since May 14, Microsoft has issued a security patch plus two warnings concerning BlueKeep, a vulnerability in the company's Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over devices running unpatched older Windows operating systems.

Versions of Windows vulnerable to this flaw are Windows XP, Windows 7, Windows 2000, Windows 2003 and Windows Server 2008. Newer versions, including Windows 8 and Windows 10 are not affected, according to Microsoft.

In addition to warnings from Microsoft and security firms such as Sophos, the U.S. National Security Agency and the Department of Homeland Security have each issued their own alerts about BlueKeep, which is also known as CVE-2019-0708 (see: DHS Is Latest to Warn of BlueKeep Vulnerability).

The main concern about BlueKeep is that because the vulnerability does not require user interaction, an exploit using remote code execution could spread malware from one vulnerable device to another within a network in the same way that the WannaCry ransomware was "wormable."

In addition to Sophos, Zerodium, McAfee, Kaspersky, Check Point, MalwareTech and Valthek have reportedly developed conceptual exploits for BlueKeep but are keeping that code private.

Developing the Exploit

To demonstrate a BlueKeep exploit, SophoLabs' offensive research team spent weeks reverse-engineering the patch Microsoft issued for BlueKeep, according to Monday's blog post.

If hypothetical attackers were to use the code that Sophos developed, they would be able to launch a command shell that appears prior to login on the Windows login screen, according to the blog. In the video, the Sophos team replaces an executable called utilman.exe, which is part of Windows, with another trusted component that is the command shell - or cmd.exe.

In Windows, utilman.exe can launch several features in the operating system and has system-level privileges, according to Sophos. By replacing it with the command shell, another user can gain those same privileges. Because this particular attack is fileless, no malware is needed, and simply connecting over the vulnerable Remote Desktop Protocol is enough, the blog notes.

"With very little effort, a malicious threat actor could fully automate the whole attack chain, including synthetically 'typing' commands into the shell, or simply passing commands to the shell," according to the Sophos blog. "That would be extremely bad, as it would allow rapid-fire attacks targeting any system hosting RDP to the outside world. It wouldn't necessarily succeed in the case of the patched devices, but an attack like this falls into the category of 'spray and pray' - the attackers are not choosy about who they target, and some percentage of machines will be vulnerable."

Brandt and other researchers say that if threat actors develop similar exploits, they will be able to speed up an attack faster than what Sophos has been able to demonstrate with its proof-of-concept.

"In our proof-of-concept, it takes a bit of time for the exploit to do its work, and right now that might constitute a limitation, but with additional work it should be possible to speed this up significantly," Brandt says.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.