A cyber-security company in the United States has announced it is selling a weaponized version of the BlueKeep exploit. The first fully working exploit is being sold by a company called Immunity and is bundled into a penetration testing utility.
Security researchers describe the bug as “wormable”. BlueKeep is a dangerous vulnerability because it can be triggered remotely by bad actors. It is located in Remote Desktop Services on legacy Windows builds such as Windows 7, Windows XP, and Server 2003 and 2008.
“This [bug] would have the potential of a global WannaCry-level event,” said Chris Goettl, director of product management for security at Ivanti, during Patch Tuesday. “What’s more, Microsoft has released updates for Windows XP and Server 2003 (which you wouldn’t have found unless you were looking at the Windows Update Catalog). So, this affects Windows 7, Server 2008 R2, XP and Server 2003.”
Since its discovery, security researchers and Microsoft have been concerned that an exploit of BlueKeep will result in a new wave of WannaCry-style attacks. While Microsoft has patched it across all Windows versions, the company says many users have yet to update.
In May, Microsoft said over one million Windows machines were affected by the vulnerability (CVE-2019-0708). The company also said an exploit for the flaw was likely to be discovered:
“Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708,” said Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC).
Since then, it has been a race to see whether all users will patch their machines before bad actors develop an exploit for BlueKeep. While hackers have not done so yet, they will now have access to a working exploit via Immunity, which has packaged the exploit in version 7.23 of its CANVAS pen-testing toolkit.
According to Immunity, the exploit provides remote code execution. However, the CANVAS suite costs between thousands and tens of thousands of dollars. Still, hackers could try pirating it, or simply pay for a license to gain access to the exploit.
“This vulnerability is known and any reasonably competent exploit writer could write an exploit for it based on publicly available information,” Chris Day, Cyxtera’s Chief Cybersecurity Officer and GM, Threat Management and Analytic, told ZDNet. Cyxtera is the parent company of Immunity.
“The Immunity product, Canvas, has more than 800 exploits. All of them, including BlueKeep, have a patch,” Day added. “We happen to be the first commercial company to include this in our product so companies can test to see if their exposed RDP-enabled systems are actually secure against the vulnerability.
“Also, our version is not self-propagating (a worm).”