Despite stark warnings from Microsoft and security researchers, admins don’t seem to be patching BlueKeep any faster. A report from the SANS Institute (via ZDNet) suggests the media storm has had little bearing on the patch rate.
Microsoft warned on November 8 that more damaging BlueKeep exploits are likely to follow the first in-the-wild attack, a cryptocurrency-mining campaign that began on November 2. The ‘wormable’ bug (CVE-2019-0708) lies in Remote Desktop Services and affects Windows 7, XP, and Server 2003 and 2008.
Using the Shodan.io search service, SANS tracked the number of systems Shodan flags as vulnerable to BlueKeep over time and normalised it against the number of systems responding on port 3389 (RDP), so that day-to-day swings in scan coverage are not mistaken for patching. That gave researcher Jan Kopriva a more accurate estimate of the patch rate.
The resulting graph suggests that, despite the recent press, the patch rate has remained steady. It is thankfully on a downward trend, but that has been the case for the past couple of months. The number is likely to dip again with Microsoft’s Patch Tuesday release today, but there are still hundreds of thousands of vulnerable systems.
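The SANS method described above, as an added example that is not from the article, SANS or Shodan: the counts are constructed by a formula (a steadily falling vulnerable share on top of wobbling scan coverage), and the cutoff date is simply the day the first attack was reported. The script fits the trend of the vulnerable share before and after that date; if press coverage had sped up patching, the slope after the cutoff would be steeper.

```python
"""Estimate a BlueKeep patch rate from Shodan-style counts.

All numbers here are constructed to illustrate the method: vulnerable hosts
normalised against every host answering on TCP/3389. They are not SANS's
or Shodan's figures.
"""
from datetime import date, timedelta

CUTOFF = date(2019, 11, 2)  # first public report of in-the-wild exploitation


def constructed_snapshots(start=date(2019, 9, 1), days=73):
    """Constructed daily (day, hosts on 3389, hosts flagged vulnerable) tuples.

    The vulnerable share falls by a constant 0.02 percentage points a day,
    while the number of hosts seen on 3389 wobbles with scan coverage, so the
    raw vulnerable count is noisy even though the underlying rate is not.
    """
    snapshots = []
    for d in range(days):
        wobble = ((d * 37) % 11 - 5) * 30_000  # deterministic +/-150k swing
        total = 4_000_000 + wobble
        share = 0.19 - 0.0002 * d
        snapshots.append((start + timedelta(days=d), total, round(total * share)))
    return snapshots


def vulnerable_share(snapshots):
    """(day, vulnerable / all hosts on 3389): the normalisation SANS applied."""
    return [(day, vuln / total) for day, total, vuln in snapshots]


def slope_per_day(points):
    """Least-squares slope of y against days elapsed since the first point."""
    x0 = points[0][0]
    xs = [(day - x0).days for day, _ in points]
    ys = [y for _, y in points]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def _split(points, cutoff):
    return [p for p in points if p[0] < cutoff], [p for p in points if p[0] >= cutoff]


def patch_rate_before_after(snapshots, cutoff):
    """Slopes (per day) of the vulnerable share before and from `cutoff` on.

    A media event that really accelerated patching would show up as a more
    negative slope in the second number.
    """
    before, after = _split(vulnerable_share(snapshots), cutoff)
    return slope_per_day(before), slope_per_day(after)


def raw_count_before_after(snapshots, cutoff):
    """Same comparison on raw vulnerable counts, i.e. without normalisation."""
    before, after = _split([(day, vuln) for day, _, vuln in snapshots], cutoff)
    return slope_per_day(before), slope_per_day(after)


if __name__ == "__main__":
    snaps = constructed_snapshots()
    b, a = patch_rate_before_after(snaps, CUTOFF)
    print(f"share slope/day:     before {b:+.6f}  after {a:+.6f}")
    rb, ra = raw_count_before_after(snaps, CUTOFF)
    print(f"raw-count slope/day: before {rb:+,.0f}  after {ra:+,.0f}")
```

On the constructed data the normalised slopes before and after the cutoff agree (the patch rate did not change), while the raw-count slopes, especially over the short window after the cutoff, are dominated by the coverage wobble; that is why the ratio, not the headline vulnerable count, is the number worth watching.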
The lack of alarm is likely down to the limited impact of that first attack: in many cases the exploit failed and simply crashed the target machine, and the miner did not spread on its own. But BlueKeep could enable far more damaging and reliable attacks once more capable criminals pick it up.
BlueKeep is particularly worrying because exploitation happens before authentication, so it need not leave the obvious traces, such as failed logons, that other RDP attacks do. As security researcher Marcus Hutchins pointed out, a worm may not be the worst outcome. Since RDP is commonly enabled on servers, an attacker could compromise one and use it to “drop malware to every system on the network”.
That could be anything from crippling ransomware to spyware or crypto miners, and it would be much harder to detect before deployment. Given how many vulnerable systems remain exposed, such an attack could be extremely disruptive.