Bluekeep - what's coming?
BlueKeep was announced a few weeks ago and, even though no RCE (remote code execution) exploit has been found in the wild, 890544 IP addresses are still exposing a vulnerable version of the service...
Turning this vulnerability from a simple check (like the scripts currently available, such as the Metasploit scanner module or rdpscan) into remote code execution is tricky. The hard part is understanding how to use a technique known as heap spray to reach remote code execution.
Heap spray is a technique that attempts to place a chosen set of bytes at a predictable location in a process's memory by having that process allocate large blocks of heap and filling those blocks with the needed bytes.
And until 24 hours ago, this was the trickiest part of converting BlueKeep from a check into an RCE.
So what changed?
Yesterday someone posted on GitHub a slide deck from a conference that clearly explained how to go from the typical PoC to RCE.
BlueKeep Warning: someone published a slide deck explaining how to turn the crash PoC into RCE. I expect we'll likely see widespread exploitation soon. https://t.co/MG2IZfy5B5
— MalwareTech (@MalwareTechBlog) July 22, 2019
This accelerates the speed at which a potential RCE might come out.
Over the weekend we ran a new scan for BlueKeep with a more finely tuned module. We found 890544 vulnerable machines and have now imported those results into our platform.
To see those results you can use the query:
bluekeep.vulnerable:true
On the enterprise side, customers have access to the BlueKeep module, which they can use to test large numbers of IP addresses across any port for potentially vulnerable RDP services.
We strongly advise everyone to patch.
Over the last month we have detected a very irregular scan coming from ASN 49505. This ASN belongs to SELECTEL in Russia and has been probing multiple ports, looking specifically for RDP. By now they should have a good inventory of how many RDP services are exposed to the internet, even on alternative ports, and as we have confirmed before, there are quite a few of them.
To give you an idea, our sensor network has seen a total of 518,752,267 events coming from this ASN in the last 2 months alone.
To show the gap between this ASN and the rest of the RDP scans we see, here is what our sensors observe that does not come from ASN 49505:
The next ASN on the list, while also belonging to Russia, has only 62,131,421 events.
Anomaly alerts
Our Enterprise clients can also see real-time anomaly alerts on the sensor stream. Some are already showing up for ports very similar to the RDP port:
SaaS clients can also see these warnings via the #sensor-events channel on our public Slack, but they are restricted to the "Ultra" level.
To further assist with future exploration of our sensor data, we now generate sha256 hashes for all payloads, so once a payload of the exploit is confirmed you can simply copy its hash and look up the other IP addresses that have sent the same payload.
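The two defensive uses of the sensor data described above (spotting one ASN whose scan volume dwarfs every other source, and pivoting from a confirmed payload hash to every IP that sent the same bytes) can be reproduced on a small scale with a few lines of Python. The script below is an added example written for this post, not BinaryEdge code; the event tuple format, the threshold in dominant_asn, and every IP, ASN (other than 49505) and payload byte string are constructed for illustration and are not real sensor traffic.

```python
"""Index sensor payloads by sha256 so a confirmed payload can be pivoted to every
source that sent it, and summarise scan volume per ASN to flag an outlier.
Added example with constructed data; the event format is an assumption."""
import hashlib
from collections import Counter, defaultdict

# Constructed sample payloads. They are illustrative byte strings only, not
# exploit traffic; the point is that identical bytes hash to the same value.
PAYLOAD_A = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00"
PAYLOAD_B = b"\x03\x00\x00\x2c\x27\xe0\x00\x00\x00\x00\x00Cookie: mstshash=scan\r\n"
PAYLOAD_C = b"GET / HTTP/1.0\r\n\r\n"

# Constructed sample events: (source_ip, asn, destination_port, payload).
# 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 and ASNs 64496/64497 are
# documentation ranges; 49505 is the ASN discussed in the post.
SAMPLE_EVENTS = [
    ("203.0.113.10", 49505, 3389, PAYLOAD_A),
    ("203.0.113.11", 49505, 3388, PAYLOAD_A),
    ("203.0.113.12", 49505, 3390, PAYLOAD_B),
    ("203.0.113.10", 49505, 3391, PAYLOAD_A),
    ("198.51.100.7", 64496, 3389, PAYLOAD_A),
    ("198.51.100.8", 64496, 3389, PAYLOAD_B),
    ("192.0.2.44", 64497, 80, PAYLOAD_C),
]


def payload_hash(payload: bytes) -> str:
    """sha256 hex digest of the raw payload, the value you would copy from the stream."""
    return hashlib.sha256(payload).hexdigest()


def index_by_hash(events):
    """Map payload hash -> set of source IPs that sent exactly those bytes."""
    index = defaultdict(set)
    for ip, _asn, _port, payload in events:
        index[payload_hash(payload)].add(ip)
    return index


def pivot(index, digest: str):
    """Given one confirmed payload hash, return every source IP that sent it."""
    return sorted(index.get(digest, ()))


def events_per_asn(events) -> Counter:
    """Count sensor events per originating ASN."""
    return Counter(asn for _ip, asn, _port, _payload in events)


def dominant_asn(events, ratio: float = 5.0):
    """Return (asn, count) when the busiest ASN has at least `ratio` times the
    events of the runner-up, otherwise None. The ratio is an assumed threshold."""
    ranked = events_per_asn(events).most_common(2)
    if not ranked:
        return None
    top_asn, top = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    if runner_up == 0 or top >= ratio * runner_up:
        return (top_asn, top)
    return None


def ports_probed_by(events, asn: int):
    """Sorted set of destination ports one ASN has touched (RDP on alternative ports)."""
    return sorted({port for _ip, a, port, _payload in events if a == asn})


if __name__ == "__main__":
    idx = index_by_hash(SAMPLE_EVENTS)
    confirmed = payload_hash(PAYLOAD_A)  # pretend this hash was confirmed as the exploit
    print("sources sending the confirmed payload:", pivot(idx, confirmed))
    print("events per ASN:", dict(events_per_asn(SAMPLE_EVENTS)))
    print("dominant ASN (ratio 2):", dominant_asn(SAMPLE_EVENTS, ratio=2.0))
    print("ports probed by 49505:", ports_probed_by(SAMPLE_EVENTS, 49505))
```

The pivot works on the exact bytes, so a scanner that varies even one byte per target produces a different hash; in practice you would also compare hashes across several sensors before treating a match as the same tool.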
Update: the Watchbog botnet has apparently been found to be integrating a BlueKeep module.
#Watchbog botnet found to be integrating a #BlueKeep scanner along with newer exploit modules. Blog upcoming by @ulexec and me. pic.twitter.com/drz4wHVdCu
— polarply (@polarply) July 23, 2019
Update: the Rapid7 team is now custodian of a module that allows for remote code execution.
RE: #BlueKeep @Metasploit. I performed a full knowledge transfer of my notes/code to the MSF core team. The release timeline is out of my hands and up to Rapid7 discretion. I've been too busy to work on it for over a month anyways; fresh eyes and polish. Thanks for understanding. pic.twitter.com/hXvpqbUYam
— zǝɹosum0x0🦉 (@zerosum0x0) July 31, 2019