WannaCry is still fresh in our memory, reminding organizations of how destructive an unpatched vulnerability can be, especially when it is weaponized as a wormable threat that delivers ransomware. BlueKeep has been estimated to have the same disruptive potential as EternalBlue (the exploit WannaCry used to spread) if given worm-like behavior, particularly since RDP is a commonly used service in organizations, allowing IT and security teams to remotely dial into machines.
BlueKeep (CVE-2019-0708) was disclosed in May 2019. It is a pre-authentication flaw in Remote Desktop Services that is present in all unpatched Windows versions from Windows 2000 through Windows 7 and Windows Server 2008 R2; Windows 8 and later are not affected. Microsoft issued a security patch on 14 May 2019, including out-of-band updates for versions that had already reached end of life, such as Windows XP and Windows Server 2003. On 13 August 2019, related RDP vulnerabilities (CVE-2019-1181 and CVE-2019-1182), collectively named DejaBlue, were reported to affect newer versions, from Windows 7 and Windows Server 2008 R2 through Windows 10 and Windows Server 2019. On 6 September 2019, a Metasploit exploit module for the wormable BlueKeep vulnerability was publicly released.
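As an added check, not taken from the Bitdefender post: a PowerShell audit you can run on a Windows host to see whether it sits in the affected version range above, whether the May 2019 fix is installed, and whether RDP is reachable without Network Level Authentication (NLA), which Microsoft listed as a partial mitigation because the flaw is triggered before authentication. Assumptions: PowerShell 3.0 or later and an elevated session on the host being checked; the two KB numbers used as defaults are the Windows 7 SP1 / Server 2008 R2 SP1 updates, and the list for other platforms should be taken from Microsoft's advisory for CVE-2019-0708.

```powershell
# Added example (not from the original post): local audit of one Windows host
# for BlueKeep (CVE-2019-0708) exposure. Assumes PowerShell 3.0+ (Get-CimInstance,
# [pscustomobject]) and an elevated session.
function Get-BlueKeepExposure {
    [CmdletBinding()]
    param(
        # KBs of the 14 May 2019 fix for Windows 7 SP1 / Server 2008 R2 SP1
        # (security-only and monthly rollup). Other OS versions carry different
        # KBs; take the list for your platform from Microsoft's CVE-2019-0708 advisory.
        [string[]]$FixKBs = @('KB4499175', 'KB4499164')
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Affected: Windows 2000 through Windows 7 / Server 2008 R2 (build 7601).
    # Windows 8 (build 9200) and later are not affected by CVE-2019-0708.
    $affectedOs = ($build -le 7601)

    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts    = Get-ItemProperty -Path $tsKey
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $rdpOn = ($ts.fDenyTSConnections -eq 0)

    $rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp"
    # UserAuthentication = 1: NLA is required, so a client must authenticate
    # before it can reach the pre-authentication code path BlueKeep abuses.
    # Microsoft described this as a partial mitigation, not a substitute for the patch.
    $nlaOn = ($rdpTcp.UserAuthentication -eq 1)
    $port  = $rdpTcp.PortNumber

    # Look for any of the fix KBs among installed updates.
    $installed = @(Get-HotFix | Where-Object { $FixKBs -contains $_.HotFixID } |
                   Select-Object -ExpandProperty HotFixID)
    $patched = ($installed.Count -gt 0)

    # Exposed = affected OS, fix not found, RDP listening, and no NLA in front of it.
    $exposed = $affectedOs -and (-not $patched) -and $rdpOn -and (-not $nlaOn)

    if ($exposed) {
        $recommendation = "Apply the May 2019 RDP patch; until then require NLA or block TCP $port from untrusted networks"
    } elseif ($affectedOs -and -not $patched) {
        $recommendation = 'OS is in the affected range and the fix was not found; install the patch'
    } else {
        $recommendation = 'No BlueKeep exposure detected by this check'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        Build          = $build
        AffectedOS     = $affectedOs
        RdpEnabled     = $rdpOn
        RdpPort        = $port
        NlaRequired    = $nlaOn
        FixInstalled   = $patched
        FixKBsFound    = ($installed -join ',')
        Exposed        = $exposed
        Recommendation = $recommendation
    }
}

Get-BlueKeepExposure | Format-List
```

The KB lookup is the weakest part of the check: Get-HotFix only reports the update IDs it knows about, so treat a missing KB as "not confirmed" and reconcile against your patch-management inventory rather than assuming the host is unpatched.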
Malware developers invest time and energy in threats that generate a significant return on investment. Ransomware and cryptocurrency miners have both been known to produce substantial revenue for threat actors, especially when paired with wormable vulnerabilities or with brute-force attacks on RDP credentials.
BlueKeep follows this pattern: it has recently been found delivering a cryptojacking payload. While mining is profitable when a large number of devices are gathered into a pool, many systems still vulnerable to BlueKeep run on older hardware with limited computing power, so the criminals may not be making money as quickly or in the amounts they expected.
Coupling BlueKeep with a ransomware payload is far more appealing financially. The security industry feared this scenario, and it was only a matter of time until reports of BlueKeep dropping ransomware became reality.
While the number of targets vulnerable to BlueKeep is small compared with the global number of endpoints, ransomware is disruptive and hard to recover from, especially when it carries a wormable component. Ransomware also offers attackers a further advantage: the ransom demand can be tailored to the victim's profile.
Cryptojackers and ransomware are two edges of the same sword: both are focused on profit, they simply go about it differently.
Organizations with highly virtualized infrastructures that run vulnerable machines should also deploy hypervisor introspection technologies, which are capable of detecting and protecting against BlueKeep as well as against other known or unknown vulnerabilities.
Ultimately, given the ever-increasing number and sophistication of attacks and the growing attack surface in their infrastructure, organizations that need to improve their security posture should adopt a layered security approach capable of preventing, detecting, and blocking threats at the various stages of an attack. Having the right security and visibility tools can help organizations across all verticals minimize the risk of a data breach while speeding recovery and ensuring business continuity.
Bitdefender was able to proactively halt BlueKeep even during its zero-day phase, using our hypervisor introspection technology. We publicly announced this in September, having anticipated the high risk posed by the vulnerability. Today, GravityZone™, Bitdefender's end-to-end breach avoidance platform, helps organizations defend themselves against BlueKeep-enabled attacks such as ransomware or cryptojacking.
Our unified hardening, prevention and detection security platform breaks the attack chain at multiple stages. The recent Network Attack Defense technology detects and helps block the exploit for GravityZone customers, while our patch management solution helps ensure our customers apply the latest Microsoft patches that protect against BlueKeep. Bitdefender's multiple pre-execution and on-execution layers (e.g. machine-learning anti-malware, Process Inspector, HyperDetect) also halt ransomware, cryptojacking or other threats delivered through BlueKeep, well before they can execute or affect business operations.
Want to learn more and get a custom quote? Please reach out to us.
Ref: Bitdefender Business Insights | Wikipedia