First BlueKeep Attacks Begin: Check Point Customers Remain Protected

By Adeline Chan, Threat Prevention Product Marketing Manager, published November 11, 2019

After months of warning, the first BlueKeep attacks finally happened.

BlueKeep, a critical vulnerability found in older versions of Microsoft Windows, was discovered in the wild as part of a new hacking campaign. Security researchers detected the campaign through honeypots, decoy computer systems set up to detect BlueKeep attacks.

Looking back at the history of BlueKeep

First reported in May 2019, BlueKeep (CVE-2019-0708) was highlighted as a critical security vulnerability by Microsoft. The vulnerability exists in the Remote Desktop Protocol (RDP) and allows for Remote Code Execution (RCE). BlueKeep is dangerous because it is wormable: malware exploiting this vulnerability on one system could propagate to other vulnerable systems, much as attackers used the EternalBlue exploit to infect systems with the notorious WannaCry and Petya/NotPetya.

Microsoft deemed BlueKeep so serious that the company took the rare action of issuing patches for unsupported older Windows operating systems affected by this vulnerability. The NSA (U.S. National Security Agency) and the Department of Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) issued a cybersecurity advisory and a warning, respectively, to Windows users on the danger of the BlueKeep vulnerability, urging those with vulnerable systems to patch them.

Check Point first to protect against BlueKeep exploits

Check Point, recognizing the criticality of this vulnerability, issued both IPS and Endpoint protections immediately following the announcement in May. SandBlast Agent, Check Point’s endpoint solution, was the first product to protect against this vulnerability in May. For four months, Check Point was the only endpoint vendor to protect against this vulnerability.

BlueKeep is weaponized

When Microsoft announced BlueKeep in May, it was only a theoretical threat, as there was no working exploit code. Since then, we have seen the notorious BlueKeep vulnerability escalate from a critical vulnerability to an immediate, critical threat when the open source Metasploit framework released a BlueKeep exploit module on September 6. The Metasploit framework is a penetration testing platform that is used by security practitioners and cybercriminals alike. The publication of the BlueKeep exploit code essentially provided hackers with weaponized, working code that enables the creation of a dangerous worm. This was also observed by Microsoft’s security team through the increase in RDP service crashes that started on September 6, 2019.

First BlueKeep attacks

The first BlueKeep attacks used BlueKeep to deliver cryptominers to vulnerable systems. Cryptominers typically leech a victim’s processing power to generate cryptocurrency. These first BlueKeep attacks have no worm capabilities and are unlikely to result in an epidemic. However, Microsoft’s security team believes that more destructive attacks are on the horizon as attackers refine their code. The BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners. Once an exploit for a vulnerability like BlueKeep exists in the wild, the problem never really goes away.

Check Point customers remain protected

It is estimated that three quarters of a million systems worldwide have yet to be patched and thus remain vulnerable to BlueKeep exploits. It is critical that organizations protect themselves – and others – by patching the flaw now, before it is too late. For the third time this year, Microsoft urged users to apply patches. In addition, companies should also thoroughly inspect systems that might already be infected or compromised, because BlueKeep can be exploited without leaving obvious traces.

In addition to the relevant Microsoft patches, Check Point provides both network and endpoint protections against this attack. Check Point customers who have implemented these protections remain protected. Check Point’s BlueKeep protections for network and endpoint are based on the IPS and endpoint security products. These products are designed to protect organizations against the BlueKeep vulnerability and new weaponized versions of this attack. Check Point’s advanced endpoint security solution, SandBlast Agent, detects and alerts on BlueKeep-based scans and attacks if the machine is patched. Watch a video demo of how the weaponized BlueKeep code works and how it is blocked by SandBlast Agent.