For the past three weeks, security professionals have warned with increasing urgency that a recently patched Windows vulnerability has the potential to trigger attacks not seen since the WannaCry worm that paralyzed much of the world in 2017. A demonstration video circulating on the Internet is the latest evidence to prove those warnings are the real deal.

It was posted Tuesday by Sean Dillon, a senior security researcher and RiskSense. A play-by-play helps to underscore the significance of the feat.

Rough draft MSF module. Still too dangerous to release, lame sorry. Maybe after first mega-worm?

? PATCH #BlueKeep CVE-2019-0708 ?


— zǝɹosum0x0? (@zerosum0x0) June 4, 2019

The video shows a module Dillon wrote for the Metasploit exploit framework remotely connecting to a Windows Server 2008 R2 computer that has yet to install a patch Microsoft released in mid May. At about 14 seconds, a Metasploit payload called Meterpreter uses the getuid command to prove that the connection has highly privileged System privileges. In the remaining six seconds, the hacker uses the open source Mimikatz application to obtain the cryptographic hashes of passwords belonging to other computers on the same network the hacked machine is connected to.

Its these last six seconds that underscore the danger posed by the vulnerability, which according to Internet scan results posted eight days ago remains unpatched on almost 1 million computers. The flaw, which is indexed as CVE-2019-0708 but is better known by the name BlueKeep, resides in earlier versions of the Remote Desktop Services, which help provide a graphical interface for connecting to Windows computers over the Internet. A much more detailed blow-by-blow is here.

Only takes one

Last Friday, members of the Microsoft Security Response Team practically begged organizations that hadnt patched vulnerable machines to do so without delay, lest another WannaCry scenario play out. “It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” MSRC members wrote. In a rare move, officials with the National Security Agency on Tuesday echoed Microsofts warning. The video posted by Dillon, particularly in the last six seconds, demonstrates that the danger is in no way exaggerated.

"It means all it takes is one unpatched system to lead to an infection of patched systems,” Rob Graham, the Errata Security CEO who conducted the above-linked Internet scan, told Ars. “Big companies often have a single RDP server with hundreds of users logged in. Mimikatz will grab all their passwords, then allow the worm to spread to all those desktops in one fell swoop.”

If the intermingling of Mimikatz and a critical Windows vulnerability to devastating effect sounds familiar, its probably because thats how another paralyzing worm, dubbed NotPetya, managed to wipe out entire networks. According to an analysis from Kaspersky, NotPetya, which is regarded as the most expensive malware attack in history, used the Eternal Blue exploit developed by and later stolen from the NSA to exploit one or more vulnerable machines. NotPetya, Kaspersky said, would then use Mimikatz to extract credentials from the Windows process known as lsass.exe on the compromised machines. NotPetya would then use the credentials to infect fully patched machines through the Windows management instrumentation command or the tool called PsExec.

In the NotPetya analysis, Kaspersky researchers wrote, “IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.”

Clock is ticking

Of course, a big difference between WannaCry and NotPetya two years ago and BlueKeep exploits now is that malicious hackers dont have the benefit of the devastating leak by the still-unknown group calling itself the Shadow Brokers. A month prior to the WannaCry outbreak, the group dumped the highly reliable EternalRead More – Source

[contf] [contfnew]

Ars Technica

[contfnewc] [contfnewc]


Please enter your comment!
Please enter your name here