The Australian Signals Directorate (ASD) is warning Windows admins to “immediately” patch the BlueKeep bug after a researcher handed an exploit for it to developers of the Metasploit Project.
The agency is urging Australian organizations to patch now in anticipation of the Metasploit Project including an exploit for BlueKeep in the popular open-source penetration-testing kit, the Metasploit Framework.
A security researcher who uses the Twitter handle @zerosum0x0 disclosed the exploit to the Metasploit Project in late July; however, the group has said it would keep the code private for now. The project recently released a module that uses BlueKeep for a denial-of-service attack, but not for remote code execution.
“The disclosure, once made available to the public, is anticipated to increase the amount of RDP scanning activity, increasing the chances of attempted exploitation of unpatched systems,” ASD’s Australian Cyber Security Centre (ACSC) said in a statement.
The agency said it was aware of malicious activity suggesting widespread abuse of BlueKeep, also identified as CVE-2019-0708, a flaw that can allow a remote attacker to attack systems listening for RDP on the internet and steal an organization’s credentials.
BlueKeep affects Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems, but not Windows 10.
It’s the ASD’s second warning to Australian organizations, after a reminder in June that BlueKeep was a serious enough threat for Microsoft to release patches for unsupported Windows versions such as Vista and Windows XP. UK and US spy agencies have also raised alarms over the flaw.
ACSC head Rachel Noble estimated as many as 50,000 devices within Australian organizations could be affected.
Microsoft released the patch for BlueKeep in its May Patch Tuesday update, along with special updates for unsupported systems, because Microsoft believes this wormable bug, meaning one that can spread from machine to machine without user interaction, has the potential to become a repeat of the WannaCry outbreak in May 2017.
The ACSC’s new warning follows one from Microsoft last Thursday. First and foremost, the company recommends applying the patch, but it also offers secondary mitigation advice, in particular enabling Network Level Authentication (NLA), which requires users to authenticate before a remote session is established.
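As an added illustration of that secondary mitigation (this script is not from the article, ASD or Microsoft), the following PowerShell audits a single Windows host for the settings that matter here: whether Remote Desktop is enabled, whether anything is listening on the configured RDP port, and whether NLA is required, and can optionally turn NLA on. It assumes the default `RDP-Tcp` listener name and uses WMI rather than CIM so that it also runs on the older Windows 7 / Server 2008 systems the article lists; the `-Remediate` switch is a hypothetical name chosen for this example.

```powershell
# Added example: audit one host for the BlueKeep (CVE-2019-0708) mitigation posture.
# Run in an elevated PowerShell prompt. Assumes the standard 'RDP-Tcp' listener.
param(
    [switch]$Remediate   # hypothetical switch: when set, require NLA if it is currently off
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 means NLA is required, so a client must authenticate
# before a session is created instead of reaching the pre-authentication RDP code.
$nla = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

# Read the configured listener port (3389 by default) and see if it is bound.
$port      = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber
$listening = [bool](netstat -an | Select-String -Pattern "TCP\s+\S+:$port\s+\S+\s+LISTENING")

# Summary object: feed this into a fleet inventory to find exposed, NLA-less hosts.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = (Get-WmiObject Win32_OperatingSystem).Caption
    RdpEnabled   = $rdpEnabled
    RdpPort      = $port
    Listening    = $listening
    NlaRequired  = ($nla -eq 1)
}

if ($Remediate -and $rdpEnabled -and $nla -ne 1) {
    # Same setting as "Allow connections only from computers running Remote Desktop
    # with Network Level Authentication" in System Properties. The TerminalServices
    # WMI namespace requires packet-privacy authentication on Vista/7/2008.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
    $null = $ts.SetUserAuthenticationRequired(1)
    Write-Output 'NLA is now required on RDP-Tcp. Installing the CVE-2019-0708 update is still required.'
}
```

NLA reduces exposure but does not remove the vulnerability, so a host reported as `NlaRequired = True` still needs the May update installed.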
“It’s important to note that the exploit code is now publicly and widely available to everyone, including malicious actors,” Microsoft wrote. “By exploiting a vulnerable RDP system, attackers will also have access to all user credentials used on the RDP system.”