Why Microsoft’s BlueKeep Bug Hasn’t Wreaked Havoc—Yet


When news appeared in May of the security vulnerability in Windows that would come to be known as BlueKeep, security researchers almost immediately cautioned that the flaw looked like the central ingredient for a destructive worm sure to rampage through the internet. Microsoft issued a series of stark warnings to patch the flaw, which persisted in roughly a million computers. Even the NSA took the rare step of noting the bug's severity.

But fully two months later, the dreaded BlueKeep doomsday has yet to materialize. In fact, its apparent absence has made clear that in an age of hardened operating systems with built-in protections against easy exploitation, the mere existence of a known flaw in software no longer means an immediate open season for hackers. State-sponsored groups may already be using it for quiet intrusions, but low-skilled criminals have yet to use it for wide-scale calamity. But that doesn't mean that a larger wave of BlueKeep exploitation isn't in store if—or when—the secret details of exploiting the Windows vulnerability leak out to a wider audience.

"I would bet money that it's already being exploited quietly," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who has privately coded a working BlueKeep exploitation proof-of-concept. Like others who have tested the bug, Hutchins hasn't released his code for fear of enabling malicious use.

If the timeline of BlueKeep's exploitation follows three stages—white hat hacker testing, sophisticated targeted attacks, and then a wider free-for-all, "we're on stage two," Hutchins says. "To get to a worm right now, there would need to be someone with the skills to write an exploit and the motive to make a worm—until some asshole makes a proof-of-concept public, and then all the people who don’t know any better will make it into a worm."

Do the Worm

On Wednesday, security firm BitSight released the results of a new round of scanning for the BlueKeep flaw, which affects unpatched Windows machines running Windows 7 or earlier. The company found that about 800,000 computers remain vulnerable to the attack—a significant drop from the nearly one million unpatched machines BitSight counted in late May, but still enough to cause mayhem if a worm were unleashed. Security researcher Rob Graham, the founder of Errata Security, found 730,000 unpatched machines in his own scans, down from his May count of just over 920,000. (You can download the patch here.)

"You don't want to be the country that triggered WannaCry 2.0."

Jake Williams, Rendition Infosec

According to BitSight's analysis of the IP addresses of those vulnerable computers, individual PCs connected to the internet via consumer ISPs remain the most vulnerable, with more than 30 percent unpatched. But in other industries like education, government, utilities and tech firms comprise close to five percent of exposed machines. That's likely due to sprawling, uncounted inventories of servers and legacy software that's tough to patch without breaking applications, says BitSight director of security research Dan Dahlberg. And that's just the machines that are visible to the public internet, rather than hidden behind a firewall.

"There have been very few of these situations over the years where a vulnerability has lined itself to be so wormable," Dahlberg says. "It’s still just a function of time until someone with more nefarious end goals might develop something." Microsoft did not respond to an inquiry as to whether it had seen a BlueKeep exploit being used in the wild.

The obvious point comparison is EternalBlue, a hacking tool that was stolen from the NSA by mysterious hackers known as the Shadow Brokers. Publicly leaked in 2017, EternalBlue was integrated into both the WannaCry and NotPetya worms, both of which caused worldwide harm. But thanks to the Shadow Brokers, EternalBlue was readily available to anyone who wanted it. Any hacker who wants to exploit BlueKeep has to build their hacking tool from scratch. That requires reverse engineering information about the vulnerability from Microsoft's patch for the bug, which affects a Windows screen-sharing feature known as Remote Desktop Protocol, or RDP. And that task has proven to be beyond the technical skills of the average cybercriminal or watch-the-world-burn internet vandal, says Marcus Hutchins.

"It's a very niche skillset," Hutchins says of the RDP reverse engineering that allowed him to exploit the bug. "Attackers that go around mass-infecting devices aren’t likely to write a BlueKeep exploit."

A Thin Blue Line

The gap between the BlueKeep bug and an actual BlueKeep hacking tool comes down in part to the vulnerability's finicky mechanics. RDP includes a series of "channels" that allow computers to share various information—one channel for visuals, one for audio, another for file-sharing, for instance. But one obscure RDP channel includes a flaw that serves as BlueKeep's initial foothold. The channel is designed to include "pointers" that can summon up commands from code libraries on the machine a user is connected to. But a hacker can swap them out for pointers of their own, so that they instead run malicious code the hacker has planted in the computer's memory—also by loading it via that RDP channel—thus executing their own commands on a victim machine.

Andy Greenberg is a WIRED security writer and author of the forthcoming book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.

The catch, however, is that a security protection in Windows known as address space layout randomization, or ASLR, randomizes the location of code in memory. Even when the hacker has injected their malicious commands, they can't be sure where to "point" in memory to find them. Hackers might try a technique called "heap spraying," in which they copy the code into memory as many times as possible in hopes of increasing the likelihood their "pointer" will hit, but the result remains an unreliable exploit that will likely crash the computer rather than take control of it.

Bypassing that ASLR hurdle requires another trick, Hutchins says, one that he declined to share on the record. "There's a much more surgical method that results in a much higher likelihood of successful exploitation," he says. And that trick may be the last real barrier holding back a flood of BlueKeep attacks.

Meanwhile, there's little reason to think that stealthy, sophisticated hackers aren't already exploiting BlueKeep in secret, says Jake Williams, a former NSA hacker and founder of the firm Rendition Infosec. "Every nation state with a serious CNE program doubtless has developed their own working exploit," says Williams, using the industry acronym CNE for "computer network exploitation." While he's seen no evidence of that in the wild, Williams points out that the bug can be exploited via an encrypted connection, making it potentially difficult to detect.

Sophisticated state-sponsored hackers may also be exploiting BlueKeep in just a small number cases, in an attempt to avoid losing control of their hacking tool. "Deploying it in the wild is surely seen as risky. You don't want to be the country that triggered WannaCry 2.0," Williams says. But that likely hasn't prevented highly targeted and stealthy attacks, he says, perhaps used within breached networks to move between computers rather than to gain an initial beachhead. "On an individual basis, I think they're absolutely using it. I believe it’s happening in very small, limited batches, not in some unrestricted manner."

Of course, the most likely way that a powerful BlueKeep hacking tool will leak out to the public remains that a security researcher or white hat hacker lets it slip onto the internet, where it can be repurposed by all manner of malicious actors—a line that could still be crossed at any time. "The restraint in the security research community has been intense. Many people have reliable exploits, but nobody wants to be 'that guy' by releasing it," Williams says. "Sooner or later, that will change."

More Great WIRED Stories