Updated August 2019
About 18 months ago, we discussed some great examples of zero-day exploits that were occurring at the time. Stuxnet, known as the world’s first cyber weapon, was used to break Iran’s uranium enrichment centrifuges when it was feared they were producing chemical weapons; Sony fell victim to a zero-day attack that, at the time, was the worst corporate cyberattack in history; a zero-day exploit was being sold for $90,000; and of course we can’t forget the data breach at the Democratic National Committee, which was the result of a zero-day exploit.
What’s important to note, however, is that, as we always tell you about ransomware, zero-day attacks aren’t going anywhere. Before providing updated examples, let’s revisit what a zero-day vulnerability is.
Zero-Day Attacks Defined
Zero-day attacks, also known as zero-day vulnerabilities or zero-day exploits, have various definitions. Some zero-day attacks target vulnerabilities that have not been patched or made public, while in others a hacker takes advantage of a security vulnerability on the same day it becomes publicly known. The more threatening zero-day attacks we have seen, however, come from software or hardware vulnerabilities exploited by an attacker while the general cybersecurity community has no prior knowledge of the flaw. This type of zero-day attack causes the most damage: it can go years without being detected and, to make matters worse, no fix or patch is readily available if and when it is discovered.
Recent Zero-Day Exploit - BlueKeep
In May 2019, Microsoft issued two warnings on critical Windows patches that block potential attackers from abusing a Remote Desktop Services (RDS) remote code execution vulnerability dubbed BlueKeep. Despite the multiple warnings from Microsoft, many Windows machines are still unpatched and remain vulnerable to the BlueKeep zero-day exploit.
BlueKeep, also known as CVE-2019-0708, is a vulnerability in the Remote Desktop Protocol (RDP) service included in older versions of the Windows operating system. The vulnerability is described as wormable, meaning it could self-propagate in a similar way to EternalBlue, which was used in the famous WannaCry ransomware outbreak. Because of the potential damage BlueKeep could bring about, the NSA, the US Department of Homeland Security, Germany’s BSI cyber-security agency, the Australian Cyber Security Centre, and the UK’s National Cyber Security Centre have all issued security alerts urging individuals and companies alike to patch older versions of Windows.
Since the vulnerability was discovered, security researchers have been holding their breath in the hope that no hacker weaponizes BlueKeep. While several cybersecurity firms have developed a fully working exploit for BlueKeep, they have declined to release proof-of-concept code, fearing it would be abused and spark a WannaCry-like outbreak.
However, on July 23, Immunity Inc. announced that it had included a fully working BlueKeep exploit in CANVAS v7.23. CANVAS, however, is the firm’s penetration-test toolkit and costs thousands to tens of thousands of dollars.
“The Immunity product, Canvas, has more than 800 exploits. All of them, including BlueKeep, have a patch,” said Chris Day, Chief Cybersecurity Officer and General Manager of Cyxtera. “We happen to be the first commercial company to include this in our product so companies can test to see if their exposed RDP-enabled systems are actually secure against the vulnerability.”
The scary side of this fully working BlueKeep exploit is that hackers could pirate or legitimately buy the penetration-test toolkit. However, companies and individual users still have time to patch their systems before Immunity’s BlueKeep exploit leaks. BlueKeep is known to affect Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008; modern Windows 10 versions are not affected. As of the beginning of July, BitSight found that the number of vulnerable machines was down from one million in May to around 805,000.
What can you do? The first and most important step is to ensure that all of your software and hardware is up to date with the latest updates and patches. Never click a suspicious link in an email or open an attachment from someone you don’t know: if it doesn’t look right, chances are it isn’t. Be diligent with your cybersecurity training, and don’t let your curiosity get the best of you!
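As an added example that is not part of the original post, the Python script below triages a constructed host inventory against the affected-version list above, ranking unpatched hosts whose RDP is reachable from the internet first. The `Host` fields and the KB identifiers in the sample are assumptions; replace the placeholder KB values with the update IDs from Microsoft’s advisory for CVE-2019-0708.

```python
"""Prioritise patching for BlueKeep (CVE-2019-0708) from a host inventory."""
from dataclasses import dataclass, field

# Windows versions the post lists as affected; Windows 10 is not on the list.
AFFECTED_OS = {
    "Windows XP", "Windows Vista", "Windows 7",
    "Windows Server 2003", "Windows Server 2008",
}


@dataclass
class Host:
    name: str
    os: str
    rdp_enabled: bool       # RDP service listening on the host
    internet_exposed: bool  # TCP/3389 reachable from outside the network
    installed_updates: set = field(default_factory=set)


def classify(host, required_updates):
    """Return (priority, reason) for one host.

    required_updates maps an OS name to the set of KB ids that fix the
    vulnerability for that OS. An OS with no known fixing update, or a host
    missing every listed update, is treated as unpatched.
    """
    if host.os not in AFFECTED_OS:
        return ("none", "OS not affected")
    needed = required_updates.get(host.os, set())
    if needed and needed & host.installed_updates:
        return ("none", "patched")
    if not host.rdp_enabled:
        return ("low", "unpatched but RDP disabled")
    if host.internet_exposed:
        return ("critical", "unpatched, RDP reachable from the internet")
    return ("high", "unpatched, RDP enabled on the internal network")


def triage(hosts, required_updates):
    """Rows of (name, priority, reason), most urgent first."""
    order = {"critical": 0, "high": 1, "low": 2, "none": 3}
    rows = [(h.name, *classify(h, required_updates)) for h in hosts]
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample data; KB ids are placeholders, not real update numbers.
REQUIRED = {"Windows 7": {"KB-PLACEHOLDER-WIN7"},
            "Windows Server 2008": {"KB-PLACEHOLDER-2008"}}
SAMPLE_HOSTS = [
    Host("dc01", "Windows Server 2008", True, False, {"KB-PLACEHOLDER-2008"}),
    Host("kiosk7", "Windows 7", True, True),
    Host("lab-xp", "Windows XP", False, False),
    Host("ws10", "Windows 10", True, True),
    Host("file7", "Windows 7", True, False),
]
```

Running `triage(SAMPLE_HOSTS, REQUIRED)` puts `kiosk7` at the top because it combines an affected OS, a missing fix and internet-facing RDP.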
Photo courtesy of Varonis