Warning over 'onslaught' of new Windows malware after BlueKeep details were published on GitHub
GitHub BlueKeep explainer significantly lowers the bar for writing malware similar to NotPetya and WannaCry
Organisations have been warned over a likely "onslaught" of new Windows malware after a guide was published on GitHub showing how the BlueKeep vulnerability, the subject of a rare NSA patching advisory, can be exploited.
The new how-to guide, a set of slides, was posted on GitHub by a security researcher and explains how the flaw can be used to target unpatched Windows systems.
According to security specialists, the slides represent the most detailed technical documentation of the bug available so far in the public domain, and significantly lower the bar for writing highly destructive, self-propagating exploits similar to the NotPetya and WannaCry attacks of 2017.
BlueKeep, indexed as CVE-2019-0708, is a wormable flaw that affects older versions of the Windows operating system. It lies in the Remote Desktop Protocol (RDP) service and could be exploited by attackers to run code on a target and propagate malware from machine to machine.
According to Microsoft, this pre-authentication vulnerability requires no user interaction, so malware exploiting it can spread from one vulnerable system to another on its own. The flaw is so dangerous that Microsoft released patches earlier this year for some of its no longer supported operating systems, including Windows XP, Windows Vista and Windows Server 2003.
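For an administrator who wants to know whether a given legacy host is still exposed, the following PowerShell check is an added example and is not code from the article or from the researcher's slides. It assumes the BlueKeep fix is delivered in the KB packages listed in Microsoft's CVE-2019-0708 guidance (the KB numbers in the table below should be re-checked against the current advisory) and that RDP is configured through the standard Terminal Server registry keys. It reports whether the host runs an affected Windows version, whether a fix is installed, whether RDP is enabled and listening, and whether Network Level Authentication (NLA) is required, which Microsoft describes as a partial mitigation because it forces authentication before the vulnerable code path is reached.

```powershell
# Added example: local BlueKeep (CVE-2019-0708) exposure check for one Windows host.
# Not from the article. Assumptions: the KB numbers below come from Microsoft's
# CVE-2019-0708 guidance and must be verified against the current advisory;
# the registry values are the standard Terminal Server settings.
# Written for PowerShell 2.0 so it runs on Windows 7 / Server 2008 era hosts.

$bluekeepKbs = @{
    # "<major>.<minor>" OS version => KBs (security-only, monthly rollup) carrying the fix
    '6.1' = @('KB4499175', 'KB4499164')   # Windows 7 SP1 / Server 2008 R2
    '6.0' = @('KB4499180', 'KB4499149')   # Windows Vista / Server 2008 SP2
    '5.2' = @('KB4500331')                # Windows Server 2003 / XP x64
    '5.1' = @('KB4500331')                # Windows XP
}

function Get-BlueKeepExposure {
    $os  = [System.Environment]::OSVersion.Version
    $key = "$($os.Major).$($os.Minor)"
    $result = @{
        OSVersion      = $os.ToString()
        AffectedOS     = $bluekeepKbs.ContainsKey($key)
        PatchInstalled = $null
        RdpEnabled     = $null
        NlaRequired    = $null
        Listening3389  = $null
        Exposed        = $false
    }
    if (-not $result.AffectedOS) {
        # Windows 8 and later (6.2+) are not affected by CVE-2019-0708.
        return New-Object -TypeName PSObject -Property $result
    }

    # Any one of the listed KBs for this OS version contains the fix.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    $result.PatchInstalled = [bool]($bluekeepKbs[$key] | Where-Object { $installed -contains $_ })

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $result.RdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 on the RDP-Tcp listener means NLA is required.
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $result.NlaRequired = ($nla -eq 1)

    # Get-NetTCPConnection does not exist on these hosts, so parse netstat.
    $result.Listening3389 = [bool](netstat -ano | Select-String -Pattern ':3389\s+.*LISTENING')

    # Unpatched, RDP reachable and no NLA: an unauthenticated attacker can reach the bug.
    # NLA only raises the bar (the attacker needs valid credentials); the patch removes the flaw.
    $result.Exposed = $result.RdpEnabled -and $result.Listening3389 -and
                      (-not $result.PatchInstalled) -and (-not $result.NlaRequired)

    return New-Object -TypeName PSObject -Property $result
}

Get-BlueKeepExposure | Format-List
```

Run it in an elevated PowerShell session on the host being checked. A result with `AffectedOS` true and `PatchInstalled` false should be treated as a patching task regardless of the other fields; `NlaRequired` true only buys time against unauthenticated attackers.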
About one million Windows systems were still vulnerable to the BlueKeep RDP security flaw in May, more than two weeks after the release of a security patch by Microsoft.
Last month, a security expert demonstrated a working exploit of the BlueKeep vulnerability, which could enable attackers to take full control of a system in just 22 seconds.
The slides posted on GitHub are written almost entirely in Chinese and explain in detail how to carry out the heap spray technique needed to exploit the vulnerable Remote Desktop service.
"It basically gives a how-to guide for people to make their own RCE," security researcher Marcus Hutchins told Ars Technica.
"It's a pretty big deal given that now there is almost no bar to stop people publishing exploit code.
"Most of the bar comes from the need to reverse engineer the RDP protocol to find out how to heap spray," Hutchins explained, but now, more people would be able to implement the RDP protocol and exploit the bug.
Some security experts, however, believe that even with the new details a substantial level of technical skill is still required to develop a BlueKeep exploit that does not crash the target.