A Tale of Two Exploits

21.06.24 02:46 AM - By Benjamin Langrill

"Oh no!"

The Microsoft security bulletins for May 2019 included CVE-2019-0708, soon known as BlueKeep. It was a wormable vulnerability, meaning that an exploit could remotely take over a system with no user interaction and then continue spreading to other vulnerable systems. It was a flaw in the Remote Desktop Protocol, which is ubiquitous in business networks. All signs pointed to a repeat of 2017, when WannaCry and NotPetya were unleashed on the world using another wormable exploit.

The NSA and Microsoft both issued statements that nearly 1 million vulnerable devices were on the internet. Countless millions more existed inside organization networks. A cyber attack at least as bad as WannaCry, which was still fresh in everyone's mind, seemed imminent.

One critical problem with this theory: BlueKeep attack code was missing. The vulnerability hadn't been found through a leak from a high Influence Energy threat actor. It was found by security researchers looking for vulnerabilities (which is what is supposed to happen!).

To understand why this matters, take a look at the table below of the software exploit lifecycle, which includes the Influence Energy required to reach each step.

| Step             | Process                                                            | Influence Energy |
|------------------|--------------------------------------------------------------------|------------------|
| Searching        | Analyzing computer code for vulnerabilities                        | 2                |
| Proof of Concept | Finding a particular input sequence that crashes the program       | 3                |
| Targeted         | Refining the input sequence to execute code that you send          | 4                |
| Weaponized       | Finding input sequences for other versions and/or operating systems | 5                |
| Reliable         | Testing the code repeatedly to ensure it never crashes the system  | 6                |

Each step takes 10x the effort of the previous step, and there is no cyber criminal ROI potential until the Targeted stage, where the exploit would work against a single target. Weaponized and Reliable make it more broadly useful with a potentially higher payoff, but wider use means a greater risk of detection and the loss of ROI once targets are patched.

BlueKeep started in the Searching step and quickly reached the Proof of Concept stage. This stage was not dangerous as a worm, since it immediately killed its victims by crashing them. It took many months (10x the time) for researchers to get it to the Targeted stage, where it could be used in specific circumstances. Of course, by this point the Microsoft patch had seen wide deployment, so this was an academic exercise. Without strong incentive behind development, BlueKeep never reached Weaponized or Reliable.

Contrast this with WannaCry, which came into public view in the Reliable state: not just reliable, but reliable against a common configuration of the world's most common operating system. The exploit behind WannaCry was EternalBlue, leaked from an intelligence agency that had likely spent between 10 and 100 million dollars to end up with it (Influence Energy 6). This kind of investment was for a nuclear-level cyber weapon never intended for public release. It was likely used in secret operations for many years, carefully shielded from detection lest it be patched and its ROI go to zero.

WannaCry drove some terrible cyber incidents and caused massive impact. BlueKeep was an interesting hacker tool and the source of wild speculation about how terrible it could be, and yet no noteworthy attacks were ever found to use it.

When you create action plans for new vulnerabilities and exploits, keep economic incentives in mind. Understanding what state public exploit capabilities are in will let you zero in on the highest risks and ignore the noise.

If you need help picking out the WannaCrys from the BlueKeeps, reach out to Security Optimizer today! I can help scan for, prioritize, and remediate risk appropriate to your organization.

Benjamin Langrill