, 13 tweets, 2 min read
My Authors
Read all threads
When the news broke about BlueKeep exploitation in the wild, most of the reactions were basically "it's not a worm, so it doesn't matter". I decided I'd do a thread on why that's wrong, and why a worm isn't even a worst case scenario.

THREAD:
There are 2 main purposes of a worm (self propagation).
1) dealing with cases when there are too many vulnerable systems to reliably infect with just scanning alone.
2) dealing with a large disparity between the number of external and internal facing vulnerable systems.
the WannaCry worm served both of these purposes. Firstly, there were too many vulnerable system to infect with just a scanning servers. Secondly, if a network had SMB exposed, then the chances that every single device on that network was vulnerable were very high.
BlueKeep is different. Not only is the number of externally facing vulnerable machines low enough to infect with a couple servers. But also, RDP is only enabled by default on Windows Server operating systems.
Because Windows clients don't expose RDP by default, unlike SMB, a BlueKeep worm wouldn't be able to pivot to systems within a network like WannaCry did. Furthermore, I'd guess it's fairly likely that if one of the network's RDP servers is exposed to the internet, the all are.
For all these reasons, a BlueKeep worm would not be hugely effective and not at all like WannaCry. They might infect marginally (not exponentially) more systems, but the downsides are huge.
A worm would not only attract a lot of attention, but be technically challenging due to the limitations of BlueKeep. The exploit is both unstable and non-generic (the attacker would need to somehow fingerprint the OS and exploit accordingly).
Building a worm in a way that doesn't just repeatedly crash every BlueKeep vulnerable system would be challenging, and by no means worth the reward. I'm not really worried about a worm, what I'm worried about is something that could be already happening.
Most BlueKeep vulnerable devices are servers. Generally speaking, Windows servers have the ability to control devices on the network. Either they're domain admin, have network management tools installed, or share the same local admin credentials with the rest of the network.
By compromising a network server, it is almost always extremely easy to use automated tooling to pivot internally (Ex: have the server drop ransomware to every system on the network).
The real risk with BlueKeep is not a worm. A worm is pointless and noisy. Once an attacker is on the network, they can do far more damage with standard automated tools than they could ever do with BlueKeep.
Remember all those news stories about entire networks being ransomwared? That starts with a single system being hacked. Not even a server, a normal, non admin, client system. Attackers don't needs worms, it was just convenient in the case of WannaCry/EternalBlue.
People need to stop worrying about worms and start worrying about basic network security. Firewall your servers off from the internet, learn about credential hygiene. Occasionally worms happen, but every day there are entire networks compromised using only standard tools.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with MalwareTech

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!