From exploits to honeypots: How the security community is preparing for BlueKeep’s moment of truth

Two years after the WannaCry ransomware wreaked havoc on the internet, security professionals are having a grim case of déjà-vu. They’ve tallied the internet-facing computers that aren’t patched for BlueKeep, a vulnerability in old Microsoft Windows operating systems, and wonder when that negligence will come home to roost.

“I think everyone is in agreement that once exploits for this are public, it’s going to be bad,” Craig Williams, Cisco Talos’ director of outreach, told CyberScoop.

The BlueKeep vulnerability is in Remote Desktop Services, a popular Windows program that grants remote access to computers for administrative purposes. By abusing that remote access, a hacker could delete data or install a new program on a system.

“Every CISO right now should have a plan already written down to deal with BlueKeep once the exploit starts surfacing,” Williams said. Organizations need layered defenses so that any BlueKeep-based infection “doesn’t spread like wildfire behind what you thought was a protected perimeter,” he added.

WannaCry exploited a different Windows flaw to infect over 200,000 machines in 150 countries, costing Britain’s National Health Service alone more than $100 million. Like WannaCry, BlueKeep is “wormable,” meaning malware abusing the vulnerability could spread on its own from one vulnerable system to the next.

Security experts are hoping to avoid a repeat of WannaCry’s wreckage, but they worry that Microsoft’s warning in May about BlueKeep, along with advisories from U.S. security officials, might not have mobilized enough attention to the issue. Rather than wait around for an exploit to emerge, they are developing their own “proofs of concept” (PoC) to raise awareness and help organizations defend themselves.

Last week, antivirus and research firm Sophos released a video of a PoC exploit showing how a hacker could use BlueKeep to go well beyond crashing a Windows system to take remote control of a computer.

Andrew Brandt, principal researcher at Sophos, said the goal of publishing the PoC was to arm security executives with urgent, tangible information when speaking to company leaders about BlueKeep.

“We wanted to give the ammunition to the people who would go into the boardroom and report to the board,” he told CyberScoop.

Developers of the PoCs have to walk a fine line: publish enough information to light a fire under executives without giving miscreants a roadmap for exploiting it in the wild. That sensitivity was underscored by the fact that, according to Sophos, Microsoft did not share additional information on BlueKeep through its Active Protections Program (MAPP), a private channel to help software providers expedite security fixes.

Microsoft’s withholding of BlueKeep-related information for fear of it leaking was understandable, but it also slowed the process for building defenses against potential exploits, Brandt said.

A Microsoft spokesperson declined to comment on why the company reportedly did not release more information about BlueKeep through MAPP. The spokesperson also declined a request to interview a Microsoft security expert on how the company is dealing with BlueKeep. Instead, Microsoft referred CyberScoop to the company’s blog and security guide on the vulnerability and recommended that users patch their old operating systems.

All along the watchtower

Knowing how an exploit works can help organizations defend against it. Knowing when an exploit surfaces in the wild, and on what scale it is being used, can help researchers sound the alarm when a critical situation risks spinning out of control.

In late May, Kevin Beaumont, the researcher who gave BlueKeep its name, set up a “honeypot” of infrastructure to check for exploitation of the vulnerability in the wild.

That exploitation hasn’t happened yet, but he wants to be ready if it does.

“Eventually that will likely change. I need to know when it does [hence the alerting I’ve set up] as it will raise severity of the issue,” Beaumont told CyberScoop in an email.

He is not alone in checking the internet’s pulse for BlueKeep-related tremors.

Andrew Morris, founder of GreyNoise Intelligence, a company that maps internet traffic, said he had made unusual preparations for what he considers to be the inevitable exploitation of BlueKeep in the wild.

“We had to make some pretty serious changes to our architecture so that when BlueKeep pops off, we’ll be able to catch it,” Morris told CyberScoop. That included setting up servers susceptible to BlueKeep in order to snag malicious traffic looking for the vulnerability.
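Both Beaumont’s alerting and GreyNoise’s architecture changes come down to the same defensive question: how do you tell background scanning of a BlueKeep-susceptible listener apart from the moment mass exploitation begins? The following is an added example, not code from the article, Beaumont or GreyNoise; it buckets distinct source IPs per hour from a constructed honeypot log for TCP/3389, uses the first few hours as a baseline, and flags any later hour that exceeds that baseline by a factor.

```python
from collections import defaultdict
from datetime import datetime

# Constructed honeypot log (not real traffic): "<timestamp> <source IP> <dport> <event>".
# Hours 00-02 are background scanning; hour 03 is a burst of new sources.
SAMPLE_LOG = """\
2019-07-10T00:05:12Z 198.51.100.7 3389 CONNECT
2019-07-10T00:41:03Z 203.0.113.21 3389 CONNECT
2019-07-10T01:12:44Z 198.51.100.7 3389 CONNECT
2019-07-10T01:55:09Z 192.0.2.88 3389 CONNECT
2019-07-10T02:03:30Z 203.0.113.21 3389 CONNECT
2019-07-10T02:17:16Z 192.0.2.19 3389 CONNECT
2019-07-10T02:20:00Z 192.0.2.19 22 CONNECT
2019-07-10T03:00:01Z 192.0.2.101 3389 CONNECT
2019-07-10T03:00:02Z 192.0.2.102 3389 CONNECT
2019-07-10T03:00:02Z 192.0.2.103 3389 CONNECT
2019-07-10T03:00:03Z 192.0.2.104 3389 CONNECT
2019-07-10T03:00:03Z 192.0.2.105 3389 CONNECT
2019-07-10T03:00:04Z 192.0.2.106 3389 CONNECT
2019-07-10T03:00:05Z 192.0.2.107 3389 CONNECT
"""


def unique_sources_per_hour(log_text, port=3389):
    """Bucket distinct source IPs by hour for connections to `port`."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        ts, src, dport, event = line.split()
        if int(dport) != port or event != "CONNECT":
            continue  # ignore other listeners and non-connection events
        hour = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        buckets[hour.replace(minute=0, second=0, microsecond=0)].add(src)
    return buckets


def detect_surge(buckets, baseline_hours=3, factor=3.0):
    """Treat the first `baseline_hours` buckets as the background-scanning
    baseline (mean distinct sources per hour) and return, in order, the later
    hours whose distinct-source count exceeds baseline * factor."""
    hours = sorted(buckets)
    base = hours[:baseline_hours]
    if not base:
        return []
    mean = sum(len(buckets[h]) for h in base) / len(base)
    return [h for h in hours[baseline_hours:] if len(buckets[h]) > mean * factor]


if __name__ == "__main__":
    for hour in detect_surge(unique_sources_per_hour(SAMPLE_LOG)):
        print(f"ALERT: {hour:%Y-%m-%d %H:00} UTC: surge in distinct sources to 3389")
```

Against the constructed log, hours 00 to 02 each see two distinct sources, so the threshold is six; hour 03 with seven sources is the only alert.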

‘Ghost ships’ carrying malware

Once an exploit for a vulnerability like BlueKeep exists in the wild, the problem never really goes away.

“Think of it like ghost ships floating out there on the internet, completely abandoned by their users, that will be there forever and they will be constantly infected by one malware and then the next, and then the next,” said Williams, the Talos director of outreach.

Every day, machines infected with WannaCry make thousands of attempts to pass the malware on to Sophos customers, Brandt said. “BlueKeep is going to just be another one of those things once there’s a weaponized exploit.”

Chris Krebs, head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said the focus of the cybersecurity community on BlueKeep speaks to the severity of the issue.

“The last time I’ve seen this kind of attention on a vulnerability of this nature was 2017,” Krebs told reporters last month, referring not only to WannaCry, but also the NotPetya wiperware and the Bad Rabbit ransomware. The U.S. government blamed Russia for NotPetya and North Korea for WannaCry. Private-sector researchers also linked Bad Rabbit to Russian hackers.

“And just like WannaCry…the number of vulnerable systems that are showing up on scans – that’s just the tip of the iceberg,” added Krebs, a former Microsoft executive. “What’s behind those within the enterprise?”

“I think sending a pretty strong signal right now to Russia and North Korea would not be a bad thing, saying: ‘Don’t even think about it,’” Krebs said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.