WatchBog Scans Systems for BlueKeep Vulnerability

A new version of the WatchBog malware, which previously targeted and exploited only Linux systems, can now scan for and identify Windows systems vulnerable to BlueKeep. Once launched on an infected machine, WatchBog's BlueKeep RDP (Remote Desktop Protocol) vulnerability scanner attempts to locate vulnerable RDP servers among a list of IP addresses supplied by the malware's command-and-control (C2) server. Researchers believe the threat actors behind WatchBog are compiling a list of vulnerable devices, either to target with a BlueKeep exploit in the future or to sell to a third party. At the time of this writing, WatchBog is not detected by security software. BlueKeep is wormable: an exploit could self-propagate between vulnerable hosts, much as EternalBlue enabled the WannaCry attack in 2017.

The NJCCIC advises users and administrators to update vulnerable systems immediately. Users operating in-support systems, including Windows 7, Windows Server 2008 R2, and Windows Server 2008, can download updates via the Microsoft Advisory. Users operating End-of-Life systems, including Windows 2003 and Windows XP, can download updates via the Windows Security Support page, or consider upgrading to a supported version of Windows. Users are also encouraged to review the alert published by the Cybersecurity and Infrastructure Security Agency (CISA). For technical analysis, please review Intezer's blog post and use the YARA rule provided to determine whether WatchBog is present in your environment.
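The scanning behaviour described above leaves a recognizable footprint: one source host reaching out to many distinct internal addresses on TCP/3389 in a short time. The following script is an added example, not code from the NJCCIC alert or from Intezer's analysis, showing how a defender could flag that pattern in firewall or NetFlow-style connection logs. The log format, the sample lines (RFC 5737 documentation addresses) and the thresholds are all constructed for illustration; real logs will need a different parser.

```python
"""Flag hosts that contact many distinct RDP (TCP/3389) targets within a
short window, the footprint a WatchBog-style BlueKeep scanner would leave.

Added example for this advisory; the log format below is an assumption:
    <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation addresses, not real hosts):
#  - 192.0.2.10 sweeps six hosts on 3389 within seconds (scanner-like)
#  - 192.0.2.20 reconnects to a single RDP server (normal admin use)
#  - 192.0.2.30 touches five hosts on 443 (not RDP, ignored)
#  - 192.0.2.40 hits five RDP hosts spread over two hours (below window)
SAMPLE_LOG = """\
2019-07-25T10:00:01 192.0.2.10 -> 198.51.100.5:3389 SYN
2019-07-25T10:00:01 192.0.2.10 -> 198.51.100.6:3389 SYN
2019-07-25T10:00:02 192.0.2.10 -> 198.51.100.7:3389 SYN
2019-07-25T10:00:02 192.0.2.10 -> 198.51.100.8:3389 SYN
2019-07-25T10:00:03 192.0.2.10 -> 198.51.100.9:3389 SYN
2019-07-25T10:00:03 192.0.2.10 -> 198.51.100.10:3389 SYN
2019-07-25T10:00:05 192.0.2.20 -> 198.51.100.5:3389 SYN
2019-07-25T10:01:05 192.0.2.20 -> 198.51.100.5:3389 SYN
2019-07-25T10:02:05 192.0.2.20 -> 198.51.100.5:3389 SYN
2019-07-25T10:00:10 192.0.2.30 -> 198.51.100.20:443 SYN
2019-07-25T10:00:10 192.0.2.30 -> 198.51.100.21:443 SYN
2019-07-25T10:00:10 192.0.2.30 -> 198.51.100.22:443 SYN
2019-07-25T10:00:10 192.0.2.30 -> 198.51.100.23:443 SYN
2019-07-25T10:00:10 192.0.2.30 -> 198.51.100.24:443 SYN
2019-07-25T10:00:00 192.0.2.40 -> 198.51.100.30:3389 SYN
2019-07-25T10:30:00 192.0.2.40 -> 198.51.100.31:3389 SYN
2019-07-25T11:00:00 192.0.2.40 -> 198.51.100.32:3389 SYN
2019-07-25T11:30:00 192.0.2.40 -> 198.51.100.33:3389 SYN
2019-07-25T12:00:00 192.0.2.40 -> 198.51.100.34:3389 SYN
this is not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def find_rdp_scanners(lines, min_targets=5, window=timedelta(minutes=5),
                      rdp_port=3389):
    """Return {src_ip: [all distinct RDP targets]} for every source that
    contacted at least `min_targets` distinct hosts on `rdp_port` inside any
    sliding window of length `window`. Lines that fail to parse are skipped."""
    attempts = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["port"] == rdp_port:
            attempts[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, events in attempts.items():
        events.sort()  # chronological order is required for the sliding window
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                all_targets = {dst for _, dst in events}
                scanners[src] = sorted(all_targets, key=ipaddress.ip_address)
                break
    return scanners


if __name__ == "__main__":
    for src, targets in find_rdp_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} swept {len(targets)} RDP hosts: {', '.join(targets)}")
```

The window and target thresholds are tuning knobs: a jump host that legitimately manages many servers over RDP will trip a low threshold, so pair this with an allow-list of known administrative sources, and treat a hit from a Linux host (WatchBog's original foothold) as a stronger signal than one from a Windows workstation.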
