A working exploit for the BlueKeep flaw in Microsoft's Remote Desktop Services (CVE-2019-0708) has been developed that allows a full remote takeover of a vulnerable system in 22 seconds, with no authentication or user interaction required.
The reverse engineer Zǝɹosum0x0 developed a Metasploit module that exploits the flaw. Chained with the Mimikatz tool to dump login credentials from the compromised host, it gave full control of a vulnerable Windows Server 2008 machine within 22 seconds. The same exploit can be used against Windows 7, although it did not work on Windows Server 2003.
Zǝɹosum0x0 does not plan to release details of the exploit, at least not yet, as doing so would be too dangerous given the number of devices that remain unpatched. Zǝɹosum0x0 said the exploit may be released once the first mega-worm has struck.
This is not the first exploit developed for the flaw: several security researchers have produced exploits that work to some degree, although gaining reliable, full control of a vulnerable device is difficult. An attack requires multiple stages before device takeover is possible; several researchers are close, and many threat actors have likely made similar progress. To date, no attacks are believed to have occurred in the wild, but it is likely only a matter of time before they begin.
Microsoft has already issued two warnings about the flaw and the NSA has also expressed concern and has issued a warning to patch promptly.
Patching prevents exploitation of the flaw, but the patch requires a reboot, so applying it may not be possible on systems that cannot tolerate any downtime.
0patch has developed a micropatch that can protect systems that cannot be rebooted, and Microsoft has suggested several mitigations that block exploitation if the patch cannot be applied: enable Network Level Authentication (NLA), so that an attacker must authenticate before the vulnerable code path is reachable; block TCP port 3389 at the perimeter firewall; and disable Remote Desktop Services on hosts that do not need them. Note that NLA only stops unauthenticated attackers, as an attacker with valid credentials can still trigger the flaw. Those mitigations should be applied if neither the patch nor the micropatch can be implemented. Failure to take any action is likely to result in systems being attacked sooner or later; given the progress being made, sooner is more likely.
Since any missed machine could be attacked and then used as a foothold to reach other networked devices, a scan should be performed to identify hosts that were missed and may still be vulnerable. A scanner has been developed and is available on this link.
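The NLA mitigation and the "find what you missed" scan above can be checked from the network with a single RDP handshake step. The following is an added example written for this article; it is not Zǝɹosum0x0's module, 0patch's code, Microsoft's guidance, or the scanner the article links to. It sends the X.224 Connection Request with an RDP_NEG_REQ offering only standard RDP security and decodes the server's Connection Confirm: a server that answers with RDP_NEG_RSP selecting PROTOCOL_RDP (or that sends no negotiation data at all) has NLA off, so the pre-authentication code path BlueKeep abuses is reachable; a server that answers RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER is enforcing NLA. The default port, timeout, cookie string and the host list taken from the command line are assumptions of this example. This is a mitigation check only: it does not tell you whether the host is patched, which requires going further into the handshake than this script does.

```python
# Added example: probe RDP hosts for whether they still accept legacy
# (non-NLA) connections. Implements only the X.224 Connection Request /
# Confirm exchange with RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE.
import socket
import struct
import sys

PROTOCOL_RDP = 0x00000000      # standard RDP security, no NLA
PROTOCOL_SSL = 0x00000001      # TLS without NLA
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_RDP, cookie=b"mstshash=scan"):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ.

    Offering only PROTOCOL_RDP forces the server to say whether it will
    fall back to legacy RDP security or insist on TLS/NLA. The cookie
    value is an arbitrary assumption of this example.
    """
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested)
    payload = b"Cookie: " + cookie + b"\r\n" + neg_req
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class option, payload.
    tpdu = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + payload
    tpdu = bytes([len(tpdu)]) + tpdu          # LI = length excluding LI byte
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into a dict with keys
    neg_present, selected_protocol, failure, accepts_legacy_rdp.
    Raises ValueError for anything that is not a well-formed Confirm."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data) or data[4] != len(data) - 5:
        raise ValueError("TPKT/X.224 length mismatch")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % data[5])
    neg = data[11:]  # after LI, code, DST-REF, SRC-REF, class option
    result = {"neg_present": False, "selected_protocol": None,
              "failure": None, "accepts_legacy_rdp": False}
    if not neg:
        # No negotiation structure at all (older servers): standard RDP
        # security is the only option, so the unauthenticated path is open.
        result["accepts_legacy_rdp"] = True
        return result
    if len(neg) < 8:
        raise ValueError("truncated RDP negotiation structure")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", neg[:8])
    if nlen != 8:
        raise ValueError("bad RDP_NEG length %d" % nlen)
    result["neg_present"] = True
    if ntype == TYPE_RDP_NEG_RSP:
        result["selected_protocol"] = value
        result["accepts_legacy_rdp"] = (value == PROTOCOL_RDP)
    elif ntype == TYPE_RDP_NEG_FAILURE:
        result["failure"] = FAILURE_CODES.get(value, "UNKNOWN_%d" % value)
    else:
        raise ValueError("unexpected RDP_NEG type 0x%02x" % ntype)
    return result


def _recv_tpkt(sock):
    """Read exactly one TPKT PDU using the length in its header."""
    buf = b""
    while len(buf) < 4:
        chunk = sock.recv(4 - len(buf))
        if not chunk:
            raise ValueError("connection closed before TPKT header")
        buf += chunk
    (total,) = struct.unpack(">H", buf[2:4])
    while len(buf) < total:
        chunk = sock.recv(total - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-PDU")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Connect to host:port, send the request, return the decoded answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        return parse_connection_confirm(_recv_tpkt(sock))


if __name__ == "__main__":
    for host in sys.argv[1:]:          # hosts given on the command line
        try:
            r = probe(host)
        except (OSError, ValueError) as exc:
            print("%s: error: %s" % (host, exc))
            continue
        if r["accepts_legacy_rdp"]:
            verdict = "NLA OFF, legacy RDP accepted"
        elif r["failure"]:
            verdict = "legacy RDP refused (%s)" % r["failure"]
        else:
            verdict = "legacy RDP refused (server selected 0x%x)" % r["selected_protocol"]
        print("%s: %s" % (host, verdict))
```

Run it against the hosts your inventory says were patched; anything reported as "NLA OFF" that also lacks the patch is exactly the kind of missed machine the article warns about. Because this only exercises the negotiation step, a host enforcing NLA will show as refusing legacy RDP even if it is unpatched, so treat the result as "is the mitigation in place", not "is the host safe".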