12.11.19

First BlueKeep attacks prompt fresh warnings

The infamous vulnerability has been exploited for a cryptocurrency mining campaign, but more damaging attacks may still be in store.

Ever since it was discovered six months ago, the BlueKeep vulnerability has had the cybersecurity community, and not only the cybersecurity community, concerned about impending WannaCryptor-style attacks. Earlier in November, Microsoft, together with security researchers Kevin Beaumont and Marcus Hutchins, shed light on the first malicious campaign aimed at exploiting the critical remote code execution (RCE) flaw. The attacks targeted unpatched, vulnerable Windows systems to install cryptocurrency mining software, but were a far cry from the damage caused by WannaCryptor, aka WannaCry, in May 2017.

Tracked as CVE-2019-0708, BlueKeep was found in a Windows component known as Remote Desktop Services. It affects machines running unpatched versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Unfortunately, a great many systems still haven’t been patched, even though Microsoft rolled out the patch on May 14th.

The first instances of the coin mining campaign date back to October 23rd. On closer inspection, Microsoft researchers found that an earlier campaign in September used a main implant that contacted the same command-and-control (C&C) servers as the October attack. Machines in a number of countries were affected, including France, Russia, Italy, Spain, Ukraine, Germany, and the United Kingdom.

The attackers used a BlueKeep exploit that was released by the Metasploit team in September. They would first sweep the internet for machines with vulnerable, internet-facing RDP (Remote Desktop Protocol) services, then deploy the exploit and install the cryptocurrency mining software.

The exploit is unstable, as can be seen from the multiple RDP-related crashes recorded by Microsoft’s security signals. The crashes are also how the attacks came to light in October, when security researcher Kevin Beaumont reported that his honeypots were crashing.

While the attack may seem underwhelming considering the media coverage the BlueKeep vulnerability has received, the worst may still be in store. The vulnerability is ‘wormable’, which means that future exploits might use it to spread malware within or across networks, in much the same way as was seen with WannaCryptor.

The gravity of the situation should not be underestimated: Microsoft has issued three alerts since May, urging its users to patch and update vulnerable machines. Earlier this year, the United States’ National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued rare warnings of their own. Recently, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has also echoed the warnings and urged vigilance.