The infamous
vulnerability has been exploited for a cryptocurrency mining campaign, but more
damaging attacks may still be in store.
Ever since it was discovered six months ago,
the BlueKeep vulnerability has had (not only) the cybersecurity community concerned about
impending WannaCryptor-style attacks. Earlier in November, Microsoft together with security researchers
Kevin Beaumont and Marcus Hutchins shed light on the first malicious
campaign that was aimed at exploiting the critical
remote code execution (RCE) flaw. The attacks targeted unpatched vulnerable
Windows systems to install cryptocurrency mining software, but were a far cry
from the damage caused by WannaCryptor aka WannaCry in May 2017.
Tracked as CVE-2019-0708, BlueKeep was found in a Windows component known as Remote Desktop
Services. It affects machines running unpatched versions of Windows XP, Windows
Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server
2008 R2. Unfortunately, there is still a great number of systems that haven’t
been patched, even though Microsoft rolled out the patch on May 14th.
The first instances of the coin mining campaign
date back to October 23rd. Upon further inspection by Microsoft
researchers, they found that an earlier campaign that occurred in September
used a main implant that contacted the same command-and-control (C&C) servers as the October attack. Machines in a number of
countries were affected, including France, Russia, Italy, Spain, Ukraine,
Germany, and the United Kingdom.
The attackers have used a BlueKeep exploit that
was released by the Metasploit team in September. They would first sweep the internet for machines
with vulnerable internet-facing RDP (Remote Desktop Protocol) services, then
deploy the exploit and install the cryptocurrency mining software.
The exploit is unstable as can be seen by the
multiple recorded RDP-related crashes that were reported by the Microsoft
security signals. The crashes were also the reason the attacks were uncovered
in October by security researcher Kevin Beaumont after he reported that his honeypots were
crashing.
While the attack may seem underwhelming considering
the media coverage the BlueKeep vulnerability has received, the worst may still
be in store. The vulnerability is ‘wormable’, which means that future
exploits might use it to spread malware within or outside of networks in similar
ways to what was seen with WannaCryptor.
The gravity of the situation should not be
underestimated, with Microsoft issuing three alerts since May and urging its
users to patch and update vulnerable machines. Earlier this year, the United States’ National Security Agency (NSA) and the
Cybersecurity and Infrastructure Security Agency (CISA) have issued rare
warnings of their own. Recently the Australian Signals Directorate’s
Australian Cyber Security Centre (ACSC) has
also echoed the warnings and urged vigilance.