
BlueKeep attacks are happening, but it's not a worm



After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability has arrived—but isn't nearly as bad as it could have been.



Microsoft first announced the BlueKeep vulnerability in May; now, hackers have finally caught up with it.


When Microsoft revealed last May that millions of Windows devices had a serious hackable flaw known as BlueKeep—one that could enable an automated worm to spread malware from computer to computer—it seemed only a matter of time before someone unleashed a global attack. As predicted, a BlueKeep campaign has finally struck. But so far it's fallen short of the worst case scenario.


Security researchers have spotted evidence that their so-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse using the BlueKeep vulnerability. The bug in Microsoft's Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; while it had previously only been exploited in proofs of concept, it has potentially devastating consequences. Another worm that targeted Windows machines in 2017, the NotPetya ransomware attack, caused more than 10 billion dollars in damage worldwide.


But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim's processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic.


"BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who was one of the first to build a working proof-of-concept for the BlueKeep vulnerability. "They’re not seeking targets. They’re scanning the internet and spraying exploits."


Hutchins says that he first learned of the BlueKeep hacking outbreak from fellow security researcher Kevin Beaumont, who observed his honeypot machines crashing over the last few days.


Since those devices exposed only port 3389 to the internet—the port used by RDP—he quickly suspected BlueKeep. Beaumont then shared a "crashdump," forensic data from those crashed machines, with Hutchins, who confirmed that BlueKeep was the cause, and that the hackers had intended to install a cryptocurrency miner on the victim machines. Hutchins says he hasn’t yet determined which coin they’re trying to mine, and notes that the fact the target machines crash indicates that the exploit may be unreliable. The malware's authors appear to be using a version of the BlueKeep hacking technique included in the open-source hacking and penetration testing framework Metasploit, Hutchins says, which was made public in September.


It's unclear also how many devices have been impacted, although the current BlueKeep outbreak appears to be far from the RDP pandemic that many feared. "I've seen a spike, but not the level I'd expect from a worm," says Jake Williams, a founder of the security firm Rendition Infosec, who has been monitoring his clients' networks for signs of exploitation. "It hasn’t hit critical mass yet."


In fact, Williams argues, the absence of a more severe wave of BlueKeep hacking so far may actually indicate a success story for Microsoft's response to its BlueKeep bug—an unexpected happy ending. "Every month that passes by without a worm happening, more people patch and the vulnerable population goes down," Williams says. "Since the Metasploit module has been out for a couple of months now, the fact that no one has wormed this yet seems to indicate there’s been a cost-benefit analysis and there’s not a huge benefit to weaponizing it."


But the threat BlueKeep poses to hundreds of thousands of Windows machines hasn't passed just yet. About 735,000 Windows computers remained vulnerable to BlueKeep according to one internet-wide scan by Rob Graham, a security researcher and founder of Errata Security, who shared those numbers with WIRED in August. And those machines could still be hit with a more serious—and more virulent—specimen of malware that exploits Microsoft's lingering RDP vulnerability. That could take the form of a ransomware worm in the model of NotPetya or also WannaCry, which infected almost a quarter million computers when it spread in May of 2017, causing somewhere between $4 and $8 billion in damage.


In the meantime, the current spate of BlueKeep cryptocurrency mining will represent an annoyance for those unlucky enough to have their computers crashed or hijacked by its cryptocurrency mining—and at most a vague harbinger of a more severe attack on the horizon. "A BlueKeep exploit is perfect for getting more systems to mine from," says Hutchins. "It’s not necessarily going to affect whether someone still makes a ransomware worm at some point." If helping hackers mine a few cryptocoins is the worst that BlueKeep ultimately inflicts, in other words, the internet will have dodged a bullet.




Hackers are using BlueKeep to break into Windows systems and install a cryptocurrency miner.





Security researchers have spotted the first mass-hacking campaign using the BlueKeep exploit; however, the exploit is not being used as a self-spreading worm, as Microsoft was afraid would happen last May when it issued a dire warning and urged users to patch.


Instead, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team back in September to hack into unpatched Windows systems and install a cryptocurrency miner.


This BlueKeep campaign has been happening at scale for almost two weeks, but it was only spotted today by cybersecurity expert Kevin Beaumont.


The British security expert said he found the exploits in logs recorded by honeypots he set up months before and forgot about. The first attacks date back to October 23, Beaumont told ZDNet.


Beaumont's discovery was confirmed by Marcus "MalwareTech" Hutchins, the security researcher who stopped the WannaCry ransomware outbreak, and who's a recognized expert in the BlueKeep exploit.


The attacks discovered by Beaumont are nowhere near the scale of the attacks Microsoft was afraid of back in May, when it likened BlueKeep to EternalBlue, the exploit at the heart of the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks of 2017.


Microsoft engineers were terrified that BlueKeep would trigger another world-spanning malware outbreak that spread on its own, from unpatched system to unpatched system.


However, the first mass-hacking operation didn't turn out to include self-spreading, worm-like capabilities. Instead, the hackers appear to search for Windows systems with RDP ports left exposed on the internet, deploy the BlueKeep Metasploit exploit, and later a cryptocurrency miner.


But these particular BlueKeep attacks don't seem to work. Beaumont told ZDNet that the attacks crashed 10 of the 11 honeypots he was running.


This shows the attacker's exploit code doesn't work as they intend.


This fits right in with what most experts have said about BlueKeep for the past few months. The BlueKeep exploit can have devastating consequences, but it's hard to get an exploit working without crashing the OS with a Blue Screen of Death (BSOD) error.


The person/group behind the recent attacks doesn't appear to have the know-how needed to modify the BlueKeep demo exploit released by the Metasploit team back in September, which is a good thing. However, some of their attacks have succeeded.


What we are seeing today from this threat actor is the first hacking group that is trying to weaponize this dangerous exploit in an operation at scale, rather than against a specific target.


But ZDNet is also aware that other hackers have used BlueKeep in more targeted attacks, and have used it successfully.

At some point in the future, some low-skilled threat actor will figure out how to run BlueKeep properly, and that's when we'll see it used more broadly. Chances are that it's still going to be used to mine cryptocurrency -- the same thing for which EternalBlue is also mostly used nowadays.



BlueKeep is a nickname given to CVE-2019-0708, a vulnerability in the Microsoft RDP (Remote Desktop Protocol) service. It impacts only:

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008


Patches have been available since mid-May 2019. See the official Microsoft advisory.


A first public demo BlueKeep exploit was released for the Metasploit penetration testing framework back in September. It was released to help system administrators test vulnerable systems, but it can also be re-purposed by malicious actors. Tens of other private exploits have existed since June, developed by cyber-security firms, but kept private in order to avoid helping attackers.


Despite having months to patch systems, the latest headcount of publicly accessible Windows systems that expose an RDP endpoint online and are vulnerable to BlueKeep is at around 750,000. These scans don't include systems inside private networks, behind firewalls.
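As an added example (not from the article, ZDNet, or the researchers it quotes), the read-only PowerShell check below assesses one host against the facts above: whether it is one of the listed OS versions, whether a BlueKeep patch is present, and whether RDP is actually reachable. The patch fixes the RDP code path but does not close the port, so reachability and NLA are reported separately; the KB id list is a placeholder to be filled from the Microsoft advisory, and the registry value names and netstat parsing are assumptions about the affected Windows versions.

```powershell
# Added example: per-host BlueKeep (CVE-2019-0708) exposure check. Run in an elevated
# PowerShell prompt on the host being assessed. It changes nothing on the system.

# PLACEHOLDER: take the KB ids for this OS from the Microsoft advisory linked in the post.
# A later cumulative rollup supersedes them, so "not found" means "verify", not "vulnerable".
$PatchKbs = @('KB0000000')

$ver = [Environment]::OSVersion.Version
# ASSUMPTION: NT 6.0 = Windows Server 2008, NT 6.1 = Windows 7 / Server 2008 R2 (the
# versions the post lists as affected).
$inScope = ($ver.Major -eq 6 -and $ver.Minor -le 1)

# ASSUMPTION: standard Terminal Server registry locations on these versions.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
$rdpTcp = Get-ItemProperty "$ts\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
$nla = $rdpTcp.UserAuthentication -eq 1          # NLA: a valid logon is required before the RDP session code runs
$port = if ($rdpTcp.PortNumber) { $rdpTcp.PortNumber } else { 3389 }

$patched = $false
foreach ($kb in $PatchKbs) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $patched = $true }
}

# netstat is used because Get-NetTCPConnection does not exist on Windows 7 / Server 2008.
$listening = [bool](netstat -ano | Select-String "TCP\s+\S+:$port\s+\S+\s+LISTENING")

$risk = 'UNPATCHED AND LISTENING: patch now, or block the port until you can'
if (-not $inScope)                         { $risk = 'OS not in the affected list' }
elseif ($patched)                          { $risk = 'patched' }
elseif (-not $rdpEnabled -or -not $listening) { $risk = 'unpatched, but RDP is not reachable on this host' }
elseif ($nla)                              { $risk = 'unpatched; NLA limits exposure to authenticated users only' }

[pscustomobject]@{
    OSVersion   = $ver.ToString()
    InScope     = $inScope
    PatchFound  = $patched
    RdpEnabled  = $rdpEnabled
    NlaRequired = $nla
    Port        = $port
    Listening   = $listening
    Assessment  = $risk
}
```

A host that reports "listening" on a public interface is exactly what the internet-wide scans above count, whether or not the patch is installed.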


Source: BlueKeep attacks are happening, but it's not a worm (via ZDNet)


Marcus Thunder

I got that every 30 min yesterday on my patched Windows 7. I assume Microsoft patches do not close RDP or SMB ports in the firewall, they just prevent the execution of the vulnerabilities... am I right?

