First mass BlueKeep exploitation spotted in the wild

Amateurish coin mining attack discovered six months after the critical Microsoft vulnerability was discovered

Networks connected with each other across the world

The first instance of a cyber attack exploiting the infamous BlueKeep remote desktop protocol (RDP) vulnerability on a massive scale has been spotted in the wild.

Traps set by security researchers have exposed an attempt to weaponise the Windows vulnerability to launch cryptocurrency mining attacks, although it's far from the worst-case scenarios painted when the flaw was first disclosed.

BlueKeep was a 'wormable' remote code execution (RCE) flaw that could give attackers the highest possible privileges on a Windows machine and spread from one vulnerable device to another within a network without any user intervention.

Panic spread following its discovery, with several national security agencies including the National Cyber Security Centre (NCSC) warning businesses the flaw posed a serious security threat

The strength of concern was such that Microsoft even released patches for users still using systems that had long-since been deemed end-of-life, such as Windows XP.

In the six months between its discovery and now, however, these warnings haven't come to fruition.

Kevin Beaumont, the researcher who first discovered BlueKeep, yesterday revealed the first exploitation attempt discovered using his honeypot network built in the wake of the disclosure.

He also shared his findings with Marcus Hutchins, who was instrumental in stopping the WannaCry attack in 2017.

"It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponised," Hutchins wrote in a blog post.

"One might theorise that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved."

He added that although this activity is concerning, much worse scenarios were predicted at first, and this particular exploit has failed to take advantage of the wormable nature of the BlueKeep flaw. Moreover, there are no signs that indiscriminate scanning on vulnerable ports is occurring, as when attackers launched WannaCry.

It's likely more than not that the exploit was devised by a low-level cyber criminal who scanned the internet and infected vulnerable hosts using out-of-the-box penetration testing tools, Hutchins continued.

Beaumont, meanwhile, branded the attack as being anticlimactic due to the fact it involved attempts to spread cryptocurrency mining malware, but warned that it's indicative of dangers to come.

"In conclusion, so far the content being delivered with BlueKeep appears to be frankly a bit lame - coin miners aren't exactly a big threat," he said. "However it is clear people now understand how to execute attacks on random targets, and they are starting to do it.

"This activity doesn't cause me to worry, but it does cause my spider sense to say 'this will get worse, later'."

He suggested that organisations remove any unpatched endpoints that are directly available on the internet for RDP, until they're patched. He continued that services like shodan.io would be able to find exploitable systems within organisations' IP ranges.

More than 724,000 systems across the web are still exposed to the BlueKeep vulnerability, despite efforts to patch the flaw from Microsoft, he continued, compared to a few million before it was first disclosed. This suggests a handful of systems are simply never security patched.

"If somebody makes a reliable worm for this vulnerability - which to be clear has not happened here - expect global consequences as it will then spread inside internal networks," he added.

Meanwhile, cyber security researcher Graham Cluley told IT Pro that while the attacks don't appear to be working quite as well as the hackers might hope, it's clear things have accelerated in recent months.

"Future attacks may be more successful," he added. "Businesses and home users alike need to ensure that they have defences in place and that their PCs are properly patched."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021