First mass BlueKeep exploitation spotted in the wild

Amateurish coin-mining attack discovered six months after the critical Microsoft vulnerability was disclosed


The first instance of a cyber attack exploiting the infamous BlueKeep remote desktop protocol (RDP) vulnerability on a massive scale has been spotted in the wild.

Traps set by security researchers have exposed an attempt to weaponise the Windows vulnerability to launch cryptocurrency mining attacks, although it's far from the worst-case scenarios painted when the flaw was first disclosed.


BlueKeep (CVE-2019-0708) is a 'wormable' pre-authentication remote code execution (RCE) flaw in Windows Remote Desktop Services. Because the bug sits in the kernel-mode RDP driver, a successful exploit gives an attacker kernel-level control of the machine, and because no credentials are needed, a self-propagating exploit could in principle jump from one vulnerable host with RDP exposed to the next without any user interaction.

Panic spread following its disclosure, with several national security agencies, including the National Cyber Security Centre (NCSC), warning businesses that the flaw posed a serious threat.

The level of concern was such that Microsoft even released patches for systems that had long since reached end of life, such as Windows XP.

In the six months since its disclosure, however, those warnings have not been borne out.

Kevin Beaumont, the researcher who gave the flaw its BlueKeep name, yesterday revealed the first exploitation attempt, picked up by the honeypot network he built in the wake of the disclosure.

He also shared his findings with Marcus Hutchins, who was instrumental in stopping the WannaCry attack in 2017.


"It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponised," Hutchins wrote in a blog post.


"One might theorise that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved."

He added that although the activity is concerning, far worse scenarios were predicted at the outset, and this particular exploit does not take advantage of the wormable nature of the flaw: the attacker is scanning for targets from their own infrastructure rather than having infected hosts scan for new victims themselves, as WannaCry did.

It is more likely than not that the campaign was run by a low-level cyber criminal who scanned the internet for exposed RDP and attacked vulnerable hosts using off-the-shelf penetration testing tools, such as the public Metasploit module for the flaw, Hutchins continued.

Beaumont, meanwhile, called the attack anticlimactic because it only delivered cryptocurrency-mining malware, but warned that it is a sign of things to come.


"In conclusion, so far the content being delivered with BlueKeep appears to be frankly a bit lame - coin miners aren't exactly a big threat," he said. "However it is clear people now understand how to execute attacks on random targets, and they are starting to do it.

"This activity doesn't cause me to worry, but it does cause my spider sense to say 'this will get worse, later'."

He suggested that organisations take any unpatched RDP endpoints that are directly reachable from the internet offline until they are patched, and noted that search services such as shodan.io can be used to find exposed systems within an organisation's own IP ranges, which is the same way attackers find them.

More than 724,000 systems across the web are still exposed to the BlueKeep vulnerability despite Microsoft's patching efforts, he continued, down from a few million when the flaw was first disclosed. This suggests a long tail of systems that are simply never patched.


"If somebody makes a reliable worm for this vulnerability - which to be clear has not happened here - expect global consequences as it will then spread inside internal networks," he added.

Meanwhile, cyber security researcher Graham Cluley told IT Pro that while the attacks don't appear to be working quite as well as the hackers might hope, it's clear things have accelerated in recent months.

"Future attacks may be more successful," he added. "Businesses and home users alike need to ensure that they have defences in place and that their PCs are properly patched."
