First mass BlueKeep exploitation spotted in the wild

Amateurish coin-mining attack spotted six months after the critical Microsoft vulnerability was disclosed


The first instance of a cyber attack exploiting the infamous BlueKeep remote desktop protocol (RDP) vulnerability on a massive scale has been spotted in the wild.

Honeypots set up by security researchers have exposed an attempt to weaponise the Windows vulnerability to deliver cryptocurrency-mining malware, although it's far from the worst-case scenario painted when the flaw was first disclosed.

BlueKeep (CVE-2019-0708) is a 'wormable' pre-authentication remote code execution (RCE) flaw in Remote Desktop Services on Windows 7, Windows Server 2008 and 2008 R2, and older, unsupported versions such as Windows XP and Server 2003. It gives an unauthenticated attacker code execution at the highest privilege level on a vulnerable machine, and it could be used to spread from one vulnerable device to another within a network without any user interaction.

Alarm spread following its disclosure, with several national security agencies, including the UK's National Cyber Security Centre (NCSC), warning businesses that the flaw posed a serious threat.

The level of concern was such that Microsoft even released patches for systems that had long since been deemed end-of-life, such as Windows XP and Windows Server 2003.

In the six months since the disclosure, however, the predicted outbreak has not materialised.

Kevin Beaumont, the researcher who gave BlueKeep its name and who built a network of RDP honeypots in the wake of the disclosure, yesterday revealed the first exploitation attempts those honeypots had caught.

He also shared his findings with Marcus Hutchins, who was instrumental in stopping the WannaCry attack in 2017.

"It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponised," Hutchins wrote in a blog post.

"One might theorise that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved."

He added that although this activity is concerning, far worse scenarios were predicted at first, and this particular campaign does not take advantage of the wormable nature of the BlueKeep flaw. Moreover, there are no signs of the indiscriminate, self-propagating scanning of vulnerable ports that was seen when WannaCry was launched.

It's more likely than not that the campaign was put together by a low-level cyber criminal who scanned the internet and infected vulnerable hosts using off-the-shelf penetration testing tools, Hutchins continued.

Beaumont, meanwhile, described the attack as anticlimactic because it only attempted to install cryptocurrency-mining malware, but warned that it's indicative of dangers to come.

"In conclusion, so far the content being delivered with BlueKeep appears to be frankly a bit lame - coin miners aren't exactly a big threat," he said. "However it is clear people now understand how to execute attacks on random targets, and they are starting to do it.

"This activity doesn't cause me to worry, but it does cause my spider sense to say 'this will get worse, later'."

He suggested that organisations take any unpatched endpoints that expose RDP directly to the internet offline until they are patched. He added that services like shodan.io can find exposed RDP systems within an organisation's own IP ranges.
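Finding exposed RDP on your own ranges is the first step; the check a defender wants next is whether each listener can be reached before authentication, since Microsoft's advisory for CVE-2019-0708 lists enforcing Network Level Authentication (NLA) as a workaround: with NLA an attacker must authenticate via CredSSP before reaching the vulnerable code path. The script below is an added example, not code from the article or from Beaumont's honeypots. It sends a single X.224 Connection Request (MS-RDPBCGR 2.2.1.1) that offers the server only legacy Standard RDP Security and interprets the Connection Confirm: a server that enforces NLA refuses with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER, while a server that answers with RDP_NEG_RSP (or with a bare Connection Confirm, on very old stacks that predate negotiation) will continue unauthenticated. The sample replies at the bottom are constructed for illustration, not captured from real hosts.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # legacy Standard RDP Security, no NLA
PROTOCOL_SSL = 0x00000001        # TLS, still no NLA
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA

# negotiation structure types and failure codes (MS-RDPBCGR 2.2.1.2.1 / 2.2.1.2.2)
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
SSL_REQUIRED_BY_SERVER = 0x00000001
HYBRID_REQUIRED_BY_SERVER = 0x00000005


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: length indicator, TPDU code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Parse a TPKT-framed X.224 Connection Confirm, with or without a negotiation structure."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data length")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm TPDU")
    # LI counts every byte after itself: 6 fixed header bytes plus the variable part
    body = data[11:5 + li]
    if len(body) < 8:
        # Server predates protocol negotiation: Standard RDP Security is all it speaks
        return {"negotiated": False, "selected_protocol": PROTOCOL_RDP, "failure_code": None}
    ntype, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"negotiated": True, "selected_protocol": value, "failure_code": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"negotiated": True, "selected_protocol": None, "failure_code": value}
    raise ValueError(f"unexpected negotiation structure type {ntype:#x}")


def classify(confirm: dict) -> str:
    """Interpret the server's answer to an offer of Standard RDP Security only."""
    code = confirm["failure_code"]
    if code == HYBRID_REQUIRED_BY_SERVER:
        return "nla-required"            # attacker must authenticate via CredSSP first
    if code == SSL_REQUIRED_BY_SERVER:
        return "pre-auth-reachable-tls"  # reconnect offering PROTOCOL_SSL and carry on unauthenticated
    if code is not None:
        return "refused"                 # some other failure: missing cert, inconsistent flags, ...
    return "pre-auth-reachable"          # server continues without any authentication at all


def _recv_tpkt(sock: socket.socket) -> bytes:
    """Read exactly one TPKT-framed message."""
    data = b""
    while len(data) < 4:
        chunk = sock.recv(4 - len(data))
        if not chunk:
            raise ConnectionError("connection closed before TPKT header")
        data += chunk
    total = struct.unpack(">H", data[2:4])[0]
    while len(data) < total:
        chunk = sock.recv(total - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-TPKT")
        data += chunk
    return data


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """One connection, one request, one reply. Only point this at hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return classify(parse_connection_confirm(_recv_tpkt(sock)))


# Constructed sample replies (not real captures), one per outcome.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_STANDARD_RDP = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_NO_NEGOTIATION = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for name, reply in [("nla-enforced host", SAMPLE_NLA_REQUIRED),
                        ("standard-rdp host", SAMPLE_STANDARD_RDP),
                        ("pre-negotiation host", SAMPLE_NO_NEGOTIATION)]:
        print(f"{name}: {classify(parse_connection_confirm(reply))}")
```

Run `probe("rdp.example.internal")` (an assumed host name) against each address Shodan or your own scan reports on TCP/3389; anything that comes back as `pre-auth-reachable` or `pre-auth-reachable-tls` is reachable before authentication and should be patched or taken off the internet first. Treat NLA as a stop-gap rather than a fix: it only raises the bar to "has valid credentials", and the patch is still required.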

More than 724,000 systems across the internet are still exposed to the BlueKeep vulnerability despite Microsoft's patches, he continued, down from a few million before it was first disclosed. This suggests a substantial number of systems are simply never security patched.

"If somebody makes a reliable worm for this vulnerability - which to be clear has not happened here - expect global consequences as it will then spread inside internal networks," he added.

Meanwhile, cyber security researcher Graham Cluley told IT Pro that while the attacks don't appear to be working quite as well as the attackers might hope, it's clear that activity has accelerated in recent months.

"Future attacks may be more successful," he added. "Businesses and home users alike need to ensure that they have defences in place and that their PCs are properly patched."
