First mass BlueKeep exploitation spotted in the wild

Amateurish coin mining attack discovered six months after the critical Microsoft vulnerability was discovered


The first instance of a cyber attack exploiting the infamous BlueKeep remote desktop protocol (RDP) vulnerability on a massive scale has been spotted in the wild.

Traps set by security researchers have exposed an attempt to weaponise the Windows vulnerability to launch cryptocurrency mining attacks, although it's far from the worst-case scenarios painted when the flaw was first disclosed.


BlueKeep was a 'wormable' remote code execution (RCE) flaw that could give attackers the highest possible privileges on a Windows machine and spread from one vulnerable device to another within a network without any user intervention.

Panic spread following its discovery, with several national security agencies, including the National Cyber Security Centre (NCSC), warning businesses that the flaw posed a serious security threat.

The level of concern was such that Microsoft even released patches for systems that had long since reached end-of-life, such as Windows XP.

In the six months between its discovery and now, however, these warnings haven't come to fruition.

Kevin Beaumont, the researcher who first discovered BlueKeep, yesterday revealed the first exploitation attempt discovered using his honeypot network built in the wake of the disclosure.

He also shared his findings with Marcus Hutchins, who was instrumental in stopping the WannaCry attack in 2017.


"It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponised," Hutchins wrote in a blog post.


"One might theorise that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved."

He added that although this activity is concerning, much worse scenarios were predicted at first, and this particular exploit has failed to take advantage of the wormable nature of the BlueKeep flaw. Moreover, there are no signs that indiscriminate scanning on vulnerable ports is occurring, as when attackers launched WannaCry.

It is more likely than not that the exploit was devised by a low-level cyber criminal who scanned the internet and infected vulnerable hosts using out-of-the-box penetration testing tools, Hutchins continued.

Beaumont, meanwhile, branded the attack anticlimactic because it involved attempts to spread cryptocurrency mining malware, but warned that it is indicative of dangers to come.


"In conclusion, so far the content being delivered with BlueKeep appears to be frankly a bit lame - coin miners aren't exactly a big threat," he said. "However it is clear people now understand how to execute attacks on random targets, and they are starting to do it.

"This activity doesn't cause me to worry, but it does cause my spider sense to say 'this will get worse, later'."

He suggested that organisations remove any unpatched endpoints that are directly available on the internet for RDP, until they're patched. He continued that services like would be able to find exploitable systems within organisations' IP ranges.

More than 724,000 systems across the web are still exposed to the BlueKeep vulnerability despite Microsoft's patching efforts, he continued, compared to a few million before it was first disclosed. This suggests a handful of systems simply never receive security patches.


"If somebody makes a reliable worm for this vulnerability - which to be clear has not happened here - expect global consequences as it will then spread inside internal networks," he added.
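Hutchins's point that no indiscriminate scanning of port 3389 was observed, and Beaumont's warning that a real worm would spread inside internal networks, both come down to the same defensive check: which sources are touching many hosts on RDP, and whether any of them are internal. The following script is an added example, not code from the article or from either researcher; the log format, the addresses (documentation ranges) and the internal network are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed firewall log lines (documentation address ranges, not real indicators).
SAMPLE_LOGS = """\
2019-11-02T10:00:01Z DENY src=198.51.100.7 dst=192.0.2.10 dport=3389
2019-11-02T10:00:02Z DENY src=198.51.100.7 dst=192.0.2.11 dport=3389
2019-11-02T10:00:03Z ALLOW src=198.51.100.7 dst=192.0.2.12 dport=3389
2019-11-02T10:00:05Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=3389
2019-11-02T10:00:06Z DENY src=203.0.113.9 dst=192.0.2.10 dport=443
2019-11-02T10:00:07Z DENY src=203.0.113.9 dst=192.0.2.11 dport=443
2019-11-02T10:00:09Z DENY src=192.0.2.20 dst=192.0.2.21 dport=3389
2019-11-02T10:00:10Z DENY src=192.0.2.20 dst=192.0.2.22 dport=3389
2019-11-02T10:00:11Z DENY src=192.0.2.20 dst=192.0.2.23 dport=3389
"""

# Constructed internal range: separates internet-facing scans from hosts probing neighbours.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def rdp_scanners(text, min_targets=3):
    """Sources that contacted at least min_targets distinct hosts on TCP 3389."""
    seen = defaultdict(set)
    for rec in parse(text):
        if rec["dport"] == 3389:
            seen[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= min_targets}

def classify(text, min_targets=3):
    """Split RDP scanners into internet-facing sources and internal (lateral) sources."""
    external, internal = {}, {}
    for src, n in rdp_scanners(text, min_targets).items():
        bucket = internal if ipaddress.ip_address(src) in INTERNAL_NET else external
        bucket[src] = n
    return external, internal
```

An internal host appearing in the second bucket is the signal to look for: a coin-miner dropped over exposed RDP does not produce it, a worm does.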

Meanwhile, cyber security researcher Graham Cluley told IT Pro that while the attacks don't appear to be working quite as well as the hackers might hope, it's clear things have accelerated in recent months.

"Future attacks may be more successful," he added. "Businesses and home users alike need to ensure that they have defences in place and that their PCs are properly patched."
