Home / / First BlueKeep attacks prompt fresh warnings

First BlueKeep attacks prompt fresh warnings

The infamous vulnerability may have more damaging attacks may still be in store argues Amer Owaida, a security Writer at ESET

First BlueKeep attacks prompt fresh warnings
Amer Owaida, Security Writer at ESET

Ever since it was discovered six months ago, the BlueKeep vulnerability has had (not only) the cybersecurity community concerned about impending WannaCryptor-style attacks.

Earlier in November, Microsoft together with security researchers Kevin Beaumont and Marcus Hutchins shed light on the first malicious campaign that was aimed at exploiting the critical remote code execution (RCE) flaw. The attacks targeted unpatched vulnerable Windows systems to install cryptocurrency mining software, but were a far cry from the damage caused by WannaCryptor aka WannaCry in May 2017.

Tracked as CVE-2019-0708, BlueKeep was found in a Windows component known as Remote Desktop Services. It affects machines running unpatched versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Unfortunately, there is still a great number of systems that haven’t been patched, even though Microsoft rolled out the patch on May 14th.

The first instances of the coin mining campaign date back to October 23rd. Upon further inspection by Microsoft researchers, they found that an earlier campaign that occurred in September used a main implant that contacted the same command-and-control (C&C) servers as the October attack. Machines in a number of countries were affected, including France, Russia, Italy, Spain, Ukraine, Germany, and the United Kingdom.

The attackers have used a BlueKeep exploit that was released by the Metasploit team in September. They would first sweep the internet for machines with vulnerable internet-facing RDP (Remote Desktop Protocol) services, then deploy the exploit and install the cryptocurrency mining software.

The exploit is unstable as can be seen by the multiple recorded RDP-related crashes that were reported by the Microsoft security signals. The crashes were also the reason the attacks were uncovered in October by security researcher Kevin Beaumont after he reported that his honeypots were crashing.

While the attack may seem underwhelming considering the media coverage the BlueKeep vulnerability has received, the worst may still be in store. The vulnerability is ‘wormable’, which means that future exploits might use it to spread malware within or outside of networks in similar ways to what was seen with WannaCryptor.

The gravity of the situation should not be underestimated, with Microsoft issuing three alerts since May and urging its users to patch and update vulnerable machines. Earlier this year, the United States’ National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued rare warnings of their own. Recently the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has also echoed the warnings and urged vigilance.

Follow us to get the most comprehensive IT Security news delivered fresh from our social media accounts on Facebook, Twitter, Youtube, and listen to our Weekly Podcast. Click here to sign up for our weekly newsletter on curated technology news in the Middle East and Worldwide.

REGISTER NOW | Webinar Event | Security you can bank on – Safeguarding the Middle East’s financial sector

Presented in partnership with security and network specialist Cybereason, the second in the three part webinar series will bring together a panel of experts to discuss how banks and financial institutions are evolving their service offering while simultaneously staying one step ahead of the cyber criminals who seek to bring their operations crashing to the ground.