In May 2019 Microsoft disclosed the BlueKeep vulnerability, CVE-2019-0708, a serious remote code execution flaw in Windows Remote Desktop Services. The cybersecurity community anticipated that a weaponized exploit would be created and used in large-scale attacks. The first large attacks using a BlueKeep exploit were uncovered this weekend.
Shortly after Microsoft reported the vulnerability, many security researchers developed proof-of-concept exploits for BlueKeep. One such exploit allowed a researcher to remotely take over a vulnerable computer in only 22 seconds. The researchers postponed publishing their PoCs because of the severity of the threat and the number of devices that could be vulnerable to attack. Initially, a vast number of internet-connected devices were at risk, including close to one million Internet of Things (IoT) devices.
The BlueKeep vulnerability can be exploited remotely simply by sending a specially crafted RDP request. No user interaction is required to trigger the flaw. The flaw is also wormable: self-propagating malware could spread from one vulnerable computer to another on the same network.
Microsoft issued several alerts about the vulnerability, which affects older Windows versions including Windows Server 2003 and 2008, Windows 7 and Windows XP. Organizations and end-users were told to apply the patch without delay to prevent exploitation of the flaw. The NSA, GCHQ, and other government institutions worldwide issued warnings. The cybersecurity community likewise warned firms and consumers about the threat of attack, with many expecting a weaponized exploit to appear within weeks.
Although the patch has been available for 5 months, patching has been slow: close to 724,000 devices still have not applied it. The true number of vulnerable devices is considerably higher, since scans do not cover devices protected by firewalls.
Right after the vulnerability was announced, security researcher Kevin Beaumont set up a worldwide network of Remote Desktop Protocol (RDP) honeypots designed to be attacked. For weeks and months, no exploitation attempts were observed. Then on November 2, 2019, Beaumont found that the honeypots had been attacked. The first attack, on October 23, 2019, caused the honeypot to crash and reboot; attacks on the other honeypots followed, except for the one in Australia. Although the attacks were discovered this weekend, the campaign actually started at least two weeks ago.
Security researcher Marcus Hutchins, aka MalwareTech, examined the crash dumps from the attacks. Hutchins is the researcher who found and activated the kill switch that stopped the WannaCry ransomware attacks in May 2017. Hutchins located artifacts in memory showing that the BlueKeep vulnerability had been used to attack the honeypots, along with shellcode indicating it was exploited to deliver a cryptocurrency miner, probably for Monero.
Fortunately, the attackers appear to be low-skilled threat actors who have not exploited the vulnerability's full potential. They have not developed a self-replicating worm and used the vulnerability only to install cryptocurrency mining malware on vulnerable devices via an internet-exposed RDP port. The attacker(s) likely used the BlueKeep exploit module released for the Metasploit framework in September.
Given that the honeypots crashed and that the exploit did not succeed against all 11 honeypots, it is likely that the exploit does not work as intended and has not been modified to work reliably. Nevertheless, this is a massive attack and some attacks were.
The BlueKeep vulnerability had previously been exploited successfully by threat actors in smaller, more targeted attacks, but this is the first mass exploitation of BlueKeep.
If threat actors learn to exploit the full potential of the BlueKeep vulnerability and develop a self-propagating worm, all unpatched devices could be attacked, including those on internal networks. Such attacks would not merely slow computers down by mining cryptocurrency. Wiper attacks similar to NotPetya could also be conducted; that attack cost the shipping firm Maersk about $300 million.
Preventing these attacks is straightforward: apply Microsoft's patch to all affected computers as soon as possible.
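As an added example (not from the original article), the following PowerShell check lets a defender see whether a host belongs to one of the affected Windows families named above, has Remote Desktop enabled and listening, and has the CVE-2019-0708 fix installed. It assumes the KB numbers listed are the May 2019 fixes; confirm them against Microsoft's advisory for CVE-2019-0708 before trusting a "patched" verdict.

```powershell
# Added example: local exposure check for CVE-2019-0708 (BlueKeep).
# Written to run on PowerShell 2.0 and later, since the affected systems are old.
# ASSUMPTION: these KB ids are the May 2019 fixes as I understand Microsoft's
# advisory; verify them against the advisory before relying on the verdict.
$fixKBs = @('KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
            'KB4499180', 'KB4499149',   # Windows Server 2008 SP2 (security-only / rollup)
            'KB4500331')                # Windows XP / Server 2003 (out-of-band update)

# Affected OS families named in the article; Windows 8/10 and Server 2012+ are not affected.
$os = Get-WmiObject Win32_OperatingSystem
$affected = $os.Caption -match 'Windows(\(R\))? (XP|7|Server 2003|Server 2008)'

# Remote Desktop switched on? fDenyTSConnections = 0 means RDP connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Is anything actually listening on the RDP port? netstat works on Windows 7/2008,
# where Get-NetTCPConnection is not available.
$listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

# Is at least one of the fix KBs present in the local update history?
$installed = Get-HotFix | Where-Object { $fixKBs -contains $_.HotFixID }
$patched = [bool]$installed
$fixIds = ($installed | ForEach-Object { $_.HotFixID }) -join ','

if ($affected -and -not $patched) {
    $verdict = 'VULNERABLE: apply the CVE-2019-0708 update'
} elseif ($affected) {
    $verdict = 'Patched'
} else {
    $verdict = 'Not affected'
}

# One record per host; pipe this script's output to Export-Csv when run across a fleet.
New-Object PSObject -Property @{
    Host          = $env:COMPUTERNAME
    OS            = $os.Caption
    AffectedOS    = $affected
    RdpEnabled    = $rdpEnabled
    Listening3389 = $listening
    FixInstalled  = $patched
    FixIds        = $fixIds
    Verdict       = $verdict
}
```

A host that reports AffectedOS and RdpEnabled but not FixInstalled is exactly the exposed population the scans in the article count, and the check works just as well on firewalled internal hosts that those scans miss.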