Microsoft experts examined real attempts to exploit BlueKeep

Microsoft experts examined real attempts to exploit BlueKeep and warned users about the growing threat of cyberattacks based on this vulnerability. As the experts found out, the criminals created a new exploit, which is already used to spread malware-crypto miners.

The BlueKeep Vulnerability (CVE-2019-0708) is found in the Remote Desktop Service (RDS) for Windows 7, Windows Server 2008, and Windows Server 2008 R2. It allows you to execute third-party code on your computer and automatically distribute malware within the infrastructure.

A patch for this bug was published in May, however, according to information security analysts, the number of vulnerable machines is still in the hundreds of thousands.

“It’s well worth organisations triple checking what RDP exposure they have facing the internet. It’s still well over half a million BlueKeep vulnerable systems as of fresh scanning this week, including many of the world’s biggest orgs and MSPs”, — for example, posted an independent researcher Kevin Beaumont on Twitter.

Marcus Hutchins
Marcus Hutchins

Kevin Beaumon reported about attempts of mass use of BlueKeep back in late October. He noticed a series of critical errors on the chanotypes that were created specifically to attract BlueKeep malware. As it turned out, the failures were triggered by a new exploit created on the basis of the Metasploit module.

A further investigation, which Microsoft experts and independent researcher Marcus Hutchins connected to, revealed that attackers were trying to install cryptocurrency mining software on vulnerable computers. The exploit used is unstable, which causes numerous critical RDS errors. At the same time, experts emphasize that one should not underestimate the possible successful attacks that remain behind the scenes.

Analysts have linked the crypto-jacker campaign to a series of similar attacks in September. One management server unites all incidents. According to experts, criminals are experimenting with payload delivery systems, and the BlueKeep exploit has expanded the arsenal of attackers in early October.

A significant part of the incidents occurred in France (18%), Russia (16%) and Italy (10%).

Unlike previous, fully automated campaigns using BlueKeep, the October attack organizers manually downloaded the exploit to vulnerable computers. Next, the malware executed a series of PowerShell scripts in order to deploy the miner and gain a foothold on the machine.

Read also: Wordfence experts talked about a massive WP-VCD threat aimed at hacking WordPress

Experts predict that in the future, criminals will use a new exploit to deliver other types of malware. Experts have already found a way to fix the problems that caused critical errors on compromised computers.

“Users urgently need to update the software, paying particular attention to the RDP applications of vendors and other third-party organizations. Such systems often fall outside the scope of the scan, and until users find all such programs, criminals will be able to use BlueKeep without leaving obvious traces in the infrastructure”, – emphasized Microsoft researchers.

Microsoft previously warned of two remote connection service vulnerabilities that resemble BlueKeep. These bugs give crackers full access to the computer, allowing installing and removing programs, editing private data, and creating new administrator accounts.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button