
By Shannon Morse, ThreatWire 

Back in May, Microsoft warned users about a serious critical vulnerability called BlueKeep, which could let an attacker take over machines remotely with no action from the user. Microsoft was worried that this bug could act like a worm, infecting millions of PCs. BlueKeep was reportedly present on around 900,000 computers in May, but Microsoft worked hard to get patches out as soon as possible. BlueKeep is a bug within the Remote Desktop Protocol that affects Windows 7 and earlier OSs. For months, security experts have warned that BlueKeep would be used to start a global attack on machines, as a worm spreading malware - and while something has happened, it's not as bad as our paranoia would make it seem.

Researchers created honeypots to bait attackers into infecting them so they could watch and track the bug's development, and the honeypots finally did get hit with BlueKeep. But instead of being used to spread a worm, the exploit has been used to install cryptocurrency miners, so experts don't believe it is being used to spread from one infected machine to others. The attacker seems to have simply scanned the internet for already vulnerable machines.

The spread of BlueKeep attacks for cryptomining was first spotted by Kevin Beaumont, who noticed his RDP honeypots simultaneously crashing, dating back to October 23. The crashes happened on several honeypots, which led Beaumont to believe that the exploit isn't working as intended. This isn't necessarily surprising, since BlueKeep can often lead to a Blue Screen of Death. He alerted security researcher Marcus Hutchins, who analyzed the crash dump for more information. Hutchins found code for BlueKeep as well as a Monero miner.

According to Marcus Hutchins at Kryptos Logic, the attacker is spraying exploits at vulnerable machines. In this case the attacker is using a version of the BlueKeep exploit that was included in Metasploit, a penetration testing framework, and made public in September. Vulnerable machines are then infected with the cryptominer. Since this is the version included in Metasploit, researchers also think the attacker doesn't understand how to modify the original code.

Experts now believe that we haven't seen an epidemic thanks to patches being released for Windows to remedy the situation, and because attackers likely do not see a monetary gain that would make the time dedicated to an attack worth it.

At this time, 735,000 Windows machines are still vulnerable, so another BlueKeep attack remains entirely possible, and users are still advised to patch.

BlueKeep

https://www.wired.com/story/microsoft-bluekeep-patched-too-slow/

https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/

https://www.zdnet.com/article/bluekeep-attacks-are-happening-but-its-not-a-worm/

https://thehackernews.com/2019/11/bluekeep-rdp-vulnerability.html

https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/

Support me on alternative platforms! https://snubsie.com/support

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 
