BlueKeep attacks prompt fresh warnings

In Opinions

Amer Owaida, Security Writer at ESET, discusses how the infamous vulnerability has been exploited for a cryptocurrency mining campaign, and why more damaging attacks may still be in store.

Ever since it was discovered six months ago, the BlueKeep vulnerability has had (not only) the cybersecurity community concerned about impending WannaCryptor-style attacks. Earlier in November, Microsoft together with security researchers Kevin Beaumont and Marcus Hutchins shed light on the first malicious campaign that was aimed at exploiting the critical remote code execution (RCE) flaw. The attacks targeted unpatched vulnerable Windows systems to install cryptocurrency mining software, but were a far cry from the damage caused by WannaCryptor aka WannaCry in May 2017.

Tracked as CVE-2019-0708, BlueKeep was found in a Windows component known as Remote Desktop Services. It affects machines running unpatched versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Unfortunately, there is still a great number of systems that haven’t been patched, even though Microsoft rolled out the patch on May 14th.

The first instances of the coin mining campaign date back to October 23rd. Upon further inspection, Microsoft researchers found that an earlier campaign in September had used a main implant that contacted the same command-and-control (C&C) servers as the October attack. Machines in a number of countries were affected, including France, Russia, Italy, Spain, Ukraine, Germany, and the United Kingdom.

The attackers have used a BlueKeep exploit that was released by the Metasploit team in September. They would first sweep the internet for machines with vulnerable internet-facing RDP (Remote Desktop Protocol) services, then deploy the exploit and install the cryptocurrency mining software.

The exploit is unstable, as can be seen from the multiple RDP-related crashes recorded by Microsoft security signals. The crashes were also the reason the attacks were uncovered in October by security researcher Kevin Beaumont, after he reported that his honeypots were crashing.

While the attack may seem underwhelming considering the media coverage the BlueKeep vulnerability has received, the worst may still be in store. The vulnerability is ‘wormable’, which means that future exploits might use it to spread malware within or outside of networks in similar ways to what was seen with WannaCryptor.

The gravity of the situation should not be underestimated, with Microsoft issuing three alerts since May and urging its users to patch and update vulnerable machines. Earlier this year, the United States’ National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued rare warnings of their own. Recently the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has also echoed the warnings and urged vigilance.
