Security researchers have spotted the first mass-hacking campaign using the BlueKeep exploit; however, the exploit is not being used as a self-spreading worm, as Microsoft was afraid it would happen last May when it issued a dire warning and urged users to patch.
Instead, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team back in September to hack into unpatched Windows systems and install a cryptocurrency miner.
This BlueKeep campaign has been happening at scale for almost two weeks, but it’s been only spotted today by cybersecurity expert Kevin Beaumont.
The British security expert said he found the exploits in logs recorded by honeypots he set up months before and forgot about. First attacks date back to October 23, Beaumont told ZDNet.
The attacks discovered by Beaumont are nowhere near the scale of the attacks Microsoft was afraid of back in May, when it likened BlueKeep to EternalBlue, the exploit at the heart of the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks of 2017.
Microsoft engineers were terrified that BlueKeep would trigger another world-spanning malware outbreak that spread on its own, from an unpatched system to another unpatched system.
However, the first mass-hacking operation didn’t turn out to include self-spreading, worm-like capabilities. Instead, the hackers appear to search for Windows systems with RDP ports left exposed on the internet, deploy the BlueKeep Metasploit exploit, and later a cryptocurrency miner.
Update: according to netflow it doesn’t appear to be self propagating, I assume a list of vulnerable IPs are being fed to a server which performs the exploitation.
— MalwareTech (@MalwareTechBlog) November 3, 2019
I don’t think there’s a worm (or at least anything bad enough to care about). There’s finally generic exploitation tho for sure.
— Kevin Beaumont (@GossiTheDog) November 2, 2019
FWIW, re:#BlueKeep we’re seeing a small uptick in 3389 related traffic at the @RenditionSec SOC, but not consistent with a worm. I would guess either:
1. It’s not a worm
2. Enough machines have been patched or the exploit is too unreliable for a worm to reach critical mass
— Jake Williams (@MalwareJake) November 2, 2019
But these particular BlueKeep attacks don’t seem to work. Beaumont told ZDNet that the attacks crashed 10 of the 11 honeypots he was running.
This shows the attacker’s exploit code doesn’t work as they intend.
This fits right in with what most experts have said about BlueKeep for the past few months. The BlueKeep exploit can have devastating consequences, but it’s hard to get an exploit working without crashing the OS with a Blue Screen of Death (BSOD) error.
The person/group behind the recent attacks doesn’t appear to have the know-how needed to modify the BlueKeep demo exploit released by the Metasploit team back in September, which is a good thing. However, some of their attacks have succeeded.
What we are seeing today from this threat actor is the first hacking group that is trying to weaponize this dangerous exploit in an operation at scale, rather than at a specific target.
But ZDNet is also aware that other hackers have used BlueKeep in more targeted attacks, and have used it successfully.
At one point in the future, some low-skilled threat actors will figure out how to run BlueKeep properly, and that’s when we’ll see it used more broadly. Chances are that it’s still going to be used to mine cryptocurrency — the same thing for which EternalBlue is also mostly used nowadays.
BlueKeep patch information
BlueKeep is a nickname given to CVE-2019-0708, a vulnerability in the Microsoft RDP (Remote Desktop Protocol) service. It impacts only:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
Patches have been available since mid-May 2019. See official Microsoft advisory.
A first public demo BlueKeep exploit was released for the Metasploit penetration testing framework back in September. It was released to help system administrators test vulnerable systems, but it can also be re-purposed by malicious actors. Tens of other private exploits have existed since June, developed by cyber-security firms, but kept private in order to avoid helping attackers.
Despite having months to patch systems, the latest headcount of publicly-accessible Windows systems that expose an RDP endpoint online and are vulnerable to BlueKeep is at around 750,000. These scans don’t include systems inside private networks, behind firewalls.