BlueKeep Attacks Arrive with Cryptomining Malware
The first wave of attacks exploiting the BlueKeep vulnerability has been detected by security researchers. What actions should your IT team take?
The First BlueKeep Attacks Have Struck
The first wave of attacks exploiting the BlueKeep vulnerability has been detected by security researchers; however, the flaw is not being used as a self-spreading worm, as Microsoft had been warning since May of this year.
The recent attacks have instead used a demo BlueKeep exploit to break into unsecured and unpatched Windows systems and install a cryptocurrency miner, stealing processing resources from devices across the globe.
Interestingly, instead of a worm that migrates automatically and spreads instantaneously, the attackers have used the vulnerability's self-replicating capability only to scan the Internet for other vulnerable devices to exploit.
What Security Researchers Learned About BlueKeep
Researcher Kevin Beaumont, the expert who named the vulnerability BlueKeep, has been running a worldwide honeypot network (named BluePot) in an effort to catch exploitation attempts. The attacks appear to have begun on October 23, when Beaumont's honeypots started crashing and rebooting, but he only realized this was due to BlueKeep attack attempts on November 2.
Beaumont analyzed the attacks with assistance from British researcher Marcus Hutchins, and they determined that the attackers behind the campaign have been using a BlueKeep Metasploit module, released in early September of this year, to deliver a Monero miner. Monero is a cryptocurrency that relies on proof-of-work mining to achieve distributed consensus.
According to various sources, the hackers do not appear to have attempted to create a worm that spreads inside a network, and Beaumont stated that the attacks crashed 10 of the 11 honeypots he was running.
“In conclusion, so far the content being delivered with BlueKeep appears to be frankly a bit lame – coin miners aren’t exactly a big threat – however it is clear people now understand how to execute attacks on random targets, and they are starting to do it. This activity doesn’t cause me to worry, but it does cause my spider sense to say ‘this will get worse, later’,” Beaumont wrote in a blog post.
I don’t think there’s a worm (or at least anything bad enough to care about). There’s finally generic exploitation tho for sure. — Kevin Beaumont (@GossiTheDog), November 2, 2019
How to Handle BlueKeep
It’s clear the BlueKeep vulnerability is still dangerous and can have disastrous consequences; for now, however, attackers simply haven’t gotten it right.
But why take your chances? The BlueKeep vulnerability (CVE-2019-0708) has patches available from Microsoft for the operating systems it affects:
- Windows XP
- Windows Server 2003 R2
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
Syxsense Manage and Syxsense Secure can easily resolve the vulnerability across the entire environment with a Patch Deploy Task. Simply target all devices for the BlueKeep updates (provided by Syxsense) at a time that’s best for the organization, and rest assured the vulnerability will be remediated in no time.
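Before scheduling the deployment, it helps to know which hosts actually still need the fix and which of them expose RDP without Network Level Authentication. The PowerShell audit below is an added example, not Syxsense code; it assumes PowerShell remoting to the target hosts and the KB numbers listed, which are taken from Microsoft's CVE-2019-0708 guidance and should be confirmed against the advisory before use.

```powershell
# Added example (not Syxsense or Microsoft code): report which Windows hosts still
# lack the CVE-2019-0708 (BlueKeep) fix and whether RDP is reachable without NLA.
# Assumptions: WinRM/PowerShell remoting is enabled; KB ids below are the May 2019
# BlueKeep updates (security-only / monthly rollup) and should be verified.
$BlueKeepFixes = @{
    'Windows Server 2008 R2' = @('KB4499175', 'KB4499164')
    'Windows 7'              = @('KB4499175', 'KB4499164')
    'Windows Server 2008'    = @('KB4499180', 'KB4499149')
    'Windows Vista'          = @('KB4499180', 'KB4499149')
    'Windows Server 2003'    = @('KB4500331')
    'Windows XP'             = @('KB4500331')
}

function Get-BlueKeepStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            # Remote block uses PowerShell 2.0-compatible cmdlets for the older OS versions
            $info = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
                New-Object PSObject -Property @{
                    OS          = (Get-WmiObject Win32_OperatingSystem).Caption
                    HotFixIds   = @(Get-HotFix | ForEach-Object { $_.HotFixID })
                    RdpEnabled  = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
                    # NLA forces authentication before the vulnerable code path; a mitigation, not a fix
                    NlaRequired = ((Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1)
                }
            }
        } catch {
            [pscustomobject]@{ Computer = $computer; Status = "Unreachable: $($_.Exception.Message)" }
            continue
        }
        # Longest name first so 'Windows Server 2008 R2' is not classified as 'Windows Server 2008'
        $family = $BlueKeepFixes.Keys | Sort-Object Length -Descending |
                  Where-Object { $info.OS -like "*$_*" } | Select-Object -First 1
        $patched = $family -and (@($BlueKeepFixes[$family] | Where-Object { $info.HotFixIds -contains $_ }).Count -gt 0)
        $status = if (-not $family)  { 'NotAffected' }
                  elseif ($patched)  { 'Patched' }
                  elseif ($info.RdpEnabled -and -not $info.NlaRequired) { 'NEEDS PATCH - RDP exposed without NLA' }
                  else               { 'NEEDS PATCH' }
        [pscustomobject]@{
            Computer = $computer; OS = $info.OS; RdpEnabled = $info.RdpEnabled
            NlaRequired = $info.NlaRequired; Status = $status
        }
    }
}

# Hosts that still need the update, ready to hand to a patch deployment task (hostnames are placeholders)
Get-BlueKeepStatus -ComputerName 'win7-01', 'srv2008r2-02' | Where-Object Status -like 'NEEDS PATCH*'
```

Monthly rollups on Windows 7 and Server 2008 are cumulative, so a host updated only through a later rollup will not list these KB ids; treat 'NEEDS PATCH' as a candidate to confirm against the patch tool's own compliance data rather than a final verdict.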
Experience the Power of Syxsense
Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.