Pierluigi Paganini November 03, 2019

Experts have spotted the first mass-hacking campaign exploiting the BlueKeep exploit, crooks leverage the exploit to install a cryptocurrency miner.

Security researchers have spotted the first mass-hacking campaign exploiting the BlueKeep exploit, the attack aims at installing a cryptocurrency miner on the infected systems.

In May, Microsoft warned users to update their systems to address the remote code execution vulnerability dubbed BlueKeep, A few days later, the National Security Agency (NSA) also urged Windows users and administrators to install security updates to address BlueKeep flaw (aka CVE-2019-0708).

In June the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS on also issued an alert for the same issue.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Instead, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team back in September to hack into unpatched Windows systems and install a cryptocurrency miner.

According to the experts, this is the first attempt to exploit the BlueKeep RDP vulnerability in mass-hacking attacks.

Over the last months, many security experts have developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Security experts warned it was a matter of time before threat actors will start exploiting it in the wild and now it is happening. The researcher Zǝɹosum0x0 announced to have has developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw.

The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008, but the expert has not publicly disclosed it to avoid threat actors abusing it.

After the disclosure of the flaw, the popular expert Robert Graham scanned the Internet for vulnerable systems. He discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan,  

Yesterday, the popular expert Kevin Beaumont observed some of its EternalPot RDP honeypots crashing after being attacked.

The popular expert Marcus Hutchins analyzed data shared by Beaumont and confirmed that attacks the honeypot systems were hit by attackers leveraging the BlueKeep exploits to deliver a Monero Miner.

“Kevin kindly shared the crash dump with us and following this lead, we discovered the sample was being used in a mass exploitation attempt. Due to only smaller size kernel dumps being enabled, it is difficult to arrive at a definite root cause.” reads a blog post published by Hutchins.

“Finally, we confirm this segment points to executable shellcode. At this point we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep metasploit module!”

The exploit code includes a sequence of encoded PowerShell commands that compose the attack chain, the last payload is an executable binary, a Monero Miner, downloaded from a remote server and executed on the targeted systems.

Hutchins pointed out that the malicious code involved in the massive attack doesn’t implement self-spreading capabilities.

Currently there is no news about the extent of this attack, it’s unclear how many Windows systems have been compromised with the Monero miner.

“Although this alleged activity is concerning, the information security community (correctly) predicted much worse potential scenarios. Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack.” concludes the expert. “It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.”

Pierluigi Paganini

(SecurityAffairs – hacking, BlueKeep)

[adrotate banner=”5″]

[adrotate banner=”13″]