Hacking

First Cyber Attack ‘Mass Exploiting’ BlueKeep RDP Flaw Spotted in the Wild

Experts have spotted the first mass-hacking campaign exploiting the BlueKeep exploit, crooks leverage the exploit to install a cryptocurrency miner.

Security researchers have spotted the first mass-hacking campaign exploiting the BlueKeep exploit, the attack aims at installing a cryptocurrency miner on the infected systems.

In May, Microsoft warned users to update their systems to address the remote code execution vulnerability dubbed BlueKeep, A few days later, the National Security Agency (NSA) also urged Windows users and administrators to install security updates to address BlueKeep flaw (aka CVE-2019-0708).

In June the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS on also issued an alert for the same issue.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Instead, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team back in September to hack into unpatched Windows systems and install a cryptocurrency miner.

According to the experts, this is the first attempt to exploit the BlueKeep RDP vulnerability in mass-hacking attacks.

Over the last months, many security experts have developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Security experts warned it was a matter of time before threat actors will start exploiting it in the wild and now it is happening. The researcher Zǝɹosum0x0 announced to have has developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw.

The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008, but the expert has not publicly disclosed it to avoid threat actors abusing it.

After the disclosure of the flaw, the popular expert Robert Graham scanned the Internet for vulnerable systems. He discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan,  

Yesterday, the popular expert Kevin Beaumont observed some of its EternalPot RDP honeypots crashing after being attacked.

The popular expert Marcus Hutchins analyzed data shared by Beaumont and confirmed that attacks the honeypot systems were hit by attackers leveraging the BlueKeep exploits to deliver a Monero Miner.

“Kevin kindly shared the crash dump with us and following this lead, we discovered the sample was being used in a mass exploitation attempt. Due to only smaller size kernel dumps being enabled, it is difficult to arrive at a definite root cause.” reads a blog post published by Hutchins.

“Finally, we confirm this segment points to executable shellcode. At this point we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep metasploit module!”

The exploit code includes a sequence of encoded PowerShell commands that compose the attack chain, the last payload is an executable binary, a Monero Miner, downloaded from a remote server and executed on the targeted systems.

Hutchins pointed out that the malicious code involved in the massive attack doesn’t implement self-spreading capabilities.

Currently there is no news about the extent of this attack, it’s unclear how many Windows systems have been compromised with the Monero miner.

“Although this alleged activity is concerning, the information security community (correctly) predicted much worse potential scenarios. Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack.” concludes the expert. “It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlueKeep)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

11 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

18 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.