The software giant's Microsoft Defender ATP Research Team published a blog post (opens in new tab) in which they warned of increased BlueKeep activity, saying: “Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines.”
The researchers also noted that the BlueKeep attacks reported earlier this month by security researcher Kevin Beaumont were connected with a coin mining campaign that used the same command-and-control servers to launch attacks on vulnerable systems. Beaumont even went so far as to create a global honeypot network to detect the development of BlueKeep exploits in the wild. However, the network first crashed at the beginning of October and following this crash, all of the remaining honeypots except for those in Australia were also taken offline.
- Many SMBs are running outdated operating systems
- Windows users must patch PCs against BlueKeep, NSA warns
- Microsoft warns on Windows 7 Pro end of life
Security researcher Marcus Hutchins (aka MalwareTech) also confirmed that this series of BlueKeep exploit attacks were still underway. Microsoft worked with both security researchers to investigate the crashes and it was then that they discovered they were caused by a BlueKeep exploit module.
In early September, Microsoft deployed a behavioral detection system for the BlueKeep Metasploit module. The company observed RDP service crashes had increased from 10 to 100 per day in September and a similar spike occurred in early October.
BlueKeep is a remote code execution vulnerability that is also wormable which affects Windows XP, Windows 7, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability itself is pre-authentication and this means that it requires no user interaction to be exploited.
However, the attacks that were launched earlier this month did not deploy any wormable malware. Instead the cybercriminals behind this recent wave of attacks scanned the web for vulnerable machines and attacked unpatched systems by deploying a BlueKeep exploit followed by a cryptocurrency miner.
Microsoft believes that this is just the beginning and that the worst is yet to come as the attackers will refine their attacks and use BlueKeep to deliver malicious payload which are much worse than coin miners.
To avoid falling victim to BlueKeep, it is highly recommended that you patch any older Windows operating systems and consider upgrading to the latest version of Microsoft's operating system.
- Keep your devices protected with the best antivirus software
Via The Inquirer (opens in new tab)