First BlueKeep hacking campaign discovered after months of caution

Researchers discover a BlueKeep campaign, months after Microsoft disclosed that millions of Windows devices harboured the hackable flaw

Researchers have finally discovered a BlueKeep campaign in the wild, months after Microsoft disclosed that millions of Windows devices harboured the hackable flaw.

"It has been almost six months since an eye-opening vulnerability in Microsoft Windows RDP CVE 2019-0708, dubbed BlueKeep, was patched. Today, security researcher Kevin Beaumont posted a Twitter thread reporting BSODs (Blue Screen of Death) across his network of BlueKeep Honeypots," said a Kryptos Logic blog post on 3 November.

Microsoft issued a warning about the BlueKeep vulnerability in Remote Desktop Services, which implements the Remote Desktop Protocol (RDP), in May. This component is common to most versions of Microsoft Windows and allows remote access to the graphical interface. An external attacker can use the vulnerability to fully compromise a system without requiring any form of authentication or user interaction.

"People worked to reverse engineer the patch and build protection and detection, while organisations worked to patch," wrote Kevin Beaumont in his blog. "I built a worldwide honeypot network to spot exploitation, which I called BluePot."

There was absolutely no threat movement, despite the certainty that advanced threat actors would look to leverage it.

In June, the US Department of Homeland Security announced that it had achieved remote code execution on a computer running a vulnerable version of Windows 2000. The agency listed Windows 2000, Vista, XP and 7, and Windows Server 2003, 2003 R2, 2008 and 2008 R2, as vulnerable.

The US National Security Agency (NSA) also warned Microsoft Windows users to make sure they are using updated systems to guard against the flaw. Several cyber-security researchers demonstrated proof-of-concept exploits for the vulnerability.

"That changed on 23 October," Beaumont wrote. "One of the BlueKeep honeypots crashed and rebooted. Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity."

He alerted Kryptos Logic researcher Marcus Hutchins, one of the first to build a working proof-of-concept for the BlueKeep vulnerability. Hutchins confirmed Beaumont's suspicions.

"It looks like a BlueKeep worm has finally arrived!" Hutchins tweeted. "Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner."

"It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponised. One might theorise that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved," said the Kryptos Logic blog post.

"Based on our data, we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack. It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities," it added.

However, the threat BlueKeep poses to Windows machines worldwide remains high. More than 0.8 million systems online remain vulnerable, SC Media UK reported in July.

Microsoft had pulled the plug on support for older versions of Windows -- 2000, Vista, XP -- years ago, and has repeatedly urged customers to update. The response has been dismal.

The UK’s NHS recently faced severe criticism from security experts after it disclosed that it still runs more than 2,000 PCs with XP OS. The health service provider is currently executing a £150-million plan to upgrade all systems to Windows 10 by 14 January 2020.

The use of outdated software is prevalent, particularly in the Windows-dominated healthcare sector, where 56 percent of Windows devices still run an outdated operating system. The sector uses internet-connected devices and software that are not always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry.

"According to BinaryEdge, there are over 700,000 vulnerable systems that are publicly accessible - including nearly 9,000 in France, over 10,000 in Germany, over 4,500 in Australia and over 100,000 in the United States," commented Satnam Narang, senior research engineer at Tenable.

"The risks here cannot be overstated — organisations must patch their systems immediately."
