Microsoft confirms BlueKeep campaign, reiterates call to patch

Microsoft confirms ongoing BlueKeep exploit; teams up with security researchers who initially spotted the attack

Microsoft has confirmed the ongoing BlueKeep exploit, days after researchers disclosed the details of a campaign in the wild. Microsoft Defender ATP research team has announced its collaboration with security researchers Kevin Beaumont and Marcus Hutchins who initially spotted the BlueKeep attack.

SC Media UK this week reported that researchers have finally discovered a BlueKeep campaign in the wild, months after Microsoft disclosed that millions of Windows devices harboured the hackable flaw.

BlueKeep is an unauthenticated remote code execution vulnerability CVE-2019-0708 in remote desktop services (RDP) on Windows 7, Windows Server 2008, and Windows Server 2008 R2.

"Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines," said the Microsoft announcement. 

The Microsoft Defender ATP research team saw that there was an increase in RDP service crashes from 10 to 100 daily starting on 6 September, an increase in memory corruption crashes starting on 9 October, and spotted crashes on external researcher honeypots since 23 October.

"RDP is a valuable mechanism for threat actors to progress their attacks and certainly has a broader utility than simple cryptojacking attempts. RDP remains a widely exposed and vulnerable attack surface and will likely continue in the near future due to the protocol’s prevalent use," Vectra EMEA director Matt Walmsley told SC Media UK.

There have been multiple reports of RDP attacks in the wild. The Vectra 2019 Spotlight Report on RDP lists 26,800 suspicious RDP behaviours in more than 350 deployments.

"RDP remains a very popular technique for cyberattackers, with 90 percent of observed deployments exhibiting RDP attacker behaviour detections," Walmsley told SC Media UK.

"Microsoft security researchers found that an earlier coin-mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin-miner," said the report.

"This indicated that the same attackers were likely responsible for both coin-mining campaigns — they have been actively staging coin-miner attacks and eventually incorporated the BlueKeep exploit into their arsenal."

The Microsoft Defender machine learning models spotted the presence of the coin miner payload used in these attacks on machines in countries including France (18 percent), Russia (16 percent), Italy (10 percent), Spain (nine percent), Ukraine (eight percent), Germany (five percent), the United Kingdom (five percent), and many other countries.

"While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin-miners," warned the report.

"Vulnerabilities of this class have a number of game-over scenarios," agrees Datto CISO Ryan Weeks.

"The weaponisation for mass delivery of a class of malware known as Wipers, malware that destroys data, is one such scenario. A second scenario would be weaponisation to deliver persistent remote access trojans to machines that allow for long term access to subject environments," he told SC Media UK.

"It is more likely though that this will be used to propagate ransomware and crypto-miners as those business models lend themselves to a numbers game, the more machines affected the more profit. It is likely that this exploit will also be used in a non-wormlike capacity for targeted attacks," Weeks said.

A patch was issued for BlueKeep in May. In June, the US department of homeland security announced that it had achieved remote code execution on a computer running a vulnerable version of Windows 2000. The agency listed Windows 2000, Vista, XP, 7 and Windows Server 2003, 2003 R2, 2008, 2008 R2 vulnerable. The US National Security Agency (NSA) also warned Microsoft Windows users to make sure they are using updated systems to guard against the flaw.

Microsoft had pulled the plug on support for older versions of Windows -- 2000, Vista, XP -- years ago, and has repeatedly urged customers to update. The response has been dismal. More than 0.8 million systems online remain vulnerable to Bluekeep, SC Media UK  reported in July. 

While patching is the best solution, there are other compensating controls that can be put in place in case it is delayed, suggested Weeks. 

"Limiting network access to RDP (TCP/3389) to trusted administrative systems only as this will protect against internet and internal attacks, disallowing RDP from the Internet entirely to prevent internet-based attacks, deploying network-level prevention or virtual patching using (IPS or UTM firewalls) that can detect and block exploit attempts as they are sent to vulnerable machines," he explained. 

"The best advice if unable to patch would be to disable RDP and find a more secure method of accessing windows machines remotely on the network until patching can occur or robust compensating controls can be put in place."

Patching is an important step to reduce the attack surface, but RDP will continue to be used illegitimately by attackers who have gained authentic credentials, warned Walmsley.

"That’s why, on top of patching, the ability to monitor and identify malicious use of RDP is increasingly important to security teams seeking to identify and contain attackers before they wreak havoc." he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews