The Bluekeep vulnerability exists in unpatched Windows server 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
“BlueKeep,” a remote code execution vulnerability, is currently infecting vulnerable Windows machines on a massive scale. The vulnerability, similar in effect to the WannaCry bug from 2017, is executing with a crypto-miner payload, most likely, Monero.
According to a security researcher, Kevin Beaumont, who first named the vulnerability, the malware infected several honeypots in his EternalPot RDP honeypot network, causing machines to crash and reboot. However, devices in Australia did not crash as reported in Bleeping Computer recently.
The researcher estimates that more than 724,000 systems worldwide are susceptible to BlueKeep exploitation. That number could be higher given the slow pace most users take in patching their systems.
Web-facing vulnerable machines are attacked for cryptocurrency mining purposes. Lately, crypto-mining exploits have gained popularity amongst cyber-criminals due to the perceived quick paydays.
What is “BlueKeep”?
BlueKeep (CVE-2019-0789), is a severe remote execution vulnerability that allows malware to spread on connected systems without user intervention.
According to Marcus Hutchins, also known as “MalwareTech,” and the guy responsible for stopping WannaCry on its track:
“BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale.”
The malware, however, might not be a worm but is still mass-exploiting the BlueKeep bug. Cyber-criminals are likely using a BlueKeep scanner to find vulnerable, connected systems and dropping the cryptocurrency miners on them.
According to MalwareTech, the final payload is a crypto-miner, likely for Monero, which is currently detected by 25 out of 68 antivirus engines.
The current attack seems focused on port 3389, specific for remote assistance connections via the Remote Desktop Protocol (RDP) on Windows Machines.
BlueKeep doesn’t affect all Windows machines. The vulnerability exists in unpatched Windows server 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Since BlueKeep has been weaponized, it could be used to deliver more lethal threats in addition to cryptocurrency miners, ransomware among others. A good example is a BlueKeep related ransomware attack in Spain on Nov 4th which created media hysteria and disruptions in Spain’s largest radio station.
Securing Your Computer
Microsoft patched the vulnerability back on May 14, following the concerns raised by governments, security companies, among others.
However, most people and institutions haven’t patched their systems.
At the enterprise level, the worldwide patch rate stood at 83% in June. That’s not counting consumer machines. Cyber-criminals are likely targeting consumer computers according to reports.
Update your system and keep it updated to guard against the BlueKeep vulnerability. Also, ensure that your Antivirus or Anti-Malware is up to date.