Microsoft Warns Users: Beware of Damaging BlueKeep AttacksSoftware Giant Says Exploits Could Expand Beyond Cryptomining
Now that security researchers have located the first exploits that take advantage of the BlueKeep vulnerability in Windows, Microsoft is warning users to apply patches the company issued for this flaw before more dangerous exploits merge.
Microsoft issued yet another warning about BlueKeep in the wake of a report that attackers had used the vulnerability to plant cryptomining malware on some devices (see: BlueKeep Attacks Arrive, Bearing Cryptomining Malware).
And while cryptomining malware is not considered a major threat to enterprises, Microsoft notes that with so many Windows devices left unpatched for the BlueKeep vulnerability - one analyst estimates the number of unpatched systems at over 700,000 globally - it's only a matter of time before a much more dangerous exploit is developed by threat actors.
"The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check," Microsoft notes. "Customers are encouraged to identify and update vulnerable systems immediately."
BlueKeep, which is also known as CVE-2019-070, is a potentially wormable vulnerability found in the remote desktop protocol feature in older versions of the Windows operating system.
The older versions of Windows affected by the BlueKeep vulnerability include XP, Windows 7, Windows 2003 and Windows Server 2008, according to Microsoft. Windows 8 and Windows 10, however, are immune, the company says.
And while the cryptominer malware that the researchers found earlier this month was not wormable, the risk posed by a worm-like attack scenario is substantial because it could play out similar to how the WannaCry and NotPetya ransomware attacks spread in 2017.
The U.S. Department of Homeland Security and the National Security Agency have each issued alerts to organizations, advising them to immediately patch all systems to eliminate the BlueKeep vulnerability from their IT environments.
First Exploits Described
On Nov. 3, independent security researcher Kevin Beaumont wrote a blog post describing the first exploits to use BlueKeep. As part of a research project, Beaumont set up honeypots to monitor for BlueKeep exploitation efforts against systems that have port 3389 - used for RDP - exposed to the open internet.
In his blog post, Beaumont writes that his honeypots started crashing on Oct. 23, apparently as a result of attackers' attempts to exploit BlueKeep. The researcher has stressed that the exploits he found did not have worm-like capabilities; instead, the malicious code delivered a "coin miner," an application that mines virtual currency.
Microsoft has been working with Beaumont and another researcher, Marcus Hutchins, who is also known as MalwareTech, to investigate and analyze these exploits to determine if there's potential for more damaging attacks related to the BlueKeep vulnerability, the company says.
On Sunday, Beaumont wrote on Twitter than no new exploits have been spotted over the last several days.
I am keeping an eye on the BlueKeep exploitation stuff btw. I deployed more sensor honeypots too. I haven't seen any in the wild attacks for almost three days, maybe the attackers also got Death Stranding.— Kevin Beaumont (@GossiTheDog) November 10, 2019
In their own analysis, Microsoft researchers note that the same unnamed threat actor appears to be behind several types of cryptomining attacks using BlueKeep. The company spotted a campaign in September that is similar to the one Beaumont describes from October. In both cases, the coin-mining implants communicated with the same command-and-control server, according to the new Microsoft warning.
"Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner," according to the company. "This indicated that the same attackers were likely responsible for both coin mining campaigns - they have been actively staging coin miner attacks and eventually incorporated the BlueKeep exploit into their arsenal."
And while Beaumont and other researchers have downplayed the threat posed by cryptomining attacks, Beaumont adds that if an attacker ever develops a wormable exploit, it would change the scenario. "If somebody makes a reliable worm for this vulnerability - which to be clear has not happened here - expect global consequences as it will then spread inside internal networks," he writes.
In its analysis, Microsoft notes that if attackers could deliver cryptomining malware to unpatched devices, it's possible that new exploits could deliver even more malicious payloads. "We cannot discount enhancements that will likely result in more effective attacks," the company says.