Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

BlueKeep Attacks Crash Systems Due to Meltdown Patch

The recent attacks exploiting the BlueKeep vulnerability to deliver cryptocurrency miners caused some systems to crash due to a Meltdown patch being deployed on the targeted machines.

The recent attacks exploiting the BlueKeep vulnerability to deliver cryptocurrency miners caused some systems to crash due to a Meltdown patch being deployed on the targeted machines.

The BlueKeep vulnerability, officially tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and it allows an unauthenticated attacker to execute arbitrary code by sending specially crafted Remote Desktop Protocol (RDP) requests. Microsoft released patches, including for unsupported versions of Windows, in May.

The BlueKeep attacks used an exploit based on a Metasploit module released in September. While the attackers attempted to deliver a Monero miner, the exploit caused many of the targeted systems to crash, which actually led to researchers discovering the attacks.

Researcher Sean Dillon, aka zerosum0x0, who is one of the developers of the BlueKeep Metasploit module, has conducted an analysis and determined that the exploit likely causes devices to crash due to the presence of a patch for the Intel CPU vulnerability known as Meltdown. Dillon said his BlueKeep exploit development setup did not have the Meltdown patch installed, which is why he did not observe the crashes.

The researcher has proposed a fix that should make the exploit more reliable. In the meantime, Kevin Beaumont, the expert whose honeypots caught the BlueKeep exploitation attempts, says he has deployed more sensors, including ones that have been configured to make exploitation more stable. However, he stopped seeing attacks three days ago.

Beaumont’s honeypots started crashing on October 23, but he only realized that the crashes were caused by BlueKeep exploitation attempts on November 2. After Beaumont reported seeing attacks, Microsoft admitted that it had started noticing an increase in RDP-related crashes right after the Metasploit module was released in September.

Microsoft has once again advised customers to install the patches and warned that the exploit will likely also be used to deliver more “impactful and damaging” payloads.

While Microsoft and many others were concerned that the BlueKeep vulnerability would be used to create a worm, similar to how the EternalBlue exploit was used by the WannaCry ransomware back in 2017, the recent attacks did not involve a self-propagation component.

However, Marcus Hutchins, aka MalwareTech, the British researcher who helped Microsoft and Beaumont analyze the BlueKeep attacks, pointed out that attackers do not need to create a worm to launch profitable attacks and users should not ignore the threat just because a worm has not been created.

“Most BlueKeep vulnerable devices are servers. Generally speaking, Windows servers have the ability to control devices on the network. Either they’re domain admin, have network management tools installed, or share the same local admin credentials with the rest of the network,” Hutchins explained.

“By compromising a network server, it is almost always extremely easy to use automated tooling to pivot internally (Ex: have the server drop ransomware to every system on the network),” the researcher added.

“The real risk with BlueKeep is not a worm. A worm is pointless and noisy. Once an attacker is on the network, they can do far more damage with standard automated tools than they could ever do with BlueKeep,” Hutchins said.

There are still roughly 700,000 systems that appear to be vulnerable to BlueKeep attacks and the fact that malicious actors have started exploiting the flaw in the wild does not appear to have had any positive impact on patching efforts. The SANS Institute’s Internet Storm Center reported that the media coverage of the recent attacks does not appear to have influenced the rate at which users patch their devices.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.