The notorious Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and known as BlueKeep has been exploited in the wild to deliver cryptocurrency mining malware, researchers warned over the weekend.
BlueKeep, which Microsoft addressed in May, allows an unauthenticated attacker to execute arbitrary code by sending specially crafted Remote Desktop Protocol (RDP) requests. Microsoft warned that the vulnerability is wormable and that it could allow a piece of malware to spread in the same way the EternalBlue exploit was used by the WannaCry ransomware back in 2017.
Microsoft has urged users on several occasions to install the patch, and government agencies have also issued alerts. The patch has been made available for unsupported versions of Windows, including XP, but over 700,000 systems are still said to be vulnerable to attacks.
Microsoft and the cybersecurity community have been expecting to see attacks in the wild since the first proof-of-concept (PoC) exploits emerged. While BlueKeep may have been exploited for a long time in targeted attacks that have not been detected or made public, a researcher reported over the weekend that he has seen the first mass exploitation attempts.
Researcher Kevin Beaumont, who named the vulnerability BlueKeep, has been running a worldwide honeypot network, named BluePot, in an effort to catch exploitation attempts.
Attacks appear to have begun on October 23, when Beaumont’s honeypots started crashing and rebooting, but he only realized that it was due to BlueKeep exploitation attempts on November 2.
Beaumont has analyzed the attacks with help from British researcher Marcus Hutchins (aka MalwareTech) and they determined that the individuals behind this campaign have been using a BlueKeep Metasploit module released in early September.
The experts determined that the attackers have been exploiting BlueKeep to deliver a Monero miner. The malware sample analyzed by the researchers is currently detected by 31 antivirus engines on VirusTotal.
The hackers do not appear to have attempted to create a worm that spreads inside a network.
“In conclusion, so far the content being delivered with BlueKeep appears to be frankly a bit lame — coin miners aren’t exactly a big threat — however it is clear people now understand how to execute attacks on random targets, and they are starting to do it. This activity doesn’t cause me to worry, but it does cause my spider sense to say ‘this will get worse, later’,” Beaumont wrote in a blog post.
However, Beaumont reported on Twitter a few hours ago that all BlueKeep activity that he could see has stopped.
Hutchins has published a separate, more technical blog post on the matter.
“It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponized,” Hutchins noted. “One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved.”
The researcher added, “Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack. It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.”