Attackers are finally exploiting the BlueKeep flaw, a pre-authentication remote code execution bug in the Remote Desktop Protocol (RDP) service of Windows 7, Windows Server 2008 R2 and older versions (Windows 8 and 10 are not affected). For now, the attackers are only delivering a cryptocurrency miner, but the payload could soon be ransomware.
BlueKeep is one of the rare bugs that prompted Microsoft and intelligence agencies around the world to issue extra security alerts, because it is ‘wormable’: it can be used to spread rapidly and automatically across networks without any user interaction.
Microsoft in May even offered a patch for the unsupported Windows XP because it was concerned the bug could have the same impact as the 2017 WannaCry ransomware outbreak that Western governments attributed to North Korean hackers.
UK researcher Marcus Hutchins stopped WannaCry from spreading after discovering and registering a ‘kill switch’ domain that its propagation code checked before infecting a machine.
For security experts, it wasn't a question of if but when cybercriminals or state-sponsored hackers would exploit BlueKeep. Exploits had been shared privately between security researchers since Microsoft’s May patch, but the bug wasn’t known to have been exploited in the wild until now.
The Australian Signals Directorate in August warned admins to patch the bug immediately because the Metasploit security project had signaled it would release an exploit for the flaw imminently.
The project released the exploit in September. That helped defenders test their detections for BlueKeep attacks, but it also gave attackers a ready-made tool for exploiting the bug on unpatched systems.
UK security researcher Kevin Beaumont (@GossiTheDog on Twitter) named the bug BlueKeep, a play on the Red Keep in Game of Thrones, whose walls proved about as secure as this service, and on the Blue Screen of Death (BSOD) that failed exploitation attempts often trigger on Windows systems.
Using the Microsoft Azure Sentinel SIEM cloud service to collect the telemetry, Beaumont set up a cheap network of honeypots, aptly named BluePot, to watch for exploitation of BlueKeep, and on Friday he reported that the machines in the honeypot were experiencing BSOD events.
“Every region except Australia has BSOD multiple times,” he wrote, referring to attacks that began on October 23 but then surged in the beginning of November.
Hutchins has also confirmed the exploitation of BlueKeep and said he was surprised it took this long to be used in the wild.
“It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponized,” wrote Hutchins.
“One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved.”
Beaumont said that since late October his virtual Windows machines in Azure were being hit repeatedly, multiple times a day.
“I’ve been through all the honeypots and all but one show signs of being compromised using BlueKeep exploits, normally several times a day. This has been going on for weeks now and shows no signs of stopping,” he wrote.
The only good news from the attacks so far is that the payload is just a coin miner that consumes CPU time to mine the Monero cryptocurrency. That can wear out hardware and run up power bills over time but, unlike ransomware, it does not encrypt or destroy data. The foothold is the real problem, though: an attacker who can run a miner on a machine via a pre-authentication RCE can just as easily run something else, and the payload could change at any time.
“I would suggest organisations remove (shut down) any unpatched endpoints that are directly available on the internet for Remote Desktop Protocol, until they are patched. You can use services like BinaryEdge.io and Shodan.io to find still exploitable systems in your internet accessible IP ranges,” wrote Beaumont.
“I would also say organisations should resolve patching all internal endpoints for BlueKeep/CVE-2019-0708 as soon as possible, as history has shown internet threats can migrate to internal networks when a worm is bolted on.”
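Beaumont's advice is to find RDP endpoints exposed in your own address ranges and take the unpatched ones offline. Shodan and BinaryEdge give you the outside view; the script below, which is an added example and not Beaumont's tooling or anything from the original article, gives you the same answer from your own vantage point. It speaks the first step of the RDP handshake from MS-RDPBCGR (an X.224 Connection Request carrying an RDP_NEG_REQ) and asks the server for plain "standard RDP security" only. A server that accepts that request, or that answers with no negotiation block at all, will talk to an unauthenticated client, which is the condition BlueKeep needs; a server that refuses with HYBRID_REQUIRED_BY_SERVER enforces Network Level Authentication, which Microsoft lists as a mitigation because an attacker then needs valid credentials before reaching the vulnerable code. The sample responses in the test are constructed by hand from the spec; the cookie value, the function names and the target range are assumptions. Note what this does not tell you: whether the May 2019 update for CVE-2019-0708 is installed. Check that on the host itself, and only scan ranges you own.

```python
import argparse
import ipaddress
import socket
import struct
from typing import Iterator, Optional, Tuple

# Constants from MS-RDPBCGR, section 2.2.1.1/2.2.1.2 (connection negotiation).
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
PROTOCOL_RDP = 0x0       # "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x1       # TLS, still no authentication before the channel setup
PROTOCOL_HYBRID = 0x2    # CredSSP, i.e. Network Level Authentication
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested: int = PROTOCOL_RDP,
                             cookie: bytes = b"bluecheck") -> bytes:
    """TPKT + X.224 Connection Request + RDP_NEG_REQ asking for `requested`.
    The cookie text is an arbitrary placeholder (assumed), not a magic value."""
    cookie_field = b"Cookie: mstshash=" + cookie + b"\r\n"
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)  # little-endian
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie_field + neg_req  # CR, refs, class
    x224 = bytes([len(x224_body)]) + x224_body            # length indicator + TPDU
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, total length


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its optional RDP_NEG_RSP/FAILURE."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        return {"status": "malformed"}
    li = data[4]
    if li == 6:  # no negotiation block: pre-Vista style server, standard RDP security only
        return {"status": "accepted", "selected_protocol": PROTOCOL_RDP, "nla": False}
    if li < 14 or len(data) < 19:
        return {"status": "malformed"}
    neg_type, _flags, length = struct.unpack("<BBH", data[11:15])
    value = struct.unpack("<I", data[15:19])[0]
    if length != 8:
        return {"status": "malformed"}
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"status": "accepted", "selected_protocol": value,
                "nla": value == PROTOCOL_HYBRID}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"status": "refused", "failure_code": value,
                "reason": FAILURE_CODES.get(value, "UNKNOWN"), "nla_enforced": value == 5}
    return {"status": "malformed"}


def assess(result: dict) -> str:
    """Operator verdict for a probe that requested PROTOCOL_RDP only."""
    if result["status"] == "accepted" and not result["nla"]:
        return "EXPOSED: talks to unauthenticated clients (no NLA); patch or take offline"
    if result["status"] == "refused" and result["nla_enforced"]:
        return "NLA enforced: exploitation needs credentials, but the host still needs the patch"
    if result["status"] == "refused" and result["failure_code"] == 1:
        return "EXPOSED: TLS required but no NLA; pre-authentication path still reachable"
    return "unexpected response; inspect manually"


def probe_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> Optional[dict]:
    """One handshake probe. Returns None when the port is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(PROTOCOL_RDP))
            data = s.recv(64)
    except OSError:
        return None
    return parse_connection_confirm(data)


def sweep(cidr: str, port: int = 3389, timeout: float = 1.0) -> Iterator[Tuple[str, dict]]:
    """Probe every host in a range you own; yields only hosts that answered on the port."""
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        res = probe_rdp(str(ip), port, timeout)
        if res is not None:
            yield str(ip), res


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Find RDP endpoints without NLA in your own ranges")
    ap.add_argument("cidr", help="range you are authorised to scan, e.g. 203.0.113.0/24")
    for ip, res in sweep(ap.parse_args().cidr):
        print(f"{ip}: {assess(res)}")
```

Run it against one of your public ranges and treat every "EXPOSED" line as a host to pull from the edge until it is patched. The probe deliberately asks for PROTOCOL_RDP alone rather than the usual client mix, because a server that merely prefers NLA will still happily downgrade when offered only the legacy option; only a server that refuses with failure code 5 is actually enforcing it.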