The infamous BlueKeep RDP vulnerability has been found exploited in the wild in a new cyberattack that mass-compromises vulnerable systems for cryptocurrency mining.
Microsoft released a patch for a highly critical remote code execution flaw, named BlueKeep, in its Windows Remote Desktop Services. The flaw can be exploited remotely to take total control of a vulnerable system just by sending specially crafted requests over RDP.
BlueKeep, tracked as CVE-2019-0708, is a wormable vulnerability: malware can weaponize it to propagate automatically from one vulnerable computer to another without any interaction from the victim.
Because BlueKeep is such a serious threat, Microsoft and even government agencies encouraged Windows users and admins to apply the security patches before attacks began.
Several security firms and individual cybersecurity researchers who had developed fully working BlueKeep exploits decided not to publish them, because more than 1 million systems were still found to be vulnerable even after the patches were released.
As a result, it took amateur hackers almost six months to come up with a BlueKeep exploit, and the one now in use is still unreliable and doesn't even have a wormable component.
BlueKeep Exploit Spreads Cryptocurrency Malware
The BlueKeep exploitation was first suspected by Kevin Beaumont when several of his EternalPot RDP honeypot systems suddenly crashed and rebooted.
Marcus Hutchins, the researcher who helped stop the WannaCry ransomware outbreak in 2017, analysed the crash dumps shared by Beaumont and confirmed “BlueKeep artifacts in memory and shellcode to drop a Monero Miner.”
Hutchins stated in his blog post that the segment in crash dumps points to executable shellcode. The exploit contains encoded PowerShell commands as the initial payload, which then eventually downloads the final malicious executable binary from a remote attacker-controlled server and executes it on the targeted systems.
According to Google’s VirusTotal malware scanning service, the malicious binary is cryptocurrency malware that mines Monero (XMR) using the computing power of infected systems to generate cash.
Hutchins also confirmed that the malware spread by this BlueKeep exploit is not a worm: it does not spread itself from one system to another.
Instead, the attackers appear to be scanning the Internet for vulnerable systems first and then exploiting them.
It is important to note that the flaw has not yet been exploited at a larger scale, like the WannaCry or NotPetya wormable attacks.
But it is not clear how many BlueKeep-vulnerable Windows systems have been compromised in the latest cyberattacks to deploy the Monero miner in the wild.
All users still running BlueKeep-vulnerable Windows systems are advised to apply the patch.
If an organization cannot patch the vulnerability soon, it should apply the following mitigations:
- Disable RDP services, if not required.
- Block port 3389 using a firewall or make it accessible only over a private VPN.
- Enable Network Level Authentication (NLA) – this is a partial mitigation that prevents an unauthenticated attacker from exploiting this wormable flaw.
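The following PowerShell script is an added example, not code from the article or from any of the researchers it quotes. It audits a single Windows host for the three mitigations listed above (RDP enabled, NLA required, inbound firewall exposure of TCP/3389) and can apply them. It assumes an elevated session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), that the default RDP-Tcp listener is the one in use, and that the firewall profile's default inbound action is Block, so that scoping the built-in "Remote Desktop" rules to a VPN range is enough to hide the port from everyone else. The VPN range in the usage lines is a constructed placeholder; patching remains the actual fix.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and apply the BlueKeep interim mitigations on one host.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'   # default RDP listener (assumption)

function Get-RdpMitigationState {
    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Enabled inbound allow rules for TCP/3389 whose remote scope is 'Any' expose the port to the Internet.
    $openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            ($pf.Protocol -eq 'TCP') -and
            (($pf.LocalPort -contains '3389') -or ($pf.LocalPort -eq 'Any')) -and
            ($af.RemoteAddress -eq 'Any')
        }

    $defaultInbound = (Get-NetFirewallProfile | Select-Object -ExpandProperty DefaultInboundAction) -join ','

    [pscustomobject]@{
        RdpEnabled             = ($deny -ne 1)
        NlaRequired            = ($nla -eq 1)
        Port3389OpenToAny      = @($openRules | Select-Object -ExpandProperty DisplayName)
        ProfileDefaultInbound  = $defaultInbound
    }
}

function Set-RdpMitigation {
    param(
        [switch]$DisableRdp,               # Mitigation 1: turn Remote Desktop off entirely
        [string[]]$AllowedRemoteAddress,   # Mitigation 2: only these ranges (e.g. the VPN subnet) may reach 3389
        [switch]$RequireNla                # Mitigation 3: require NLA on the RDP-Tcp listener
    )

    if ($DisableRdp) {
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
        Write-Host 'Remote Desktop disabled and its firewall rules turned off.'
    }

    if ($AllowedRemoteAddress) {
        # Scope the built-in inbound rules instead of adding a Block rule: in Windows Firewall a
        # Block rule always wins over an Allow rule, so "block all + allow VPN" would block the VPN too.
        # This relies on the profile default inbound action being Block (checked below).
        $profiles = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
        if ($profiles) {
            Write-Warning ("Default inbound action is not Block on: " + ($profiles.Name -join ', ') +
                           ". Scoping the RDP rules will not hide 3389 until that is fixed.")
        }
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
        Write-Host ("Inbound RDP rules restricted to: " + ($AllowedRemoteAddress -join ', '))
    }

    if ($RequireNla) {
        Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
        Write-Host 'NLA required; applies to new connections to the RDP-Tcp listener.'
    }
}

# Usage (the 10.8.0.0/24 range is a constructed placeholder for a private VPN subnet):
#   Get-RdpMitigationState
#   Set-RdpMitigation -RequireNla -AllowedRemoteAddress '10.8.0.0/24'
#   Set-RdpMitigation -DisableRdp      # if RDP is not needed on this host at all
```

Run `Get-RdpMitigationState` first; a result with `RdpEnabled` true, `NlaRequired` false and a non-empty `Port3389OpenToAny` list describes exactly the exposure the scanning described above is looking for. Note that NLA only blocks unauthenticated exploitation; an attacker holding valid credentials can still reach the vulnerable code path, which is why the article calls it a partial mitigation.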