BlueKeep Attacks Have Arrived, Are Initially Underwhelming

The first attacks that exploit the zero-day Windows vulnerability install cryptominers and scan for targets rather than a worm with WannaCry potential.

The wave of BlueKeep attacks that security experts predicted could take down systems globally has arrived, but it is not taking the form, nor having the destructive impact, that experts initially feared.

Security researchers have seen evidence of the first wave of attacks on the zero-day Windows Remote Desktop vulnerability revealed by Microsoft in May. At the time, experts said BlueKeep posed a threat to millions of internet-connected systems, with the capability to spread as an automated worm from computer to computer, including nearly 1 million endpoints connected to the Internet of Things (IoT).

So far, BlueKeep has not lived up to this promise, nor has the vulnerability surfaced in the form of a worm. Instead, initial attacks install a cryptocurrency miner on an infected system, using processing power to generate cryptocurrency, according to reports.

Moreover, rather than a worm that spreads automatically and quickly, attackers have paired the vulnerability with scans of the Internet for vulnerable machines to exploit, researchers said.

British cybersecurity expert Kevin Beaumont tweeted about the first wave of attacks Sunday after noticing that a series of Remote Desktop Protocol (RDP) honeypots—machines set up as malware bait to help researchers detect and analyze outbreaks—started crashing simultaneously.

Beaumont alerted Kryptos Logic security researcher Marcus Hutchins, who analyzed the “crash dump” and verified BlueKeep activity. “After some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner,” Hutchins, who goes by the username MalwareTech, tweeted.

Hutchins is known as the researcher who finally found the way to kill the 2017 WannaCry ransomware outbreak, which infected more than 200,000 machines in 150 countries, caused billions of dollars in damages, and hamstrung global business. He later pleaded guilty to charges related to the creation of the Kronos malware.

Researchers first revealed BlueKeep and its potentially catastrophic power in May, after Microsoft patched it as part of its Patch Tuesday update that month. The vulnerability was identified as a critical remote code-execution flaw in Remote Desktop Services impacting older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008.

Microsoft issued a stern warning to users to patch vulnerable systems at the time, noting BlueKeep’s potential to wreak as much havoc as WannaCry.

Indeed, a number of proof-of-concept exploits followed the discovery of the vulnerability, one showing a doomsday scenario in which an attacker took complete control of someone’s machine in a mere 22 seconds.

Other exploits followed, including one developed by the Department of Homeland Security that took advantage of the vulnerability on a Windows 2000 machine—a version of the OS not included in Microsoft’s original alert.

Fortunately, the first attacks exploiting BlueKeep show none of the vulnerability’s destructive potential, but this doesn’t mean security administrators can rest easy just yet. This lackluster initial performance may say more about the attackers’ lack of sophistication than about the nature of the vulnerability itself, observers noted.

“Feel sorry for the #bluekeep malware authors: Imagine if cryptomining was the best thing you could come up with,” a computer emergency response team (CERT) employee at a public financial institution called James Attack tweeted, along with a meme of celebrity musician Taylor Swift gesturing the letter “L” on her forehead for “loser.”

Indeed, since security researchers have already demonstrated BlueKeep’s potential, it is only a matter of time before someone with bad intentions exploits the vulnerability to its full potential now that the attack floodgates are open.
