MICROSOFT IS URGING users to patch out-of-date Windows systems as a matter of urgency after noticing a spike in BlueKeep exploit attempts.
"Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines," the Microsoft Defender ATP Research Team said in a blog post.
According to researchers, the BlueKeep attacks reported earlier this month by security researcher Kevin Beaumont were connected with a coin mining campaign that was first noticed in September and used the same command-and-control servers to carry out attacks on vulnerable systems.
In a post published on 3 November, Beaumont reported that a "worldwide honeypot network" he had built to detect the development of BlueKeep exploits had experienced crashes.
Beaumont said that the first crash occurred on 23 October, and then all remaining honeypots (except in Australia) also crashed.
Another security researcher, Marcus Hutchins (also known as MalwareTech), confirmed that BlueKeep exploit attacks were underway.
Microsoft security researchers collaborated with Beaumont and Hutchins to investigate the crashes and found that they were caused by a BlueKeep exploit module.
Microsoft said it had deployed a behavioural detection system for the BlueKeep Metasploit module in early September. The company noticed that starting on 6 September, RDP service crashes increased from 10 to 100 per day. A similar spike in memory corruption crashes was also noticed, starting on 9 October.
BlueKeep is a wormable remote code execution vulnerability in Remote Desktop Services affecting Windows XP, Windows 7, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows Server 2008 R2. Indexed as CVE-2019-0708, the vulnerability is pre-authentication, meaning an attacker needs no valid credentials to reach the flawed code over RDP, and it requires no user interaction.
Because it is wormable, malware exploiting the vulnerability can spread from one vulnerable system to another on its own, again without any user interaction.
The risk associated with BlueKeep led Microsoft to release a patch for the long-unsupported Windows XP on 14 May, one of its rare fixes for an out-of-support system. Even so, almost one million internet-facing Windows systems were still vulnerable to BlueKeep as of May 2019.
The attacks launched earlier this month did not deploy any wormable malware. Instead, the threat actors scanned the internet for exposed RDP services and attacked unpatched systems one at a time, first running the BlueKeep exploit and then dropping the cryptocurrency miner.
According to Microsoft, this is just the beginning, and the worst is yet to come.
The attackers will eventually refine their attacks, and will use the BlueKeep exploit to deliver payloads much more damaging than coin miners, the researchers warned.
BlueKeep will continue to be a threat "as long as systems remain unpatched" and "overall security posture is not kept in check," according to Microsoft.
"Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised."
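A quick way to act on that advice is to check each host's patch state and RDP exposure before any forensic inspection. The script below is an added example written for this article; it is not Microsoft's or Beaumont's code. It assumes the KB numbers listed are the May 2019 fixes for the affected releases (verify them against Microsoft's CVE-2019-0708 advisory) and uses only cmdlets that exist in PowerShell 2.0, since many affected hosts run nothing newer.

```powershell
# Added example (not from the article or from Microsoft): triage a host for
# BlueKeep (CVE-2019-0708) exposure. KB numbers are assumptions; confirm them
# against the MSRC advisory before relying on this in production.
$bluekeepKBs = @(
    'KB4499175', # Windows 7 SP1 / Server 2008 R2 security-only update (assumed)
    'KB4499164', # Windows 7 SP1 / Server 2008 R2 monthly rollup (assumed)
    'KB4499180', # Windows Vista / Server 2008 security-only update (assumed)
    'KB4499149', # Windows Server 2008 monthly rollup (assumed)
    'KB4500331'  # Windows XP / Server 2003 out-of-support fix (assumed)
)

# Get-WmiObject rather than Get-CimInstance so this runs on PowerShell 2.0 (XP/2003).
$os      = Get-WmiObject Win32_OperatingSystem
$version = [version]$os.Version
# Affected kernels: NT 5.1 (XP), 5.2 (2003), 6.0 (Vista/2008), 6.1 (7/2008 R2).
# Anything from 6.2 (Windows 8 / Server 2012) upward is not affected.
$affectedBranch = $version -lt [version]'6.2'

# Get-HotFix lists installed updates by KB id; it can miss updates applied
# outside Windows Update, so treat "not found" as "check manually", not "safe".
$installed = Get-HotFix | Where-Object { $bluekeepKBs -contains $_.HotFixID }

# fDenyTSConnections = 0 means the RDP listener is enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required.
# NLA forces a logon before the vulnerable channel-handling code is reached,
# so it blocks unauthenticated exploitation but not an attacker with credentials.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaEnabled = ($rdpTcp.UserAuthentication -eq 1)

# New-Object PSObject rather than [pscustomobject] for PowerShell 2.0 compatibility.
$report = New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    OSVersion      = $os.Version
    AffectedBranch = $affectedBranch
    PatchFound     = [bool]$installed
    PatchIDs       = (@($installed | ForEach-Object { $_.HotFixID }) -join ',')
    RDPEnabled     = $rdpEnabled
    NLAEnabled     = $nlaEnabled
    # Unauthenticated, wormable exposure: affected build, no fix seen, listener on, no NLA.
    ExposedPreAuth = ($affectedBranch -and -not $installed -and $rdpEnabled -and -not $nlaEnabled)
    # Still exploitable by anyone holding valid credentials until patched.
    ExposedPostAuth = ($affectedBranch -and -not $installed -and $rdpEnabled)
}
$report | Format-List
```

Run it as an administrator on each candidate host (or push it through your remote execution tool of choice). A host reporting ExposedPreAuth = True during the crash spike described above is exactly the kind of machine Microsoft is asking customers to inspect for an existing miner or other payload, not just to patch.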