First mass BlueKeep ‘exploitation’ spotted in the wild

First Cyber Attack ‘Mass Exploiting’ BlueKeep RDP Flaw Spotted in the Wild. Security researchers have spotted the first mass-hacking campaign that uses the BlueKeep exploit; the attack aims to install a cryptocurrency miner on the infected systems.

In May, Microsoft warned users to update their systems to address the remote code execution vulnerability dubbed BlueKeep, and the National Security Agency (NSA) also urged Windows users and administrators to install security updates to address the BlueKeep flaw. In June the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS also issued an alert for the same issue.

The vulnerability, tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and was patched by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that could be used by malware authors to create malicious code with WannaCry-like capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities; it can be triggered without user interaction, making it possible for malware to spread in an uncontrolled way through the target networks. Now, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team in September to hack into unpatched Windows systems and install a cryptocurrency miner.

According to the experts, this is the first attempt to use the BlueKeep vulnerability in mass-hacking attacks. In the last months, many security experts have developed their own exploit code without publicly sharing it, for obvious reasons. Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.
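The two mitigations named above can be audited on a single host with the added example below; it is not code from the article or from any of the researchers mentioned. It reads the RDP settings from the registry keys Windows uses for Remote Desktop (assumed to be present, as they are on Windows 7 and later), checks whether anything is still listening on the RDP port, and the function names are my own.

```powershell
# Added example: audit one Windows host for the BlueKeep mitigations the
# article describes, NLA enforced and TCP 3389 not exposed.
# Assumes an elevated PowerShell session on Windows 7 / Server 2008 or later.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $rdpEnabled = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required before a session is created,
    # which is what stops unauthenticated pre-session traffic from reaching RDS.
    $nla = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication).UserAuthentication -eq 1
    # PortNumber confirms whether the service is still on the default 3389.
    $port = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    # Is anything listening on that port right now? netstat exists on Windows 7 too.
    $listening = [bool](netstat -ano | Select-String -Pattern ":$port\s+\S+\s+LISTENING")
    [pscustomobject]@{
        RdpEnabled  = $rdpEnabled
        NlaRequired = $nla
        RdpPort     = $port
        Listening   = $listening
    }
}

function Enable-Nla {
    # Enforce NLA, the mitigation the article names for Windows 7 / Server 2008.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
}

$state = Get-RdpExposure
$state | Format-List
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'RDP is enabled without NLA; run Enable-Nla or disable RDP until the host is patched.'
}
if ($state.Listening) {
    Write-Warning "TCP $($state.RdpPort) is listening; block it at the host or perimeter firewall unless RDP is required."
}
```

The report is advisory only: the script changes nothing unless Enable-Nla is called explicitly, and patching remains the actual fix.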

Security experts warned that it was only a matter of time before threat actors would start exploiting it in the wild, and now it is happening. The researcher Zǝɹosum0x0 announced that he had developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw. The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008 systems, but the expert did not publicly disclose it at the time to avoid threat actors abusing it.

After the disclosure of the flaw, the popular expert Robert Graham scanned the Internet for at-risk systems. He discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan. The popular expert Kevin Beaumont observed some of his EternalPot RDP honeypots crashing after being attacked.

The popular expert Marcus Hutchins analyzed the scan data shared by Beaumont and confirmed that the honeypot systems were hit by attackers leveraging the BlueKeep exploit to deliver a Monero miner.
“Kevin kindly shared the crash dump with us and, following this lead, we discovered the sample was being used in a mass exploitation attempt. Due to smaller size kernel dumps being enabled, it is difficult to arrive at a definite root cause.

“Finally, we confirm these points to impervious shellcode. At this point, we can declare valid BlueKeep exploitation attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep Metasploit module!”

The code includes a sequence of encoded PowerShell commands that make up the attack chain; the final payload is an executable binary, a Monero miner, downloaded from a remote server and executed on the targeted systems. Hutchins pointed out that the malicious code involved in the massive attack does not implement self-spreading capabilities.

Currently, there is no news about the extent of this attack; it is unclear how many Windows systems have been compromised.

“Although this so-called activity is concerning, the information security community (correctly) predicted much worse potential scenarios. Based on data we are not seeing a spike in not-selective scanning on the at-risk port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack,” concludes the expert. “It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.”
