Windows 'BlueKeep' Attack #Windows_Attack
Windows ‘BlueKeep’ Attack That U.S. Government Warned About Is Happening Right Now
When Microsoft issued the first patch in years for Windows XP in May 2019, you knew that something big was brewing. That something was a wormable Windows vulnerability that security experts warned could have a similar impact to the WannaCry worm from 2017. The BlueKeep vulnerability exists in unpatched versions of Windows Server 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2: and it’s now been confirmed that a BlueKeep exploit attack is currently ongoing.
A little bit of BlueKeep history
BlueKeep, a vulnerability found in older versions of Microsoft Corp.’s Remote Desktop Protocol, has been spotted for the first time being used in the wild as part of a new hacking campaign.
The campaign was detected via Honeypots, a decoy computer system for detecting hacking campaigns set up to detect a BlueKeep attack by security researcher Kevin Beaumont.
BlueKeep, discovered in May, involves a flaw in Microsoft RDP that allows unauthorized access to computers running Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. Later versions of Windows, 8 and 10 alike, are not affected.
Microsoft took the rare action of issuing updates for the older, unsupported systems May 14 because of the severity the vulnerability presented to servers and other computers still running older Windows versions. The vulnerability is considered so severe that the U.S. National Security Agency issued a cybersecurity advisory on BlueKeep in June.
As of July, about 800,000 systems were believed to remain vulnerable to BlueKeep, with the number having dropped 17% since Microsoft issued the patch in May. It’s likely that a good 500,000 systems, possibly more, could remain exposed to BlueKeep today.
Microsoft twice warned users to update vulnerable Windows systems, first on May 14, and then again with even more urgency on May 30. Those warnings appeared to go unheeded in enough numbers to warrant an escalation on the update alerts. On June 4, the National Security Agency (NSA) took the unusual step of publishing an advisory urging Microsoft Windows administrators to update their operating system or risk a "devastating" and "wide-ranging impact" in the face of a growing threat. This warning was given even more gravitas on June 17 when the U.S. Government, via the Cybersecurity and Infrastructure Security Agency (CISA), issued an "update now" activity alert. At much the same time, security researchers were predicting that a "devastating" BlueKeep exploit was only weeks away.
The Windows BlueKeep exploit attack
Hutchins told Wired that "BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale."
It would appear that rather than a wormable threat, where the BlueKeep exploit could spread itself from one machine to another, the attackers are searching for vulnerable unpatched Windows systems that have Remote Desktop Services (RDP) 3389 ports exposed to the internet. This dampens the panic that there could be another WannaCry about to happen, although the potential for such a scenario, albeit on a much smaller scale, certainly remains. For now though, this looks like being an attack campaign with a cryptocurrency miner payload.
Security researchers, including Kevin Beaumont who originally named the vulnerability and Marcus Hutchins (also known as MalwareTech) who was responsible for hitting the kill switch that stopped the WannaCry attack, have confirmed that a widespread BlueKeep exploit attack is now currently underway.
BlueKeep exploit attack mitigation
Seriously folks, if you are using one of the vulnerable versions of Windows, then what more is it going to take to get you to apply the update that fixes the BlueKeep vulnerability? I'd have thought that a wormable exploit, even if it hasn't been "wormed" on this occasion, that vampires your system resources or crashed your machine was warning enough. But, hey, what do I know?
While there is always the possibility that the threat actors behind this attack could drop more malicious payloads than a crypto-miner, for now, this acts as yet another warning for users of the 700,000 or so still vulnerable Windows systems to get patching. Cryptocurrency miners are resource hogs at best, and a roadmap that further malware installations could follow. In the case of this attack, though, there's another problem to be aware of: the exploit code isn't all that. It would appear that the attackers are using the demo exploit code released by the Metasploit team at Rapid7 in September 2019, but without enough coding skills to get this to work without it causing a Blue Screen of Death (BSOD) error.