BlueKeep, a vulnerability found in older versions of Microsoft Corp.’s Remote Desktop Protocol, has been spotted for the first time being used in the wild as part of a new hacking campaign.

The campaign was detected via Honeypots, a decoy computer system for detecting hacking campaigns set up to detect a BlueKeep attack by security researcher Kevin Beaumont.

BlueKeep, discovered in May, involves a flaw in Microsoft RDP that allows unauthorized access to computers running Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. Later versions of Windows, 8 and 10 alike, are not affected.

Microsoft took the rare action of issuing updates for the older, unsupported systems May 14 because of the severity the vulnerability presented to servers and other computers still running older Windows versions. The vulnerability is considered so severe that the U.S. National Security Agency issued a cybersecurity advisory on BlueKeep in June.

As of July, about 800,000 systems were believed to remain vulnerable to BlueKeep, with the number having dropped 17% since Microsoft issued the patch in May. It’s likely that a good 500,000 systems, possibly more, could remain exposed to BlueKeep today.

Although the emergence of hackers using BlueKeep to target vulnerable systems is concerning, the attack isn’t as bad as it could have been. Instead of deploying a worm to target systems, a self-propagating method, those behind the attack are searching for unpatched Windows systems with the RDP ports exposed for specific targeting.

Update: according to netflow it doesn't appear to be self propagating, I assume a list of vulnerable IPs are being fed to a server which performs the exploitation.

— MalwareTech (@MalwareTechBlog) November 3, 2019

The attackers are also not trying to compromise data on vulnerable systems seriously either but are instead installing cryptomining software.

One risk is that having gained access to unpatched systems, the hackers could easily install other, more malicious software. The other risk, now that BlueKeep has been used in the wild, is that others may seek to take the code used as a base for more involved campaigns, including deploying it as a self-propagating worm. The risk of BlueKeep being used in a worm is a repeat of attacks like WannaCry.

“Microsoft engineers were terrified that BlueKeep would trigger another world-spanning malware outbreak that spread on its own, from unpatched system to unpatched system,” ZDNet reported.

Speaking to SiliconANGLE theCUBE in August, Tony Giandomenico, senior security strategist and researcher at FortiGuard Labs, warned that a worm using BlueKeep could open the door to a larger attack. Giandomenico noted that malicious code installed on vulnerable servers could then spread to millions of internet-connected devices without needing a username or password.

The advice, as always, is to make sure servers are up to date with security patches. In this case, anyone using older versions of Windows should, if they haven’t already, install the BlueKeep patch.

Photo: U.S. Air Force