UPDATED 20:49 EST / NOVEMBER 03 2019

SECURITY

Attack targeting Microsoft RDP ‘BlueKeep’ vulnerability spotted in the wild

BlueKeep, a vulnerability found in older versions of Microsoft Corp.’s Remote Desktop Protocol, has been spotted for the first time being used in the wild as part of a new hacking campaign.

The campaign was detected via Honeypots, a decoy computer system for detecting hacking campaigns set up to detect a BlueKeep attack by security researcher Kevin Beaumont.

BlueKeep, discovered in May, involves a flaw in Microsoft RDP that allows unauthorized access to computers running Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. Later versions of Windows, 8 and 10 alike, are not affected.

Microsoft took the rare action of issuing updates for the older, unsupported systems May 14 because of the severity the vulnerability presented to servers and other computers still running older Windows versions. The vulnerability is considered so severe that the U.S. National Security Agency issued a cybersecurity advisory on BlueKeep in June.

As of July, about 800,000 systems were believed to remain vulnerable to BlueKeep, with the number having dropped 17% since Microsoft issued the patch in May. It’s likely that a good 500,000 systems, possibly more, could remain exposed to BlueKeep today.

Although the emergence of hackers using BlueKeep to target vulnerable systems is concerning, the attack isn’t as bad as it could have been. Instead of deploying a worm to target systems, a self-propagating method, those behind the attack are searching for unpatched Windows systems with the RDP ports exposed for specific targeting.

The attackers are also not trying to compromise data on vulnerable systems seriously either but are instead installing cryptomining software.

One risk is that having gained access to unpatched systems, the hackers could easily install other, more malicious software. The other risk, now that BlueKeep has been used in the wild, is that others may seek to take the code used as a base for more involved campaigns, including deploying it as a self-propagating worm. The risk of BlueKeep being used in a worm is a repeat of attacks like WannaCry.

“Microsoft engineers were terrified that BlueKeep would trigger another world-spanning malware outbreak that spread on its own, from unpatched system to unpatched system,” ZDNet reported.

Speaking to SiliconANGLE theCUBE in August, Tony Giandomenico, senior security strategist and researcher at FortiGuard Labs, warned that a worm using BlueKeep could open the door to a larger attack. Giandomenico noted that malicious code installed on vulnerable servers could then spread to millions of internet-connected devices without needing a username or password.

The advice, as always, is to make sure servers are up to date with security patches. In this case, anyone using older versions of Windows should, if they haven’t already, install the BlueKeep patch.

Photo: U.S. Air Force

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU