UPDATED 20:49 EDT / NOVEMBER 03 2019

SECURITY

Attack targeting Microsoft RDP ‘BlueKeep’ vulnerability spotted in the wild

BlueKeep, a vulnerability found in older versions of Microsoft Corp.’s Remote Desktop Protocol, has been spotted for the first time being used in the wild as part of a new hacking campaign.

The campaign was detected via honeypots, decoy computer systems for detecting hacking campaigns, which security researcher Kevin Beaumont had set up specifically to catch a BlueKeep attack.

BlueKeep, discovered in May, involves a flaw in Microsoft RDP that allows unauthorized access to computers running Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. Later versions of Windows, Windows 8 and Windows 10 alike, are not affected.

Microsoft took the rare action of issuing updates for the older, unsupported systems May 14 because of the severity the vulnerability presented to servers and other computers still running older Windows versions. The vulnerability is considered so severe that the U.S. National Security Agency issued a cybersecurity advisory on BlueKeep in June.

As of July, about 800,000 systems were believed to remain vulnerable to BlueKeep, with the number having dropped 17% since Microsoft issued the patch in May. It’s likely that a good 500,000 systems, possibly more, could remain exposed to BlueKeep today.

Although the emergence of hackers using BlueKeep to target vulnerable systems is concerning, the attack isn’t as bad as it could have been. Instead of deploying a worm, a self-propagating method, to target systems, those behind the attack are scanning for unpatched Windows systems with RDP ports exposed and targeting them individually.

The attackers also aren’t making a serious attempt to compromise data on vulnerable systems; instead, they are installing cryptomining software.

One risk is that, having gained access to unpatched systems, the hackers could easily install other, more malicious software. The other risk, now that BlueKeep has been used in the wild, is that others may take the code used as a base for more involved campaigns, including deploying it as a self-propagating worm. A BlueKeep worm would risk a repeat of attacks like WannaCry.

“Microsoft engineers were terrified that BlueKeep would trigger another world-spanning malware outbreak that spread on its own, from unpatched system to unpatched system,” ZDNet reported.

Speaking to SiliconANGLE’s theCUBE in August, Tony Giandomenico, senior security strategist and researcher at FortiGuard Labs, warned that a worm using BlueKeep could open the door to a larger attack. Giandomenico noted that malicious code installed on vulnerable servers could then spread to millions of internet-connected devices without needing a username or password.

The advice, as always, is to make sure servers are up to date with security patches. In this case, anyone using older versions of Windows should, if they haven’t already, install the BlueKeep patch.

Photo: U.S. Air Force
