The BlueKeep remote code execution vulnerability in the Windows Remote Desktop Services is currently exploited in the wild. Vulnerable machines exposed to the web are apparently compromised for cryptocurrency mining purposes.
The attempts have been recorded by honeypots that expose only port 3389, specific for remote assistance connections via the Remote Desktop Protocol (RDP).
Attacks are not wormable
Security researcher Kevin Beaumont noticed on Saturday that multiple honeypots in his EternalPot RDP honeypot network started to crash and reboot. They’ve been active for almost half a year and this is the first time they came down. For some reason, the machines in Australia did not crash, the researcher noted in a tweet.
First details about BlueKeep being the cause of these events came from MalwareTech, who investigated the crash dumps from Beaumont’s machines. He said that he “found BlueKeep artifacts in memory and shellcode to drop a Monero Miner.”
According to early analysis from MalwareTech, an initial payload runs an encoded PowerShell command that downloads a second PowerShell script, also encoded. The researcher says that the final payload is a cryptocurrency miner, likely for Monero, currently detected by 25 out of 68 antivirus engines on the VirtusTotal scanning platform.
Talking to BleepingComputer, the researcher said that the malware may not be a worm but it is mass-exploiting the BlueKeep bug. This indicates that the cybercriminals are using a BlueKeep scanner to find vulnerable systems exposed on the web and drop the cryptocurrency miner on them.
In an update, MalwareTech says that analysis of the network traffic does not indicate self-propagation, meaning that the server doing the exploitation gets the target IP addresses from a predefined list.
Update: according to netflow it doesn’t appear to be self propagating, I assume a list of vulnerable IPs are being fed to a server which performs the exploitation.8910:28 PM – Nov 2, 2019Twitter Ads info and privacy23 people are talking about this
It is likely that whoever is behind these attacks is using public resources and did not develop a reliable, wormable threat, as proved by Beaumont’s honeypot crashes.
A combination of cryptocurrency miner and a BlueKeep scanner was reported in July in a piece of malware called Watchbog, which typically focused on vulnerable Linux servers.
At the time, cybersecurity company Intezer said that integrating the scanner module for the RDP vulnerability alongside the Linux exploits “suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit.”
MalwareTech told us that the indicators of compromise Intezer provided for Watchbog do not seem to match the malware currently hitting machines vulnerable to BlueKeep.
These assaults generated over 26 million events on Beaumont’s honeypot infrastructure, which makes determining the indicators of compromise a more time consuming task. However, the researcher promised to sort through them for the relevant sequence and provide the data.
Brief BlueKeep history
BlueKeep (CVE-2019-0708) is a serious vulnerability that can allow malware to spread across connected systems without user intervention. Microsoft patched it on May 14, followed by a barrage of alerts about its severity from governments and security companies, some reiterating their concern.
Exploiting this RDP flaw for remote code execution (RCE) is not easy and the most common result of this endeavor is a crash of the target system. Security researchers that created a working exploit kept the details private to delay attackers creating their version and compromise still unpatched systems.
Two private exploit modules were developed in June and July, for Metasploit and CANVAS penetration testing tools. Both were hard to get as the former was private and the latter was delivered to subscribers that paid at least $32,480.
At the enterprise level, the worldwide update rate was 83% in June. However, this statistic did not count consumer machines. This suggests that the cybercriminals are likely hitting consumer computers.
The vulnerability does not affect all versions of Windows operating system. Microsoft’s advisory lists Windows 7, Windows Server 2008 R2, and Windows Server 2008
By Ionut Ilascu