Security researchers have spotted the first mass-hacking campaign exploiting the BlueKeep exploit, the attack aims at installing a
In May, Microsoft warned users to update their systems to address the remote code execution vulnerability dubbed BlueKeep, A few days later, the National Security Agency (NSA) also urged Windows users and administrators to install security updates to address
In June the
The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.
As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.
Instead, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team back in September to hack into
According to the experts, this is the first attempt to exploit the BlueKeep RDP vulnerability in mass-hacking attacks.
Over the last months, many security experts have developed their own exploit code for this issue without publicly disclosing it for obvious reasons.
Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.
Security experts warned it was a matter of time before threat actors will start exploiting it in the wild and now it is happening. The researcher Zǝɹosum0x0 announced to have has developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw.
The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008, but the expert has not publicly disclosed it to avoid threat actors abusing it.
After the disclosure of the flaw, the popular expert Robert Graham scanned the Internet for vulnerable systems. He discovered more than 923,000 potentially vulnerable devices using the
Yesterday, the popular expert Kevin Beaumont observed some of its EternalPot RDP
The popular expert Marcus Hutchins analyzed data shared by Beaumont and confirmed that attacks the
“Kevin kindly shared the crash dump with us and following this lead, we discovered the sample was being used in a mass exploitation attempt. Due to only smaller size kernel dumps being enabled, it is difficult to arrive at a definite root cause.” reads a blog post published by Hutchins.
“Finally, we confirm this segment points to executable shellcode. At this point we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep metasploit module!”
The exploit code
Hutchins pointed out that the malicious code involved in the massive attack
Currently there is no news about the extent of this attack, it’s unclear how many Windows systems have been compromised with the Monero miner.
“Although this alleged activity is
(SecurityAffairs – hacking, BlueKeep)