Back in May 2019, Microsoft revealed details about a severe hackable flaw that exists in the Remote Desktop Protocol (RDP) in Windows OS. The BlueKeep bug can enable an automated worm to spread malware and an estimated 1 million devices are vulnerable to this flaw.
It seemed like a matter of time before someone unleashed a global attack and as predicted, BlueKeep has finally struck. However, it isn’t as severe as feared.
The first instance of the BlueKeep exploit was spotted by security researcher Kevin Beaumont. He detected the BlueKeep attack via Honeypots — a decoy computer system for detecting hacking campaigns.
The initial attack came from a “low-level actor” who appeared to have scanned the internet and infected vulnerable systems with a cryptocurrency miner. So far, there have been no signs of data-stealing or wipeout, no automatic spreading or signs of ‘wormable’ action.
The same has been confirmed by other security researchers such as Jake Williams and Marcus Hutchins (also known as ‘MalwareTech’ on Twitter) who hit a kill switch that stopped WannaCry.
It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner. https://t.co/7G88YAW5lr
— MalwareTech (@MalwareTechBlog) November 2, 2019
FWIW, re:#BlueKeep we're seeing a small uptick in 3389 related traffic at the @RenditionSec SOC, but not consistent with a worm. I would guess either:
1. It's not a worm
2. Enough machines have been patched or the exploit is too unreliable for a worm to reach critical mass
— Jake Williams (@MalwareJake) November 2, 2019
Even though the flaw hasn’t hit “critical mass” yet, that doesn’t rule out the possibility of a more serious BlueKeep attack. As of August 2019, about 735,000 computers were still vulnerable to the BlueKeep vulnerability, according to Errata Security.
Fortunately, the opportunity for launching a large scale attack using BlueKeep is closing. Microsoft has already fixed some BlueKeep-style bugs targeting every major OS from Windows 7 to Windows 10 and as more time passes, it is likely that more people would have patched their PCs against it.