We return after months of silence to talk about BlueKeep, the vulnerability (CVE-2019-0708) that Microsoft fixed with patches released in May, because researchers have found the first campaign that exploits the flaw for malicious purposes. Its aim is to install a cryptominer on the victims' PCs.
BlueKeep and the cryptominer for Windows
A cryptominer is software that consumes the resources of the compromised system to mine cryptocurrency (Bitcoin or another coin) credited to the operators' wallets. The campaign ran for about two weeks (starting October 23) before being identified and disclosed by security researcher Kevin Beaumont, the same researcher who in the spring had coined the nickname BlueKeep for the flaw and pushed for attention to it.
huh, the EternalPot RDP honeypots have all started BSOD'ing recently. They only expose port 3389. pic.twitter.com/VdiKoqAwkr
– Kevin Beaumont (@GossiTheDog) November 2, 2019
Fortunately the attack does not have the proportions Microsoft feared when it compared the potential of the vulnerability to that of EternalBlue, the exploit that surfaced in 2017 and enabled the global spread of the WannaCry and NotPetya ransomware. The code seen so far has no worm component: it does not spread by itself from one infected system to another.
In any case the attack does not seem able to achieve its aim reliably: it is built on the exploit module that the Metasploit team published in September, which is not refined enough to deliver its payload without crashing the target, hence the blue screens Beaumont saw on his honeypots. That could change should someone manage to exploit the flaw more reliably.
The systems affected are Windows 7, Windows Server 2008 R2 and Windows Server 2008. Around 750,000 machines reachable from the Internet still appear to be exposed. As noted at the beginning, Microsoft released the fixes in May; where they cannot be applied, Microsoft's advisory also lists enabling Network Level Authentication (NLA) on RDP and not exposing port 3389 to the Internet as mitigations, since the flaw is reachable without credentials only when NLA is off.
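The quickest way to know whether one of the hosts counted above is yours is to check it locally. The following audit script is an added example written for this article, not code from Microsoft, Kevin Beaumont or the campaign; it reports whether Remote Desktop is enabled, whether NLA is required, whether anything listens on port 3389 and whether one of the May 2019 fixes is installed. The KB numbers it looks for are an assumption taken from Microsoft's advisory for CVE-2019-0708 rather than from this article; confirm them against the advisory for your build. It is written for the PowerShell 2.0 that ships with Windows 7 and Server 2008.

```powershell
# Added example (not from the article): audit a Windows 7 / Server 2008 (R2) host
# for its BlueKeep (CVE-2019-0708) exposure. Run from an elevated PowerShell prompt.

# Assumption: KB numbers of the May 2019 fixes, taken from Microsoft's advisory
# for CVE-2019-0708 (security-only update and monthly rollup for each OS).
$fixKbs = @('KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2 SP1
            'KB4499180', 'KB4499149')   # Windows Server 2008 SP2

$os     = Get-WmiObject -Class Win32_OperatingSystem
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is enabled.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 means Network Level Authentication is required, so the
# vulnerable pre-authentication code path cannot be reached without credentials.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# Any of the May 2019 fixes present in the installed-updates list.
$installed = Get-HotFix | Where-Object { $fixKbs -contains $_.HotFixID }

# Is the RDP listener actually up? netstat is used because Get-NetTCPConnection
# does not exist on these OS versions.
$listening = netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'

$report = New-Object -TypeName PSObject -Property @{
    Host            = $env:COMPUTERNAME
    OS              = $os.Caption
    RdpEnabled      = $rdpEnabled
    NlaRequired     = $nlaRequired
    ListeningOn3389 = [bool]$listening
    MayFixInstalled = (($installed | ForEach-Object { $_.HotFixID }) -join ',')
    # Exposed to the unauthenticated attack seen in this campaign: RDP on,
    # no NLA, and none of the May fixes found.
    Exposed         = ($rdpEnabled -and -not $nlaRequired -and (-not $installed))
}
$report | Format-List
```

Two caveats. A host that was fully updated after May may carry a later monthly rollup that supersedes the May one, in which case MayFixInstalled can be empty on a patched machine, so treat an empty value as "verify", not "vulnerable". And RdpEnabled only tells you the service accepts connections; whether port 3389 is reachable from the Internet is a question for your perimeter firewall, not for this script.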