After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign

Graham Cluley

Security researchers have confirmed that hackers are breaking into unpatched Windows computers using the BlueKeep vulnerability to install money-making cryptocurrency-mining code.

British researcher Kevin Beaumont raised the alarm this weekend, after discovering that BlueKeep honeypots he had set up (to act as an early alarm that the vulnerability was being exploited) began to crash and reboot themselves.

“I built a worldwide honeypot network to spot exploitation, which I called BluePot.”

“Since then it has been remarkably quiet. I’ve been keeping in contact with people at threat intelligence and anti-malware companies and, essentially, the protection built has been eerily quiet. That isn’t to say exploitation hasn’t happened — of course, advanced threat actors would absolutely look to leverage this — but there’s been a complete lack of data to suggest any kind of widespread exploitation.”


“That changed on October 23rd — one of the BlueKeep honeypots crashed and rebooted. Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity.”

Beaumont shared details of what had happened to his honeypots with Marcus Hutchins of Kryptos Logic, who determined that the attacks were using demo BlueKeep exploit code in an attempt to install a cryptominer onto unpatched Windows computers.

The good news is that the current attack appears to be flawed – crashing the computers it is attempting to infect rather than successfully installing the hackers’ code.

News first broke of the BlueKeep vulnerability earlier this year, when Microsoft took the unusual step of issuing patches for old versions of Windows which it no longer officially supports, and publishing reminders on its blog for users to take action.

At the time, it was reported that almost one million vulnerable PCs were connected to the internet, and potentially open to exploitation.

The threat was considered serious enough that the likes of the NSA urged administrators and users to patch vulnerable computers.

The NCSC, part of the UK’s GCHQ, which had privately reported the vulnerability to Microsoft in the first place, warned that BlueKeep “poses a serious threat” and recommended that organisations and individuals apply their security patches as soon as possible, fearing a re-run of the WannaCry ransomware outbreak.

It’s clear that things could be a lot worse with the current attack – so far the BlueKeep vulnerability is not being exploited to spread a worm like WannaCry, which caused particular problems for the UK’s National Health Service. But the fact that many computers are likely to still be unprotected against the flaw is a real cause for concern.

Make sure your computers, including your old legacy computers, are up-to-date with security patches.

For further discussion on the BlueKeep vulnerability be sure to check out this episode of the “Smashing Security” podcast that we recorded earlier this year:

Smashing Security #131: 'Zap yourself from the net, and patch now against BlueKeep'



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign”

  1. Gabriel

    Is it just me or do others when they see GCHQ automatically think Graham Cluley Headquarters, especially when reading his blog?

    1. coyote · in reply to Gabriel

      I don't think of one or the other – I think of both at the same time. That is here. Other places I think of the political (yes it is even if more than that) body.

  2. faithgrecia

    It would be good if a threat model is developed for identifying ransomware.
