Security researchers have confirmed that hackers are breaking into unpatched Windows computers using the BlueKeep vulnerability to install money-making cryptocurrency-mining code code.
British researcher Kevin Beaumont raised the alarm this weekend, after discovering that BlueKeep honeypots he had set up (to act as an early alarm that the vulnerability was being exploited) began to crash and reboot themselves.
I built a worldwide honeypot network to spot exploitation, which I called BluePot.
Since then it has been remarkably quiet. I’ve been keeping in contact with people at threat intelligence and anti-malware companies and, essentially, the protection built has been eerily quiet. That isn’t to say exploitation hasn’t happened — of course, advanced threat actors would absolutely look to leverage this — but there’s been a complete lack of data to suggest any kind of widespread exploitation.
That changed on October 23rd — one of the BlueKeep honeypots crashed and rebooted. Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity.
Beaumont shared details of what had happened to his honeypots with Marcus Hutchins of Kryptos Logic, who determined that the attacks were using demo BlueKeep exploit code in an attempt to install a cryptominer onto unpatched Windows computers.
The good news is that the current attack appears to be flawed – crashing the computers it is attempting to infect rather than successfully installing the hackers’ code.
News first broke of the BlueKeep vulnerability earlier this year, when Microsoft took the unusual step of issuing patches for old versions of Windows which it no longer officially supports, and publishing reminders on its blog for users to take action.
At the time, it was reported that almost one million vulnerable PCs were connected to the internet, and potentially open to exploitation.
The threat was considered serious enough that the likes of the NSA urged administrators and users to patch vulnerable computers.
The NCSC, part of UK’s GCHQ, had privately reported the vulnerability to Microsoft in the first place, warned that BlueKeep “poses a serious threat” and recommended that organisations and individuals apply their security patches as soon as possible, fearing a re-run of the WannaCry ransomware outbreak.
It’s clear that things could be a lot worse with the current attack – so far the BlueKeep vulnerability is not being exploited to spread a worm like WannaCry, which caused particular problems for the UK’s National Health Service. But the fact that many computers are likely to still be unprotected against the flaw is a real cause for concern.
Make sure your computers, including your old legacy computers, are up-to-date with security patches.
For further discussion on the BlueKeep vulnerability be sure to check out this episode of the “Smashing Security” podcast that we recorded earlier this year:
Smashing Security #131: 'Zap yourself from the net, and patch now against BlueKeep'
Listen on Apple Podcasts | Spotify | Google Podcasts | Pocket Casts | Other... | RSS
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
3 comments on “After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign”
Is it just me or do others when they see GCHQ automatically think Graham Cluley Headquarters, especially when reading his blog?
I don't think of one or the other – I think of both at the same time. That is here. Other places I think of the political (yes it is even if more than that) body.
It would be good if a threat model is developed for identifying ransomware.