After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign

Graham Cluley

Bluekeep

Bluekeep
Security researchers have confirmed that hackers are breaking into unpatched Windows computers using the BlueKeep vulnerability to install money-making cryptocurrency-mining code code.

British researcher Kevin Beaumont raised the alarm this weekend, after discovering that BlueKeep honeypots he had set up (to act as an early alarm that the vulnerability was being exploited) began to crash and reboot themselves.

I built a worldwide honeypot network to spot exploitation, which I called BluePot.

Since then it has been remarkably quiet. I’ve been keeping in contact with people at threat intelligence and anti-malware companies and, essentially, the protection built has been eerily quiet. That isn’t to say exploitation hasn’t happened — of course, advanced threat actors would absolutely look to leverage this — but there’s been a complete lack of data to suggest any kind of widespread exploitation.

That changed on October 23rd — one of the BlueKeep honeypots crashed and rebooted. Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity.

Beaumont shared details of what had happened to his honeypots with Marcus Hutchins of Kryptos Logic, who determined that the attacks were using demo BlueKeep exploit code in an attempt to install a cryptominer onto unpatched Windows computers.

The good news is that the current attack appears to be flawed – crashing the computers it is attempting to infect rather than successfully installing the hackers’ code.

News first broke of the BlueKeep vulnerability earlier this year, when Microsoft took the unusual step of issuing patches for old versions of Windows which it no longer officially supports, and publishing reminders on its blog for users to take action.

At the time, it was reported that almost one million vulnerable PCs were connected to the internet, and potentially open to exploitation.

The threat was considered serious enough that the likes of the NSA urged administrators and users to patch vulnerable computers.

The NCSC, part of UK’s GCHQ, had privately reported the vulnerability to Microsoft in the first place, warned that BlueKeep “poses a serious threat” and recommended that organisations and individuals apply their security patches as soon as possible, fearing a re-run of the WannaCry ransomware outbreak.

It’s clear that things could be a lot worse with the current attack – so far the BlueKeep vulnerability is not being exploited to spread a worm like WannaCry, which caused particular problems for the UK’s National Health Service. But the fact that many computers are likely to still be unprotected against the flaw is a real cause for concern.

Make sure your computers, including your old legacy computers, are up-to-date with security patches.

For further discussion on the BlueKeep vulnerability be sure to check out this episode of the “Smashing Security” podcast that we recorded earlier this year:

Smashing Security #131: 'Zap yourself from the net, and patch now against BlueKeep'

Listen on Apple Podcasts | Google Podcasts | Other... | RSS
More episodes...

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign”

  1. Is it just me or do others when they see GCHQ automatically think Graham Cluley Headquarters, especially when reading his blog?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.