When Microsoft revealed last May that millions of Windows devices had a serious flaw, known to hackers as BlueKeep – one that could allow an automated worm to spread malware from computer to computer – it seemed only a matter of time before someone unleashed a global attack. As predicted, a BlueKeep campaign has finally hit. But so far it is far from the worst-case scenario.
Security researchers have spotted evidence that their so-called honeypots – bait machines designed to help detect and analyze malware outbreaks – are being compromised en masse by exploitation of the BlueKeep vulnerability. The bug in Microsoft's Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; although previously used only in proof-of-concept code, it has potentially devastating consequences. Another worm targeted at Windows machines in 201
But so far the widespread BlueKeep hacking has merely installed a cryptocurrency miner, siphoning the victims' processing power to generate cryptocurrency. And instead of a worm that jumps unassisted from one computer to the next, it appears that these attackers have been scanning the internet for vulnerable machines to exploit. That makes this current wave unlikely to turn into an epidemic.
"BlueKeep has been there for a while. But this is the first time I've ever seen it used massively," says Marcus Hutchins, a malware researcher at security firm Kryptos Logic, who was one of the first to build a working proof of concept for the BlueKeep vulnerability. "They are not looking for targets. They are scanning the internet and spraying exploits."
"It hasn't hit critical mass yet."
Jake Williams, Rendition Infosec
Hutchins says he first learned of the BlueKeep hacking from fellow security researcher Kevin Beaumont, who had watched his honeypot machines crash over the last few days. Because those devices exposed only port 3389 to the internet – the port used by RDP – he quickly suspected BlueKeep. Beaumont then shared forensic data from the crashed machines with Hutchins, who confirmed that BlueKeep was the cause and that the hackers intended to install a cryptocurrency miner on the victims' machines. Hutchins says he has not yet determined which coin they are trying to mine, and notes that the fact that the target machines are crashing suggests the exploit may be unreliable. The malware authors appear to be using a version of the BlueKeep exploit included in the open-source penetration-testing and hacking framework Metasploit, Hutchins says, which was made public in September.
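The two observations above – attackers scanning the whole internet and spraying exploits at port 3389, and honeypots that were noticed because RDP was the only port they exposed – translate directly into a defender's check: which internal hosts accept RDP from outside, and which external sources are touching 3389 on many hosts at once. The following script is an added example (not code from the article or from any of the researchers quoted) that runs that check over a constructed, hypothetical firewall log format; the log lines, the `ALLOW`/`DENY` field layout and the spray threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (hypothetical format, not from the article):
#   <timestamp> <ALLOW|DENY> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
SAMPLE_LOG = """\
2019-11-02T10:00:01Z ALLOW proto=tcp src=198.51.100.7:51234 dst=10.0.0.5:3389
2019-11-02T10:00:02Z ALLOW proto=tcp src=198.51.100.7:51235 dst=10.0.0.6:3389
2019-11-02T10:00:03Z ALLOW proto=tcp src=198.51.100.7:51236 dst=10.0.0.7:3389
2019-11-02T10:00:04Z ALLOW proto=tcp src=198.51.100.7:51237 dst=10.0.0.8:3389
2019-11-02T10:00:05Z ALLOW proto=tcp src=10.0.0.20:40000 dst=10.0.0.5:3389
2019-11-02T10:00:06Z ALLOW proto=tcp src=203.0.113.9:44444 dst=10.0.0.5:443
2019-11-02T10:00:07Z DENY proto=tcp src=203.0.113.10:44445 dst=10.0.0.9:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

RDP_PORT = 3389  # TCP port used by Microsoft RDP, the service BlueKeep targets

# RFC 1918 ranges are treated as "inside"; anything else is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip):
    """True when the address lies outside the RFC 1918 ranges, i.e. the traffic came from the internet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(log_text, spray_threshold=3):
    """Return internal hosts reachable on RDP from the internet and sources sweeping for it."""
    exposed = set()                     # internal hosts that accepted RDP from an external source
    targets_by_src = defaultdict(set)   # external source -> internal hosts it contacted on 3389
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != RDP_PORT:
            continue
        if not is_external(rec["src"]):
            continue  # internal-to-internal RDP is treated as normal admin traffic here
        targets_by_src[rec["src"]].add(rec["dst"])
        if rec["action"] == "ALLOW":
            exposed.add(rec["dst"])
    # One external source touching many hosts on 3389 is the scan-and-spray pattern, not a login.
    sprayers = sorted(src for src, hosts in targets_by_src.items() if len(hosts) >= spray_threshold)
    return {"exposed_rdp_hosts": sorted(exposed), "spray_sources": sprayers}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("Internal hosts accepting RDP from the internet:", report["exposed_rdp_hosts"])
    print("External sources sweeping port 3389:", report["spray_sources"])
```

The `exposed_rdp_hosts` list is the patch-and-firewall worklist (any host on it is reachable by exactly the kind of internet-wide scan described above), while `spray_sources` separates a single source touching many hosts on 3389 from an ordinary remote login; the threshold is a tuning knob, and the denied attempt against 10.0.0.9 is still counted toward the scan pattern even though that host is not exposed.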
It is also unclear how many devices have been affected, though the current BlueKeep outbreak seems far from the RDP pandemic many feared. "I've seen a spike, but not the level I would expect from a worm," says Jake Williams, founder of security firm Rendition Infosec, which monitors its customers' networks for signs of exploitation. "It hasn't hit critical mass yet."
In fact, Williams argues, the absence of a heavier wave of BlueKeep hacking may actually show that Microsoft's handling of the BlueKeep bug is a success story – an unexpectedly happy ending. "Every month that goes by without a worm, more people get patched and the vulnerable population shrinks," Williams says. "Given that the Metasploit module has been out for several months and no one seems to have wormed it, that shows a cost-benefit analysis has been done and there's no huge benefit to weaponizing it."
But the BlueKeep threat is still far from gone for hundreds of thousands of Windows machines. About 735,000 Windows computers remained vulnerable to BlueKeep, according to an internet scan by Rob Graham, a security researcher and founder of Errata Security, who shared those numbers with WIRED in August. And those machines could still be hit by a more serious and more virulent strain of malware that exploits Microsoft's lingering RDP vulnerability. That could take the form of a worm built on the model of NotPetya or WannaCry, which infected nearly a quarter of a million computers when it spread in May 2017, causing between $4 billion and $8 billion in damage.