After the discovery of BlueKeep (CVE-2019-0708), a vulnerability in the Remote Desktop Protocol, Microsoft and even government agencies (the NSA and GCHQ) warned Windows users and admins about its serious effects and encouraged them to apply the security patches.
Updating with the new patches is a must
BlueKeep (CVE-2019-0708) can affect the Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems. Five months ago, Microsoft released a patch to mitigate the effects of the BlueKeep vulnerability, which resides in Remote Desktop Services and can be exploited remotely by sending specially crafted requests over the RDP protocol to a targeted system.
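For admins triaging which hosts to patch first, the following inventory script is an added example, not code from the article or from Microsoft. It flags a host whose OS falls in the affected families listed above, reports whether Remote Desktop is enabled and whether Network Level Authentication is required, and checks for a patch by KB number; the KB identifier is a placeholder to be replaced with the one from Microsoft's CVE-2019-0708 advisory for that OS.

```powershell
# Added example: inventory a Windows host for BlueKeep (CVE-2019-0708) exposure.
# Uses Get-WmiObject so it also runs on the older PowerShell 2.0 hosts in the affected list.
# Run in an elevated PowerShell session on the host being checked.

# OS families named in the article as affected (constructed match list).
$affectedPatterns = @('Windows XP', 'Windows Vista', 'Windows 7', 'Server 2003', 'Server 2008')

$os = Get-WmiObject -Class Win32_OperatingSystem
$osAffected = $false
foreach ($p in $affectedPatterns) {
    if ($os.Caption -like "*$p*") { $osAffected = $true }
}

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required before a session is set up,
# so an unauthenticated client never reaches the vulnerable code path.
$rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
$nlaRequired = ($rdpTcp -ne $null) -and ($rdpTcp.UserAuthentication -eq 1)

# Placeholder: substitute the KB number from Microsoft's CVE-2019-0708 advisory for this OS.
$patchKb = 'KB<BLUEKEEP-PATCH-ID>'
$patched = [bool](Get-HotFix -Id $patchKb -ErrorAction SilentlyContinue)

New-Object -TypeName PSObject -Property @{
    ComputerName   = $env:COMPUTERNAME
    OS             = $os.Caption
    AffectedFamily = $osAffected
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    PatchInstalled = $patched
    # Unpatched affected host with RDP reachable: patch (or disable RDP) first.
    NeedsAttention = ($osAffected -and $rdpEnabled -and -not $patched)
}
```

Hosts reported with NeedsAttention set should be patched or have RDP disabled before anything else; NlaRequired being false on an affected host raises its priority further, since NLA at least forces authentication before the vulnerable request handling is reached.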
BlueKeep exploit spreads cryptocurrency malware
On Saturday, security researcher Kevin Beaumont was the first to report BlueKeep exploitation in the wild, posting a tweet after several of his EternalPot RDP honeypot systems crashed and rebooted.
After him, researcher Marcus Hutchins analyzed the details of the BlueKeep (CVE-2019-0708) exploitation and shared them on his blog yesterday. He confirmed in his blog post “BlueKeep artifacts in memory and shellcode to drop a Monero Miner.”
“Kevin kindly shared the crash dump with us and following this lead, we discovered the sample was being used in a mass exploitation attempt. Due to only smaller size kernel dumps being enabled, it is difficult to arrive at a definite root cause,” Hutchins wrote.
“Although this alleged activity is concerning, the information security community (correctly) predicted much worse potential scenarios. Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack. It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.”