Just months after the US National Security Agency (NSA) advised Microsoft Windows users to update their systems to mitigate the critical BlueKeep vulnerability (Microsoft Windows RDP CVE 2019-0708), reports suggest that the bug is already being exploited in the wild by hackers to carry out ‘devastating’ attacks that are rendering computer networks in several countries virtually unusable.
Believed to have been first reported by cyber-security researcher, Kevin Beaumont, the BlueKeep campaign is apparently being carried out at least over the past two weeks. Beaumont’s discovery was confirmed by Marcus Hutchins, the British security researcher known for temporarily stopping the WannaCry ransomware outbreak in 2017 and who now, works for cyber-security firm, Kryptos Logic.
huh, the EternalPot RDP honeypots have all started BSOD'ing recently. They only expose port 3389. pic.twitter.com/VdiKoqAwkr
— Kevin Beaumont (@GossiTheDog) November 2, 2019
According to Hutchins, the shellcode of the BlueKeep exploit attempts in the wild matches with that of the shellcode in the proof-of-concept BlueKeep module released by the Metasploit pen-testing team earlier this year. While other security researchers had deleted the all-important exploit code before releasing their demo modules, Metasploit’s version was advanced enough for remote code execution, which is why it is now being exploited by criminals.
In case you don’t know it already, BlueKeep is a vulnerability in the Remote Desktop Protocol (RDP) service in older versions of the Windows operating system (Windows XP, Windows 2003, Windows 7, Windows Server 2008 and Windows Server 2008 R2), and was patched back in the May 2019, following warnings about a possible attack exploiting the potent metasploit module.
Microsoft warned users and system administrators to apply the patches as soon as possible, but not everyone apparently paid heed. Thankfully, however, the reach and scale of these attacks are nowhere near what one saw with EternalBlue, the exploit at the heart of the notorious WannaCry, NotPetya and Bad Rabbit ransomware outbreaks of 2017.