Windows 10 News and info | Forum
Topic: BlueKeep attacks are happening, but it's not a worm
javajolt
Administrator
« on: November 05, 2019, 12:42:44 PM »

Hackers are using BlueKeep to break into Windows systems and install a cryptocurrency miner.

Security researchers have spotted the first mass-hacking campaign using the BlueKeep exploit; however, the exploit is not being used as a self-spreading worm, as Microsoft feared would happen last May when it issued a dire warning and urged users to patch.

Instead, a hacker group has been using a demo BlueKeep exploit released by the Metasploit team back in September to hack into unpatched Windows systems and install a cryptocurrency miner.

This BlueKeep campaign has been happening at scale for almost two weeks, but it was only spotted today by cybersecurity expert Kevin Beaumont.

The British security expert said he found the exploits in logs recorded by honeypots he set up months before and forgot about. First attacks date back to October 23, Beaumont told ZDNet.

Beaumont's discovery was confirmed by Marcus "MalwareTech" Hutchins, the security researcher who stopped the WannaCry ransomware outbreak, and who's a recognized expert in the BlueKeep exploit.

The attacks discovered by Beaumont are nowhere near the scale of the attacks Microsoft was afraid of back in May, when it likened BlueKeep to EternalBlue, the exploit at the heart of the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks of 2017.

Microsoft engineers were terrified that BlueKeep would trigger another world-spanning malware outbreak that spread on its own, from one unpatched system to another.

However, the first mass-hacking operation didn't turn out to include self-spreading, worm-like capabilities. Instead, the hackers appear to search for Windows systems with RDP ports left exposed on the internet, deploy the BlueKeep Metasploit exploit, and later a cryptocurrency miner.


But these particular BlueKeep attacks don't seem to work. Beaumont told ZDNet that the attacks crashed 10 of the 11 honeypots he was running.

This shows the attacker's exploit code doesn't work as they intend.

This fits right in with what most experts have said about BlueKeep for the past few months. The BlueKeep exploit can have devastating consequences, but it's hard to get an exploit working without crashing the OS with a Blue Screen of Death (BSOD) error.

The person/group behind the recent attacks doesn't appear to have the know-how needed to modify the BlueKeep demo exploit released by the Metasploit team back in September, which is a good thing. However, some of their attacks have succeeded.

What we are seeing today is the first hacking group trying to weaponize this dangerous exploit in an operation at scale, rather than against a specific target.

But ZDNet is also aware that other hackers have used BlueKeep in more targeted attacks, and have used it successfully.

At some point in the future, some low-skilled threat actors will figure out how to run BlueKeep properly, and that's when we'll see it used more broadly. Chances are that it's still going to be used to mine cryptocurrency -- the same thing for which EternalBlue is also mostly used nowadays.

BLUEKEEP PATCH INFORMATION

BlueKeep is a nickname given to CVE-2019-0708, a vulnerability in the Microsoft RDP (Remote Desktop Protocol) service. It impacts only:

   Windows 7
   Windows Server 2008 R2
   Windows Server 2008

Patches have been available since mid-May 2019. See official Microsoft advisory.

A first public demo of a BlueKeep exploit was released for the Metasploit penetration testing framework back in September. It was released to help system administrators test vulnerable systems, but it can also be re-purposed by malicious actors. Tens of other private exploits have existed since June, developed by cyber-security firms but kept private in order to avoid helping attackers.

Despite having months to patch systems, the latest headcount of publicly accessible Windows systems that expose an RDP endpoint online and are vulnerable to BlueKeep is at around 750,000. These scans don't include systems inside private networks, behind firewalls.

source
« Last Edit: November 05, 2019, 12:58:36 PM by javajolt »
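A defender-side triage check that follows from the patch information in the post, added here as an example (it is not code from the article, the forum post, or Microsoft): run it in an elevated PowerShell session on the host being checked. The $RequiredKBs parameter and its empty default are assumptions; fill it from the Microsoft advisory for the host's edition.

```powershell
# Added example, not code from the article or the forum post. Local exposure
# triage for CVE-2019-0708 on one host: is this an edition the article lists
# as affected, is Remote Desktop switched on and listening, and what updates
# have landed since the mid-May 2019 fixes. Uses only cmdlets present on the
# affected editions (PowerShell 2.0+), so no Get-NetTCPConnection.
# $RequiredKBs is empty on purpose: take the KB IDs from Microsoft's advisory.
param(
    [string[]]$RequiredKBs = @()
)

$os      = Get-WmiObject -Class Win32_OperatingSystem
$caption = $os.Caption

# Editions the article names as impacted by BlueKeep.
$affected = @('Windows 7', 'Windows Server 2008 R2', 'Windows Server 2008')
$inScope  = $false
foreach ($edition in $affected) {
    if ($caption -like "*$edition*") { $inScope = $true }
}

# Remote Desktop policy switch: fDenyTSConnections = 0 means RDP is enabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts    = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

# Is anything actually listening on the default RDP port? netstat exists on every edition.
$rdpListening = [bool](netstat -ano | Select-String -Pattern ':3389\s+.*LISTENING')

# Patch state: updates installed since the fixes shipped (mid-May 2019),
# plus any specific KBs the caller asked about.
$since   = Get-Date '2019-05-14'
$recent  = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since })
$missing = @($RequiredKBs | Where-Object { -not (Get-HotFix -Id $_ -ErrorAction SilentlyContinue) })

# Likely exposed = affected edition, RDP on and listening, and a requested KB
# absent (or, with no KB list given, nothing installed since the patch release).
$patchGap = if ($RequiredKBs.Count -gt 0) { $missing.Count -gt 0 } else { $recent.Count -eq 0 }
$exposed  = $inScope -and $rdpEnabled -and $rdpListening -and $patchGap

New-Object PSObject -Property @{
    Host            = $env:COMPUTERNAME
    OS              = $caption
    AffectedEdition = $inScope
    RdpEnabled      = $rdpEnabled
    RdpListening    = $rdpListening
    UpdatesSinceFix = $recent.Count
    MissingKBs      = ($missing -join ', ')
    LikelyExposed   = $exposed
}
```

With an empty $RequiredKBs the script can only report that no update at all has been installed since May 2019, so supply the advisory's KB IDs for a definitive answer.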
Powered by SMF 1.1.21 | SMF © 2017, Simple Machines