Cybersecurity experts have identified a recent cyber-attack that is believed to be the first, if amateurish, attempt to weaponize the notorious BlueKeep RDP vulnerability in the wild, using it to mass-compromise vulnerable systems for cryptocurrency mining.

Back in May, Microsoft released a patch for a critical remote code execution flaw in its Windows Remote Desktop Services, dubbed BlueKeep, which could be exploited remotely to take control of vulnerable systems simply by sending specially crafted requests over RDP.

BlueKeep (CVE-2019-0708) is a serious wormable vulnerability: malware exploiting it could spread directly from one vulnerable device to another without any action by the victims. Microsoft patched it on May 14, and a series of alerts from governments and security firms followed, many reiterating its severity.

Achieving remote code execution (RCE) through this RDP vulnerability is not easy, and the most likely outcome of a failed attempt is a crash of the targeted system. The security researchers who created a working exploit kept its details confidential to prevent attackers from producing their own version and compromising still-unpatched systems.

As Microsoft stated, wormable malware can exploit this vulnerability: it requires no user interaction, so malware could propagate through targeted networks in an uncontrolled manner. In fact, a group of attackers used the BlueKeep demonstration exploit released in September by the Metasploit team to break into unpatched Windows systems and install a cryptocurrency miner.


According to the experts, this is the first attempt to exploit the BlueKeep RDP vulnerability in mass-hacking attacks. Over the past few months many security researchers have developed their own exploit code for the issue without publicly disclosing it, for understandable reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Security professionals cautioned that it was only a matter of time before threat actors exploited the flaw in the wild, and that is now taking place. The Metasploit module can be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7 and Server 2008 systems, but the researcher did not disclose it publicly, to prevent threat actors from exploiting it.

Skilled attackers may already have exploited the BlueKeep flaw in stealthy, targeted intrusions; thankfully, it has not yet been exploited at a larger scale. It is still unclear, however, how many vulnerable Windows systems have been compromised in the latest attacks to deploy the Monero miner.

Protect your systems!

If it is not possible to patch the vulnerability in your enterprise promptly, apply these mitigations:

  • If RDP is not needed, disable the Remote Desktop service.
  • Use a firewall to block TCP port 3389, or make it reachable only through a private VPN.
  • Enable Network Level Authentication (NLA) – partial protection that prevents unauthenticated attackers from exploiting this wormable vulnerability.
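The following PowerShell script is an added example, not code from the article, that audits a single Windows host for the patch and the mitigations listed above (NLA, disabling RDP, blocking TCP 3389) and applies them where the patch is missing. The KB identifier is a placeholder: the article does not name the update, so it must be replaced with the CVE-2019-0708 update for the host's Windows version. The registry values and firewall commands are the standard Windows settings for these controls; run the script in an elevated session.

```powershell
# Added example (not from the article): audit and apply the BlueKeep mitigations
# from the list above on one Windows host. Run from an elevated PowerShell session.

$RdpTcpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TerminalSrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$BlueKeepKb     = 'KB0000000'   # PLACEHOLDER: the CVE-2019-0708 update id for this OS build

function Test-BlueKeepPatch {
    # True when the update appears in the host's installed-hotfix inventory.
    return [bool](Get-HotFix -Id $BlueKeepKb -ErrorAction SilentlyContinue)
}

function Test-RdpNlaEnabled {
    # UserAuthentication = 1 means the client must authenticate (NLA) before a session is created,
    # which is what keeps an unauthenticated attacker away from the vulnerable code path.
    $value = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication `
              -ErrorAction SilentlyContinue).UserAuthentication
    return ($value -eq 1)
}

function Enable-RdpNla {
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
}

function Disable-Rdp {
    # fDenyTSConnections = 1 turns off incoming Remote Desktop connections entirely.
    Set-ItemProperty -Path $TerminalSrvKey -Name fDenyTSConnections -Value 1 -Type DWord
}

function Block-RdpInbound {
    # Block TCP/3389 at the host firewall. New-NetFirewallRule exists on Windows 8 /
    # Server 2012 and later; Windows 7 / Server 2008 fall back to netsh advfirewall.
    $ruleName = 'Block inbound RDP (BlueKeep mitigation)'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
    } else {
        netsh advfirewall firewall add rule name="$ruleName" `
            dir=in action=block protocol=TCP localport=3389 | Out-Null
    }
}

# --- Audit ---
$patched = Test-BlueKeepPatch
$nla     = Test-RdpNlaEnabled
Write-Host ("Update {0} installed : {1}" -f $BlueKeepKb, $patched)
Write-Host ("NLA required         : {0}" -f $nla)

# --- Mitigate only where the patch is missing ---
if (-not $patched) {
    if (-not $nla) {
        Enable-RdpNla
        Write-Host 'Enabled Network Level Authentication (partial protection only).'
    }
    # Pick ONE of the following depending on whether this host needs RDP at all:
    # Disable-Rdp        # RDP not needed: turn the service off
    # Block-RdpInbound   # RDP needed: block 3389 from the network, reach the host via VPN
}
```

NLA only narrows exposure to attackers who already hold valid credentials, which is why the script still prints the patch state first and treats the registry change as a stopgap. If RDP must stay reachable over the VPN, scope the firewall rule with `-RemoteAddress` (or `remoteip=` for netsh) so the block applies to every source except the VPN address range, and schedule the actual update rather than leaving the mitigation in place indefinitely.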
