[BreachExchange] First Cyber Attack ‘Mass Exploiting’ BlueKeep RDP Flaw Spotted in the Wild

Destry Winant destry at riskbasedsecurity.com
Tue Nov 5 10:00:17 EST 2019


https://securityaffairs.co/wordpress/93328/hacking/bluekeep-mass-attack.html

Experts have spotted the first mass-hacking campaign exploiting the
BlueKeep vulnerability; the crooks use the exploit to install a
cryptocurrency miner.

Security researchers have spotted the first mass-hacking campaign
exploiting the BlueKeep vulnerability; the attack aims to install a
cryptocurrency miner on the infected systems.

In May, Microsoft warned users to update their systems to address the
remote code execution vulnerability dubbed BlueKeep. A few days later,
the National Security Agency (NSA) also urged Windows users and
administrators to install security updates to address the BlueKeep flaw
(aka CVE-2019-0708).

In June the Cybersecurity and Infrastructure Security Agency (CISA) of
the U.S. DHS also issued an alert for the same issue.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows
Remote Desktop Services (RDS) and was addressed by Microsoft with the May
2019 Patch Tuesday updates. BlueKeep is a wormable flaw, meaning that
malware authors could use it to build self-propagating malicious code
with WannaCry-like capabilities.

As explained by Microsoft, this vulnerability could be exploited by
malware with wormable capabilities: because it can be exploited without
any user interaction, malware could spread in an uncontrolled way across
the target networks.

No such worm has appeared so far. Instead, a hacker group has been
using a demo BlueKeep exploit released by the Metasploit team back in
September to hack into unpatched Windows systems and install a
cryptocurrency miner.

According to the experts, this is the first attempt to exploit the
BlueKeep RDP vulnerability in mass-hacking attacks.

Over the past months, many security experts have developed their own
exploit code for this issue without publicly disclosing it, for obvious
reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and
Server 2003. Windows 7 and Server 2008 users can prevent
unauthenticated attacks by enabling Network Level Authentication
(NLA), and the threat can also be mitigated by blocking TCP port 3389.
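As an added example (not part of the article or of any of the quoted researchers' work), the following PowerShell, run from an elevated prompt on a Windows 7 or Server 2008 host, reports whether the two mitigations named above are in place and can apply them. It assumes the standard RDP-Tcp listener registry path and value names; the firewall rule name is an assumption of my own, and `netsh` is used because these Windows versions lack the NetSecurity cmdlets.

```powershell
# Added example: audit and enforce the BlueKeep mitigations named in the
# article (NLA on, inbound TCP/3389 blocked) on Windows 7 / Server 2008.
# Assumed: the RDP-Tcp listener key below (standard location on these
# versions) and PowerShell 2.0 compatible syntax (no [pscustomobject]).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpMitigationStatus {
    $props = Get-ItemProperty -Path $rdpKey
    # UserAuthentication: 1 = Network Level Authentication required.
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
    New-Object PSObject -Property @{
        ListenPort        = $props.PortNumber
        NlaEnabled        = ($props.UserAuthentication -eq 1)
        SecurityLayer     = $props.SecurityLayer
        RdpServiceRunning = ((Get-Service TermService).Status -eq 'Running')
    }
}

function Enable-RdpNla {
    # Requires elevation; applies to new connections, existing ones persist.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 2 -Type DWord
}

function Block-RdpInbound {
    # Rule name is an assumption; adjust to local naming conventions.
    netsh advfirewall firewall add rule name="Block inbound RDP (BlueKeep mitigation)" `
        dir=in action=block protocol=TCP localport=3389
}

$status = Get-RdpMitigationStatus
$status | Format-List ListenPort, NlaEnabled, SecurityLayer, RdpServiceRunning
if ($status.RdpServiceRunning -and -not $status.NlaEnabled) {
    Write-Warning "NLA is off: unauthenticated clients reach the pre-auth code path CVE-2019-0708 lives in."
    # Uncomment to enforce on hosts that cannot yet take the May 2019 patch:
    # Enable-RdpNla
    # Block-RdpInbound
}
```

NLA only removes the unauthenticated path; patching remains the actual fix, since an attacker holding valid credentials can still reach the vulnerable code.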

Security experts warned it was only a matter of time before threat
actors started exploiting it in the wild, and now it is happening. The
researcher Zǝɹosum0x0 announced that he had developed a module for the
popular Metasploit penetration testing framework to exploit the
critical BlueKeep flaw.

The Metasploit module could be used to trigger the BlueKeep flaw on
vulnerable Windows XP, 7, and Server 2008 systems, but the expert did
not publicly disclose it at the time, to avoid threat actors abusing it.

After the disclosure of the flaw, the popular expert Robert Graham
scanned the Internet for vulnerable systems. He discovered more than
923,000 potentially vulnerable devices using the masscan port scanner
and a modified version of rdpscan.

Yesterday, the popular expert Kevin Beaumont observed some of his
EternalPot RDP honeypots crashing after being attacked.

The popular expert Marcus Hutchins analyzed data shared by Beaumont
and confirmed that the honeypot systems were hit by attackers
leveraging the BlueKeep exploit to deliver a Monero miner.

“Kevin kindly shared the crash dump with us and following this lead,
we discovered the sample was being used in a mass exploitation
attempt. Due to only smaller size kernel dumps being enabled, it is
difficult to arrive at a definite root cause.” reads a blog post
published by Hutchins.

“Finally, we confirm this segment points to executable shellcode. At
this point we can assert valid BlueKeep exploit attempts in the wild,
with shellcode that even matches that of the shellcode in the BlueKeep
metasploit module!”

The exploit code includes a sequence of encoded PowerShell commands
that compose the attack chain; the final payload is an executable
binary, a Monero miner, downloaded from a remote server and executed
on the targeted systems.

Hutchins pointed out that the malicious code involved in the massive
attack doesn’t implement self-spreading capabilities.

Currently there is no news about the extent of this attack; it is
unclear how many Windows systems have been compromised with the Monero
miner.

“Although this alleged activity is concerning, the information
security community (correctly) predicted much worse potential
scenarios. Based on our data we are not seeing a spike in
indiscriminate scanning on the vulnerable port like we saw when
EternalBlue was wormed across the Internet in what is now known as the
WannaCry attack.” concludes the expert. “It seems likely that a
low-level actor scanned the Internet and opportunistically infected
vulnerable hosts using out-of-the-box penetration testing utilities.”
