BlueKeep Threat Confirmed – Unpatched Windows Computers are in Great Danger

Written By Raj
Approved By Anuraag Singh
Published On October 10th, 2022
Reading Time 3 Minutes

On November 2, 2019, Microsoft confirmed BlueKeep attacks tied to a coin-mining campaign and urged users of outdated Windows versions to apply the available update.

This was the first time Microsoft observed a malware campaign weaponizing the BlueKeep vulnerability. The Microsoft Defender ATP Research Team also warned that more destructive BlueKeep attacks are likely to follow and recommended that Windows users patch their systems as soon as possible. According to Microsoft, these attacks use the same command-and-control (C2) infrastructure as a coin-mining campaign detected in September.

What is BlueKeep?

BlueKeep, indexed as CVE-2019-0708, is an unauthenticated remote code execution vulnerability in Remote Desktop Services (the RDP listener) on out-of-date Windows versions: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. It is wormable: because the flaw is reachable before any logon, malware that exploits it can spread from one computer to another over the network without any user interaction. Windows 8 and later, and Windows Server 2012 and later, do not contain the flaw.

BlueKeep was reported to Microsoft by the UK National Cyber Security Centre, and Microsoft released a patch in May 2019; since mid-May it has been urging users to apply it. In the campaign observed here, attackers exploited the RDP flaw and installed a cryptocurrency miner on the compromised hosts; because the vulnerability is wormable, a threat built on it could spread quickly.

“As per our security signals, RDP-related crashes, associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines”, the Microsoft Defender ATP Research Team wrote in an article.

A Critical Wormable Remote Code Execution Vulnerability in Windows RDP

Microsoft also cautioned that this is only the beginning and that worse is likely to come: future attackers could use BlueKeep to deliver payloads far more damaging than coin miners. BlueKeep will remain a threat as long as Windows systems stay unpatched and the overall security posture goes unchecked.

Microsoft detected the coin-miner payloads delivered in this campaign in the UK, Spain, Italy, France, Russia, Ukraine, Germany and several other countries. The attackers targeted exposed, vulnerable RDP services and, after exploitation, downloaded multiple obfuscated PowerShell scripts that dropped the coin miner as the final payload.

“The latest exploit attacks demonstrate that BlueKeep will remain a threat as long as Windows computers remain unpatched and the entire security structure remains unchecked”, Microsoft says.

Microsoft therefore encourages users to update vulnerable systems immediately, because every unpatched device exposing RDP can be compromised with no user interaction. If you run one of the affected Windows versions, install the May 2019 security update for CVE-2019-0708 (Microsoft released it even for the out-of-support Windows XP and Windows Server 2003) or migrate to a supported Windows release that does not contain the flaw. Where patching has to wait, reduce the exposure: enable Network Level Authentication (NLA) so that an attacker needs valid credentials before reaching the vulnerable code path, block TCP port 3389 at the network perimeter, and disable Remote Desktop Services on machines that do not need it. Note that NLA is a mitigation, not a fix: an attacker holding valid credentials can still trigger the bug.
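One way to check a host for the conditions described above, as an added example that is not code from the article or from Microsoft: the PowerShell script below reports whether the local machine runs one of the affected platforms, whether a May 2019 fix for CVE-2019-0708 is installed, and whether RDP is listening with or without NLA. The KB numbers are Microsoft's May 2019 security-only and monthly-rollup updates for this CVE (verify them against the current advisory; later cumulative rollups also contain the fix and are not enumerated here). The function name Test-BlueKeepExposure, the verdict strings and the use of netstat for the listener check are assumptions introduced for this example. It is written against PowerShell 2.0 cmdlets so that it also runs on Windows 7 and Server 2008 R2; run it from an elevated prompt.

```powershell
# Added example (not from the article or from Microsoft): assess the local
# host for exposure to CVE-2019-0708 (BlueKeep). Run from an elevated prompt.

# Platforms that ship the vulnerable RDP code, keyed on Major.Minor of the
# OS version reported by WMI. Windows 8 / Server 2012 and later are not listed
# because they do not contain the flaw.
$vulnerablePlatforms = @{
    '5.1' = 'Windows XP'
    '5.2' = 'Windows Server 2003'
    '6.0' = 'Windows Vista / Windows Server 2008'
    '6.1' = 'Windows 7 / Windows Server 2008 R2'
}

# May 2019 updates carrying the CVE-2019-0708 fix (security-only, then monthly
# rollup). Assumption: confirm against Microsoft's advisory before relying on
# this list; later rollups supersede these and are not enumerated here.
$fixKbs = @{
    '5.1' = @('KB4500331')
    '5.2' = @('KB4500331')
    '6.0' = @('KB4499180', 'KB4499149')
    '6.1' = @('KB4499175', 'KB4499164')
}

function Test-BlueKeepExposure {
    $os       = Get-WmiObject -Class Win32_OperatingSystem
    $ver      = [version]$os.Version            # e.g. 6.1.7601
    $key      = '{0}.{1}' -f $ver.Major, $ver.Minor
    $platform = $vulnerablePlatforms[$key]      # $null when not affected

    # Registry keys that control Remote Desktop on all listed platforms.
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $rdpDisabled = (Get-ItemProperty -Path $tsRoot -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
    # UserAuthentication = 1 means Network Level Authentication is required,
    # so the vulnerable code path is only reachable after a successful logon.
    $rdpProps    = Get-ItemProperty -Path $rdpTcp -ErrorAction SilentlyContinue
    $nlaRequired = $rdpProps.UserAuthentication -eq 1
    $rdpPort     = if ($rdpProps.PortNumber) { $rdpProps.PortNumber } else { 3389 }

    # Is anything listening on the RDP port? netstat is used because
    # Get-NetTCPConnection does not exist before Windows 8 / Server 2012.
    $listening = [bool](netstat -an | Select-String -Pattern (":$rdpPort\s+\S+\s+LISTENING"))

    # Treat the host as patched if any of the listed fix KBs is installed.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    $patched   = $false
    if ($fixKbs.ContainsKey($key)) {
        foreach ($kb in $fixKbs[$key]) { if ($installed -contains $kb) { $patched = $true } }
    }

    # Verdict strings are this example's own wording, not Microsoft's.
    $verdict =
        if (-not $platform)                       { 'Not affected: platform never shipped the vulnerable code' }
        elseif ($patched)                         { 'Patched: a CVE-2019-0708 fix is installed' }
        elseif ($rdpDisabled -or -not $listening) { 'Vulnerable binaries present but RDP not reachable; patch anyway' }
        elseif ($nlaRequired)                     { 'Exposed to authenticated users only (NLA blocks pre-auth exploitation); patch now' }
        else                                      { 'EXPOSED: unauthenticated RDP on a vulnerable, unpatched platform' }

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        OSVersion    = $os.Version
        Platform     = $platform
        RdpDisabled  = $rdpDisabled
        RdpListening = $listening
        RdpPort      = $rdpPort
        NlaRequired  = $nlaRequired
        FixInstalled = $patched
        Verdict      = $verdict
    }
}

Test-BlueKeepExposure | Format-List
```

The object returned by Test-BlueKeepExposure can be collected across a fleet with Invoke-Command or a remote WMI session and filtered on the Verdict field; hosts whose verdict begins with EXPOSED are the ones a wormable exploit can reach without credentials and should be patched or taken off the network first. Because the KB check only matches the May 2019 updates, a host that received a later cumulative rollup will show FixInstalled as False even though it is fixed; extend the $fixKbs table from the advisory, or verify by checking the file version of termdd.sys, before treating such a host as vulnerable.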


By Raj

I’m a digital marketer and technical content writer. I’m passionate about exploring and writing about innovation, technology including cloud computing, and digital marketing trends.