BlueKeep exploit found in the wild


By Dylan Bushell-Embling
Tuesday, 05 November, 2019
The infamous BlueKeep Microsoft vulnerability is now being actively exploited, according to Kevin Beaumont, the security researcher who named it.

OpenSecurity.global’s Beaumont revealed that honeypot servers he had set up to detect exploitation of BlueKeep had done their job in a big way.

Starting on 24 October, Beaumont noticed that the honeypots were crashing and rebooting. Since then, all of the servers, except one in Australia, have been doing so with increasing frequency.

Analysis indicated that the honeypot servers had been injected with a cryptocurrency miner via the BlueKeep exploit. Beaumont said all but the Australian server showed signs of compromise using BlueKeep exploits, typically several times a day.

While a coin miner is itself a relatively low-impact payload, the activity indicates that attackers are learning how to use BlueKeep against arbitrary targets and have begun doing so.

Tenable Senior Research Engineer Satnam Narang agreed that the discovery should be cause for concern.

“This is the first example of attackers exploiting the BlueKeep vulnerability in the wild, which should set alarm bells off for organisations that have yet to patch vulnerable systems,” he said.

“According to BinaryEdge, there are over 700,000 vulnerable systems that are publicly accessible, including over 4500 in Australia. The risks here cannot be overstated — organisations must patch their systems immediately.”

But in a recent tweet, Beaumont said that since he published the details of the attack, all exploit activity targeting the honeypot servers appears to have stopped.

BlueKeep was first weaponised in September, after an exploit for the vulnerability was released in the Rapid7-led Metasploit project.
