News

Microsoft Connects BlueKeep to Coin-Mining Attacks

• By Kurt Mackie
• 11/08/2019

Microsoft reports that hackers may be using the so-called "BlueKeep" Remote Desktop Services vulnerability in older Windows systems to install coin miners.

According to Microsoft researchers, BlueKeep exploit attempts began to spike in September. The researchers worked with security analysts Kevin Beaumont and Marcus Hutchins, and confirmed details in their November reports. The BlueKeep activity was typically detected as crashes, which imply unsuccessful exploit attempts.

Some of that activity was associated with security researchers trying out a published BlueKeep Metasploit module, but it also coincided with coin-miner implantations on systems. Those attackers used servers located in various countries to deliver coin miner payloads in "France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries," Microsoft indicated.

The coin mining attacks started out as scans for Internet services that used the Remote Desktop Protocol, a protocol underlying Microsoft's Remote Desktop Services used by Windows systems for remote connections. Unpatched Windows systems are vulnerable to the BlueKeep exploit, and Microsoft urged organizations to keep Windows patching up to date to avoid potentially spreadable attacks. They also speculated that these unpatched systems may exist because they only occasionally get used by IT firms to manage their customer systems:

Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.

BlueKeep is the name for the CVE-2019-0708 vulnerability in Windows 7, Windows Server 2008 and Windows Server 2008 R2, as well as the older and unsupported Windows systems. Microsoft issued patches for those operating systems back in May, warning that attackers could use the vulnerability in "wormable" or easily spread attacks, much like the "Wannacry" wiper malware of about two years ago.

The BlueKeep vulnerability, if left unpatched, could lead to worse attacks than coin-miner placements, the researchers indicated, adding that "there have been no other verified attacks involving ransomware or other types of malware as of this writing."

The researchers didn't shirk from touting the Microsoft Defender Advanced Threat Protection service as being an effective BlueKeep defense. Microsoft sells that service as part of its top-tier Microsoft 365 E5 licensing.