First BlueKeep mass hacking traced
BlueKeep vulnerability.
The bug in Microsoft’s Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; while it had previously only been exploited in proofs of concept, it has potentially devastating consequences.
Another worm that targeted Windows machines in 2017, the NotPetya ransomware attack, caused more than 10 billion dollars in damage worldwide.
But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim’s processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic.
“BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale,” says Marcus Hutchins, a malware researcher, who was one of the first to build a working proof-of-concept for the BlueKeep vulnerability.
“They’re not seeking targets. They’re scanning the internet and spraying exploits.”
Hutchins says that he first learned of the BlueKeep hacking outbreak from fellow security researcher Kevin Beaumont, who observed his honeypot machines crashing over the last few days. Since those devices exposed only port 3389 to the internet — the port used by RDP — he quickly suspected BlueKeep.
He then shared a ‘crashdump,’ forensic data from those crashed machines, with Hutchins, who confirmed that BlueKeep was the cause, and that the hackers had intended to install a cryptocurrency miner on the victim machines.
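The pattern described above, one source sweeping many hosts on the RDP port rather than choosing targets, is something a defender can pick out of ordinary perimeter logs. The following is an added example written for this article, not code from the researchers quoted here; the log format, the sample addresses and the thresholds are constructed assumptions. It flags any source that reaches an unusual number of distinct hosts on tcp/3389 inside a short window, and separately lists which hosts are accepting RDP from outside at all, which is the exposure that put the honeypots in the scanners' path.

```python
"""Flag sources spraying RDP (tcp/3389) across many hosts, and list RDP-exposed hosts.

Added example. The log line format, sample addresses and thresholds below are
assumptions constructed for illustration, not taken from the article.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed sample perimeter log. Assumed format:
#   "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
# 203.0.113.7 sweeps six hosts on 3389 in five seconds; the other sources do not.
SAMPLE_LOG = """\
2019-11-02T10:00:01 203.0.113.7 -> 192.0.2.10:3389 accept
2019-11-02T10:00:02 203.0.113.7 -> 192.0.2.11:3389 accept
2019-11-02T10:00:02 203.0.113.7 -> 192.0.2.12:3389 accept
2019-11-02T10:00:03 203.0.113.7 -> 192.0.2.13:3389 accept
2019-11-02T10:00:04 203.0.113.7 -> 192.0.2.14:3389 accept
2019-11-02T10:00:05 203.0.113.7 -> 192.0.2.15:3389 accept
2019-11-02T10:05:00 198.51.100.4 -> 192.0.2.10:3389 accept
2019-11-02T10:06:00 198.51.100.4 -> 192.0.2.10:443 accept
2019-11-02T10:07:00 198.51.100.9 -> 192.0.2.20:22 accept
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, action).

    Returns None for blank or malformed lines so a garbled entry never aborts a run.
    """
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst, _, port = parts[3].rpartition(":")
    if not dst or not port.isdigit():
        return None
    return datetime.fromisoformat(parts[0]), parts[1], dst, int(port), parts[4]


def find_rdp_sprayers(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: sorted distinct RDP targets} for every source that touched
    at least `min_targets` distinct hosts on tcp/3389 within any `window`-long span.

    A sliding window per source keeps a count of distinct destinations currently
    inside the window, so one slow-and-steady admin session is not mistaken for a sweep.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == RDP_PORT:
            ts, src, dst, _, _ = rec
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        in_window = Counter()
        left = 0
        for ts, dst in hits:
            in_window[dst] += 1
            # Drop events that fell out of the window as it advances.
            while ts - hits[left][0] > window:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                flagged[src] = sorted({d for _, d in hits})
                break
    return flagged


def rdp_exposed_hosts(log_text):
    """Hosts that accepted an inbound tcp/3389 connection: the surface a sweep can reach."""
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == RDP_PORT and rec[4] == "accept":
            seen.add(rec[2])
    return sorted(seen)


if __name__ == "__main__":
    for src, targets in find_rdp_sprayers(SAMPLE_LOG).items():
        print(f"RDP sweep from {src}: {len(targets)} distinct hosts -> {targets}")
    print("Hosts accepting RDP from the outside:", rdp_exposed_hosts(SAMPLE_LOG))
```

Run against the sample, it reports the single sweeping source with its six targets and lists the six hosts that accepted RDP; the source that connected once to 3389 and once to 443 is not flagged. On real logs the interesting follow-up is the second list: any host on it that is unpatched, or that lacks Network Level Authentication, is exactly the kind of machine the article describes being hit.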