Microsoft urges users to patch against BlueKeep attacks
The software giant’s Microsoft Defender ATP Research Team published a blog post in which they warned of increased BlueKeep activity, saying: “Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines.”
The researchers also noted that the BlueKeep attacks reported earlier this month by security researcher Kevin Beaumont were connected with a coin-mining campaign that used the same command-and-control servers to launch attacks on vulnerable systems. Beaumont had gone so far as to build a global honeypot network to detect the emergence of BlueKeep exploits in the wild. However, the network first crashed at the beginning of October, and after that crash all of the remaining honeypots except those in Australia were also taken offline.
Security researcher Marcus Hutchins (aka MalwareTech) also confirmed that this series of BlueKeep exploit attacks was still underway. Microsoft worked with both researchers to investigate the crashes, and it was then that they discovered the crashes were caused by a BlueKeep exploit module.
In early September, Microsoft deployed a behavioral detection for the BlueKeep Metasploit module. The company observed that RDP service crashes increased from 10 to 100 per day in September, and a similar spike occurred in early October.
BlueKeep is a wormable remote code execution vulnerability affecting Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008. The vulnerability is pre-authentication, meaning it can be exploited without valid credentials and with no user interaction.
However, the attacks that…