Microsoft urges users to patch Windows systems vulnerable to BlueKeep attacks

BlueKeep exploit attempts are increasing, warns Microsoft, and the worst is still to come

Microsoft has warned users to patch out-of-date Windows systems as a matter of urgency after noticing a spike in BlueKeep exploit attempts.

"Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines," Microsoft Defender ATP Research Team said in a blog post.

According to researchers, the BlueKeep attacks reported earlier this month by security researcher Kevin Beaumont were connected with a coin mining campaign that was first noticed in September and used the same command-and-control servers to carry out attacks on vulnerable systems.

In an online post published on 3rd November, Beaumont reported that a "worldwide honeypot network" that he created to detect the development of BlueKeep exploits had experienced crashes.

Beaumont said that the first crash occurred on 23rd October, and then all remaining honeypots (except in Australia) also crashed.

Another security researcher, Marcus Hutchins (also known as MalwareTech), also confirmed that BlueKeep exploit attacks were under way.

Microsoft security researchers collaborated with Beaumont and Hutchins to investigate the crashes, and found that they were caused by a BlueKeep exploit module.

Microsoft said it had deployed a behavioural detection for the BlueKeep Metasploit module in early September. The company noticed that, starting on 6th September 2019, RDP service crashes increased from 10 to 100 per day. A similar spike in memory corruption crashes was also noticed, starting on 9th October 2019.
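The crash-rate jump Microsoft describes (10 to 100 RDP service crashes per day) is a signal a defender can watch for in their own telemetry. The following is an added example, not Microsoft's detection code; it uses a constructed one-line-per-event log format and flags any day whose crash count far exceeds the median of the preceding days.

```python
"""Flag spikes in RDP-related service crashes as a possible exploitation signal.

Added example, not Microsoft's code. Log format is constructed for the demo:
one record per line, "<ISO timestamp> <service name> <event>".
"""
from collections import Counter
from statistics import median

# Constructed sample telemetry: five quiet days (2 crashes/day), then a burst
# of 96 TermService crashes on 2019-09-06, plus unrelated events as noise.
SAMPLE_LOG = "\n".join(
    [f"2019-09-0{d}T0{h}:00:00 TermService crash" for d in range(1, 6) for h in range(2)]
    + [f"2019-09-06T{h:02d}:{m:02d}:00 TermService crash"
       for h in range(24) for m in (0, 15, 30, 45)]
    + ["2019-09-06T12:00:00 Spooler crash", "2019-09-03T09:00:00 TermService start"]
)


def daily_crash_counts(log_text: str, service: str = "TermService") -> dict:
    """Return {YYYY-MM-DD: crash count} for one service, sorted by day."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, svc, event = line.split(maxsplit=2)
        if svc == service and event == "crash":
            counts[ts[:10]] += 1
    return dict(sorted(counts.items()))


def spike_days(counts: dict, factor: float = 5.0, min_days: int = 3) -> list:
    """Days whose count exceeds `factor` x the median of all earlier days.

    Only earlier days form the baseline, so the burst cannot inflate it.
    Days with fewer than `min_days` of history are never flagged.
    """
    days = list(counts)
    flagged = []
    for i, day in enumerate(days):
        prior = [counts[d] for d in days[:i]]
        if len(prior) >= min_days and counts[day] > factor * median(prior):
            flagged.append(day)
    return flagged


def analyze(log_text: str) -> list:
    """Convenience wrapper: spike days for TermService crashes in `log_text`."""
    return spike_days(daily_crash_counts(log_text))


if __name__ == "__main__":
    print("Spike days:", analyze(SAMPLE_LOG))
```

The threshold and baseline window are assumptions for the demo; in production the same logic would run over per-host crash events so a single honeypot-style burst stands out against that host's own history.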

BlueKeep will continue to be a threat 'as long as systems remain unpatched'

BlueKeep is a wormable remote code execution vulnerability affecting Windows XP, Windows 7, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows Server 2008 R2. Indexed as CVE-2019-0708, the vulnerability is pre-authentication, meaning an attacker can trigger it before logging in and no user interaction is required.

Because it is wormable, malware exploiting the vulnerability can spread from one vulnerable system to another without any user interaction.

The risk associated with BlueKeep forced Microsoft to release a patch for Windows XP on 14th May, its first in many years.

Many researchers suggested that BlueKeep could have a similar impact to the 2017 WannaCry worm.

Nearly one million Windows systems were still vulnerable to the BlueKeep flaw as of May 2019.

The attacks launched earlier this month did not deploy any wormable malware. Instead, the threat actors scanned the web for vulnerable machines and attacked unpatched systems one at a time, first deploying the BlueKeep exploit and then the cryptocurrency miner.

According to Microsoft, this is just the beginning, and the worst is yet to come.

The attackers will eventually refine their attacks, and will use the BlueKeep exploit to deliver payloads much more damaging than coin miners, the researchers warned.

BlueKeep will continue to be a threat "as long as systems remain unpatched" and "overall security posture is not kept in check," according to Microsoft.

"Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised," the company added.