Back in May this year, Windows acknowledged the BlueKeep bug; now attackers are using BlueKeep to install cryptocurrency miners.
BlueKeep Attacks Install Cryptocurrency Miners!
The renewed BlueKeep attacks were spotted by security researcher Kevin Beaumont. The crash dumps were analysed by Jake Williams and Marcus Hutchins (also known as ‘MalwareTech’ on Twitter).
It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner. https://t.co/7G88YAW5lr
— MalwareTech (@MalwareTechBlog) November 2, 2019
Analysis of the dump shows that the newly built malware drops a Monero miner on the victim’s PC. The group has been using the demo BlueKeep exploit that the Metasploit team released back in September to break into unpatched Windows systems and install a cryptocurrency miner.
The attacks have been going on for the past several weeks, and about 735,000 computers were still vulnerable to BlueKeep, according to the security analysis firm Errata Security.
This first mass-exploitation campaign has not shown self-spreading, worm-like capabilities. Instead, the attackers appear to be scanning for Windows systems with RDP ports exposed to the Internet, running the BlueKeep Metasploit exploit against them, and then installing a cryptocurrency miner.
I don’t think there’s a worm (or at least anything bad enough to care about). There’s finally generic exploitation tho for sure.
— Kevin Beaumont (@GossiTheDog) November 2, 2019
The attack is believed to be automated: a list of vulnerable IP addresses is fed to a server that performs the exploitation.
Although the threat has shifted from a worm to ordinary malware, it is still quite dangerous for any naive user. This is the first hacking group trying to weaponise this dangerous exploit at scale rather than against a specific target.
Windows has released updates intended to fix this bug, which is slowly becoming a major threat to PC users.