Microsoft Detecting BlueKeep Exploits Used for Coin Mining

Microsoft on Thursday described its research on the so-called "BlueKeep" Remote Desktop Services vulnerability in older Windows systems, finding signs that it's being used to install coin miners.

BlueKeep exploit attempts began to spike in September, according to Microsoft's researchers, who worked with independent security researchers Kevin Beaumont and Marcus Hutchins and confirmed the details in their November reports. The BlueKeep activity was typically detected as crashes, which imply unsuccessful exploit attempts.

Some of that activity was associated with security researchers trying out a published BlueKeep Metasploit module, but it also coincided with coin-miner implantations on systems. Those attackers used servers located in various countries to deliver coin miner payloads in "France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries," Microsoft indicated.

The coin mining attacks started out as scans for Internet-facing services using the Remote Desktop Protocol, the protocol underlying Microsoft's Remote Desktop Services that Windows systems use for remote connections. Unpatched Windows systems are vulnerable to the BlueKeep exploit, and Microsoft urged organizations to keep Windows patching up to date to avoid potentially spreadable attacks. The researchers also speculated that these unpatched systems may exist because they are only occasionally used by IT firms to manage their customers' systems:

Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.

BlueKeep is the name for the CVE-2019-0708 vulnerability in Windows 7, Windows Server 2008 and Windows Server 2008 R2, as well as older, unsupported Windows systems. Microsoft issued patches for those operating systems back in May, warning that attackers could use the vulnerability in "wormable," or easily spread, attacks, much like the "WannaCry" wiper malware of about two years ago.

The BlueKeep vulnerability, if left unpatched, could lead to worse attacks than coin-miner placements, the researchers indicated, adding that "there have been no other verified attacks involving ransomware or other types of malware as of this writing."

The researchers didn't shy away from touting the Microsoft Defender Advanced Threat Protection service as an effective BlueKeep defense. Microsoft sells that service as part of its top-tier Microsoft 365 E5 licensing.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
