Microsoft Detecting BlueKeep Exploits Used for Coin Mining

Microsoft on Thursday described its research on the so-called "BlueKeep" Remote Desktop Services vulnerability in older Windows systems, finding signs that it's being used to install coin miners.

BlueKeep exploit attempts began to spike in September, according to Microsoft's researchers, who worked with security researchers Kevin Beaumont and Marcus Hutchins and corroborated the findings in the November reports by Beaumont and Hutchins. The activity mostly surfaced as crashes of the targeted systems' Remote Desktop Services, which point to exploit attempts that failed rather than succeeded.

Some of that activity was attributable to security researchers trying out the BlueKeep Metasploit module published in September, but it also coincided with coin-miner installations on the targeted systems. The attackers used servers located in various countries to deliver coin-miner payloads to systems in "France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries," Microsoft indicated.

The coin-mining campaign began with scans for Internet-exposed systems running the Remote Desktop Protocol (RDP), the protocol underlying Microsoft's Remote Desktop Services, which Windows uses for remote connections. Unpatched Windows systems with RDP reachable from the Internet are vulnerable to the BlueKeep exploit, and Microsoft urged organizations to keep Windows patching current to head off potentially wormable attacks. The researchers also speculated that these unpatched systems persist because they are used only occasionally, by IT suppliers managing customer systems:

Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.

BlueKeep is the name for CVE-2019-0708, a pre-authentication remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008 and Windows Server 2008 R2, as well as on older, out-of-support Windows systems such as Windows XP and Windows Server 2003. Microsoft issued patches for those operating systems, including the unsupported ones, back in May, warning that attackers could use the vulnerability in "wormable" attacks that spread from machine to machine without user interaction, much like the "WannaCry" ransomware of about two years ago.
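As an added example, not code from the article or from Microsoft, the local check a practitioner would run on the hosts named above before trusting that "keep patching up to date" has actually happened. It assumes the May 2019 KB numbers listed in the header comment and treats any cumulative rollup installed after that Patch Tuesday as a weaker "probably patched" signal, because later rollups supersede the original KB and hide it from `Get-HotFix`; the NLA check reflects the partial mitigation from Microsoft's CVE-2019-0708 advisory, not something this article states. Verify both against that advisory before relying on the verdict.

```powershell
# Added example, not code from the article or from Microsoft: a local exposure check for
# CVE-2019-0708 (BlueKeep). Run it in an elevated PowerShell session on each Windows host.
# Assumptions to verify against Microsoft's CVE-2019-0708 advisory before relying on them:
#   - the May 2019 fix shipped as KB4499175 / KB4499164 (Windows 7 SP1, Server 2008 R2 SP1)
#     and KB4499180 / KB4499149 (Windows Server 2008 SP2); later monthly rollups supersede
#     them and hide the original KB from Get-HotFix, so a rollup installed after 2019-05-14
#     is used only as a weaker "probably patched" signal;
#   - Network Level Authentication (NLA) is the partial mitigation from the same advisory.

function Test-BlueKeepExposure {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    # NT 6.0 = Vista / Server 2008, NT 6.1 = Windows 7 / Server 2008 R2; XP / 2003 are NT 5.x.
    $affected = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

    $r = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = $os.Version
        AffectedOSFamily = $affected
        FixKBPresent     = $false
        PostFixRollup    = $false
        RDPEnabled       = $false
        NLARequired      = $false
        RDPPort          = $null
        Verdict          = 'OS family not affected by CVE-2019-0708'
    }
    if (-not $affected) { return [pscustomobject]$r }

    $fixKBs   = 'KB4499175', 'KB4499164', 'KB4499180', 'KB4499149'   # assumption, see header
    $hotfixes = @(Get-HotFix)
    $r.FixKBPresent  = [bool]($hotfixes | Where-Object { $fixKBs -contains $_.HotFixID })
    $r.PostFixRollup = [bool]($hotfixes | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2019-05-14' })

    # RDP listener state lives under the Terminal Server registry key.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $r.RDPEnabled = ($null -ne $deny -and $deny -eq 0)
    $rdpTcp = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
    if ($rdpTcp) {
        $r.NLARequired = ($rdpTcp.UserAuthentication -eq 1)
        $r.RDPPort     = $rdpTcp.PortNumber
    }

    $r.Verdict = if ($r.FixKBPresent) {
        'patched (May 2019 fix present)'
    } elseif ($r.PostFixRollup) {
        'probably patched (rollup installed after 2019-05-14); confirm the KB for this OS'
    } elseif (-not $r.RDPEnabled) {
        'UNPATCHED; RDP disabled locally, but patch anyway (a config change re-exposes it)'
    } elseif ($r.NLARequired) {
        'UNPATCHED; NLA limits exploitation to authenticated users; patch now'
    } else {
        'UNPATCHED and RDP accepts unauthenticated connections; patch and block the port at the edge now'
    }
    return [pscustomobject]$r
}

# Usage: run locally and print the findings; for a fleet, wrap the call in Invoke-Command.
Test-BlueKeepExposure | Format-List
```

The verdict deliberately separates "patched" from "probably patched": on a host that only carries later rollups, the original KB is invisible, so confirm against the advisory's file versions or the host's update history before closing the finding. The registry check covers only the default RDP-Tcp listener; a second listener or a non-default port still shows up in `RDPPort`, but the exposure question that matters is whether that port is reachable from the Internet, which this local check cannot answer on its own.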

The BlueKeep vulnerability, if left unpatched, could lead to attacks far worse than coin-miner installation, the researchers indicated, though they added that "there have been no other verified attacks involving ransomware or other types of malware as of this writing."

The researchers didn't shy away from touting the Microsoft Defender Advanced Threat Protection service as an effective BlueKeep defense. Microsoft sells that service as part of its top-tier Microsoft 365 E5 licensing.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
