Microsoft Detecting BlueKeep Exploits Used for Coin Mining

Microsoft on Thursday described its research on the so-called "BlueKeep" Remote Desktop Services vulnerability in older Windows systems, finding signs that it's being used to install coin miners.

BlueKeep exploit attempts began to spike in September, according to Microsoft's researchers, who worked with security researchers Kevin Beaumont and Marcus Hutchins and confirmed the details in their November reports. The BlueKeep activity was typically detected as system crashes, which imply unsuccessful exploit attempts.

Some of that activity was associated with security researchers trying out a published BlueKeep Metasploit module, but it also coincided with coin-miner implantations on systems. Those attackers used servers located in various countries to deliver coin miner payloads in "France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries," Microsoft indicated.

The coin mining attacks started out as scans for Internet-facing services using the Remote Desktop Protocol, the protocol underlying Microsoft's Remote Desktop Services that Windows systems use for remote connections. Unpatched Windows systems are vulnerable to the BlueKeep exploit, and Microsoft urged organizations to keep Windows patching up to date to avoid potentially spreadable attacks. Microsoft also speculated that these unpatched systems may exist because they are only occasionally used by IT firms to manage their customers' systems:

Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.
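The two signals the article describes, scanning of Internet-facing RDP ahead of exploitation and crashes on RDP hosts that the researchers read as failed exploit attempts, can be illustrated with a small correlation script. The following is an added example, not code from Microsoft or from the article; the log line formats, the crash event signatures, the three-target scanning threshold and the 60-minute correlation window are all assumptions chosen for the example, and the log data is constructed.

```python
"""Added example: correlate inbound RDP (TCP/3389) connections with host crashes.

Everything here is constructed for illustration. The firewall and system log
formats, the crash event signatures, the scan threshold and the correlation
window are assumptions, not Microsoft's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

RDP_PORT = 3389

# Assumption: a crash on a Windows host shows up in the System log as one of
# these (source, event ID) pairs. Real environments may log crashes differently.
CRASH_EVENTS = {("BugCheck", 1001), ("Microsoft-Windows-Kernel-Power", 41)}

# Constructed firewall log: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
FIREWALL_LOG = """\
2019-11-07T10:00:01 203.0.113.5 -> 192.0.2.10:3389 ALLOW
2019-11-07T10:00:02 203.0.113.5 -> 192.0.2.11:3389 ALLOW
2019-11-07T10:00:03 203.0.113.5 -> 192.0.2.12:3389 ALLOW
2019-11-07T10:02:00 198.51.100.7 -> 192.0.2.10:3389 ALLOW
2019-11-07T10:03:00 198.51.100.7 -> 192.0.2.10:443 ALLOW
"""

# Constructed System event log: "<timestamp> <host> EventID=<n> Source=<name>"
SYSTEM_LOG = """\
2019-11-07T10:05:30 192.0.2.11 EventID=1001 Source=BugCheck
2019-11-07T10:30:00 192.0.2.20 EventID=1001 Source=BugCheck
2019-11-07T10:31:00 192.0.2.10 EventID=7036 Source=Service-Control-Manager
"""


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    port: int


class Event(NamedTuple):
    ts: datetime
    host: str
    source: str
    event_id: int


def parse_firewall(text: str) -> List[Conn]:
    """Parse the constructed firewall format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, _action = line.split()
        dst, port = dst_port.rsplit(":", 1)
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(port)))
    return conns


def parse_events(text: str) -> List[Event]:
    """Parse the constructed System-log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, source = line.split()
        events.append(Event(datetime.fromisoformat(ts), host,
                            source.split("=", 1)[1], int(eid.split("=", 1)[1])))
    return events


def find_rdp_scanners(conns: List[Conn], min_targets: int = 3) -> Dict[str, Set[str]]:
    """Sources that touched at least min_targets distinct hosts on TCP/3389.

    A single admin connecting to one jump host is not a scanner; a source
    sweeping several hosts on the RDP port is the precursor the article names.
    """
    targets: Dict[str, Set[str]] = defaultdict(set)
    for c in conns:
        if c.port == RDP_PORT:
            targets[c.src].add(c.dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def crashes_after_rdp(conns: List[Conn], events: List[Event],
                      window: timedelta = timedelta(minutes=60)) -> List[dict]:
    """Crash events on a host that received an inbound RDP connection within `window` before.

    The article notes that BlueKeep attempts were mostly seen as crashes, so a
    crash shortly after inbound RDP traffic is worth a closer look; a crash
    with no preceding RDP connection is left alone by this rule.
    """
    inbound_by_host: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        if c.port == RDP_PORT:
            inbound_by_host[c.dst].append(c)
    hits = []
    for e in events:
        if (e.source, e.event_id) not in CRASH_EVENTS:
            continue
        prior = [c for c in inbound_by_host.get(e.host, []) if e.ts - window <= c.ts <= e.ts]
        if prior:
            hits.append({"host": e.host, "crash_at": e.ts.isoformat(),
                         "rdp_sources": sorted({c.src for c in prior})})
    return hits


if __name__ == "__main__":
    conns = parse_firewall(FIREWALL_LOG)
    events = parse_events(SYSTEM_LOG)
    print("RDP scanners:", find_rdp_scanners(conns))
    print("Crashes after inbound RDP:", crashes_after_rdp(conns, events))
```

On the constructed data, 203.0.113.5 is reported as a scanner (three RDP targets) and the crash on 192.0.2.11 is tied back to it, while the crash on 192.0.2.20 and the admin connection from 198.51.100.7 produce nothing. Crash-based detection only catches the failed attempts; as the quoted guidance says, a successful exploit may leave no obvious trace, so this rule complements patching rather than replacing it.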

BlueKeep is the name for the CVE-2019-0708 vulnerability in Windows 7, Windows Server 2008 and Windows Server 2008 R2, as well as older, unsupported Windows systems. Microsoft issued patches for those operating systems back in May, warning that attackers could use the vulnerability in "wormable," or easily spread, attacks, much like the "WannaCry" wiper malware of about two years ago.

The BlueKeep vulnerability, if left unpatched, could lead to worse attacks than coin-miner placements, the researchers indicated, adding that "there have been no other verified attacks involving ransomware or other types of malware as of this writing."

The researchers didn't shy away from touting the Microsoft Defender Advanced Threat Protection service as an effective BlueKeep defense. Microsoft sells that service as part of its top-tier Microsoft 365 E5 licensing.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
