Warning after new Windows BlueKeep exploit identified over the weekend
New Bluekeep exploit picked-up by security specialists 'Bluepot' honeypot network
Security researcher Kevin Beaumont has warned of a potential new wave of cyber attacks based on the BlueKeep exploit after identifying the new threat over the weekend.
Beaumont says that after BlueKeep was uncovered, he created a "worldwide honeypot network" using Azure Sentinel with Microsoft Sysmon to spot exploitation, and named the "honeypot network" Bluepot.
According to Beaumont, one of the BlueKeep honeypots crashed and rebooted on 23rd October, and then all remaining honeypots (except on in Australia) also crashed and rebooted.
Marcus Hutchins (also known as MalwareTech), known for hitting the kill switch to stop the WannaCry infection, also confirmed the on-going BlueKeep exploit attack.
However, it is not the fast-spreading self-replicating worm that some experts had feared. The attackers behind the latest BlueKeep attack are currently looking for unpatched Windows systems with RDP 3389 ports exposed to the internet.
Kryptos Logic spotted the initial BlueKeep exploit attack from a "low-level actor" which appears to have infected vulnerable machines with a cryptocurrency miner. No data wipes or automatic spreading of a worm has been noticed so far in the current campaign.
Systems that have been kept patched and updated will be unaffected. However, there were nearly a million systems estimated to be vulnerable to BlueKeep in May, although the window of opportunity for a wide-ranging attack is closing, according to security researchers.
According to Beaumont, though, activity appeared to stop abruptly shortly after he issued his public warnings.
In May, Microsoft surprised cyber security experts by releasing a patch for Windows XP, its first in years, indicating the risk of a major security threat looming for machines running the old Windows XP operating system.
Later, it was revealed that the company patched a wormable Windows vulnerability, CVE-2019-0708, that affected Windows XP, Windows 7, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows Server 2008 R2 and was serious enough to produce a similar impact as 2017 WannaCry worm.
BlueKeep vulnerability is pre-authentication, meaning it requires no user interaction. Since it is wormable, it can make any malware exploiting the vulnerability to be able to spread from one vulnerable system to another, without requiring user interaction.
Microsoft issued a warning on 14th May, and again on 30th May, urging users of vulnerable Windows machines to update their systems as quickly as possible.
In June, the US National Security Agency and the Cybersecurity and Infrastructure Security Agency also issued advisories for Microsoft Windows administrators, asking them to update their vulnerable systems or risk facing "devastating" consequences.
Many security experts said that a widespread and destructive BlueKeep exploit was only weeks away.