BlueKeep (CVE-2019-0708) is a serious vulnerability in the Remote Desktop Protocol (RDP) service of older Windows systems, including Windows 7 and Windows Server 2008 R2. After months of waiting, active exploitation has now been spotted in the wild for the first time, attempting to install cryptomining malware on vulnerable systems.
Security researcher Kevin Beaumont has been running a network of honeypots in an attempt to capture BlueKeep exploitation in action. He succeeded on 23 October 2019 and details the findings on his blog. The first sign was the honeypots crashing: the exploit in use is unreliable and frequently blue-screens the target instead of gaining code execution.
When it does succeed, the exploit runs a PowerShell script which then downloads and installs a cryptominer. A detailed breakdown of how the exploit works has been written up on the Kryptos Logic blog; the attackers did not develop their own exploit but reused the BlueKeep module that was added to Metasploit in September 2019. Now that the first in-the-wild exploit has been found, others are likely to follow, as malware authors borrow extensively from each other's work.
Systems are only vulnerable if they remain unpatched. Microsoft released patches for all affected versions on 14 May 2019, including out-of-band updates for Windows XP and Windows Server 2003, which were already out of support. Windows 8 and Windows 10 are not affected.
RDP is a popular attack vector, and security managers are advised to ensure that no RDP service (TCP port 3389 by default) is exposed directly to the internet; remote access should go through a VPN or an authenticated gateway instead. BlueKeep is dangerous because it is exploitable before the attacker logs in or authenticates to the operating system, so it needs no credentials and no user interaction, which is what makes it potentially wormable. Where patching is delayed, enabling Network Level Authentication (NLA) is a partial mitigation, since it forces authentication before the vulnerable code path is reached; it does not replace the patch, because any user with valid credentials can still trigger the bug.
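As an added example (not code from the original article, nor from any of the researchers it cites), the following Python script performs the first step of the RDP handshake described in MS-RDPBCGR, the X.224 Connection Request and Connection Confirm, against a listener and reports whether the server will proceed past security negotiation without any authentication. That is the pre-authentication state BlueKeep is reached from; a server that answers HYBRID_REQUIRED_BY_SERVER is enforcing NLA. The sample responses at the bottom are constructed for the example, not captured from real hosts. The script tells you only about NLA, not about patch state: a patched host with NLA disabled still reports pre_auth_reachable, and a host that negotiates TLS without NLA is not protected, since the vulnerable channel setup happens after the TLS handshake and before any logon. Run probe() only against hosts you are authorised to test.

```python
"""Probe an RDP listener's security negotiation (MS-RDPBCGR X.224 Connection
Request / Confirm) to see whether it accepts a client before any authentication,
i.e. whether Network Level Authentication (NLA) is enforced."""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000      # legacy "Standard RDP Security"
PROTOCOL_SSL = 0x00000001      # TLS without NLA
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA

# rdpNegFailure failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def build_connection_request(requested_protocols=PROTOCOL_RDP | PROTOCOL_SSL):
    """TPKT + X.224 Connection Request TPDU carrying an RDP_NEG_REQ.
    Deliberately not offering CredSSP forces the server to say whether it will
    talk to an unauthenticated client at all."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # CR-TPDU: code 0xE0, DST-REF, SRC-REF, class 0; the LI byte counts what follows it
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224_body)]) + x224_body
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data):
    """Parse the server's X.224 Connection Confirm into a dict with 'kind' in
    {'neg_rsp', 'neg_failure', 'legacy'} plus the protocol or failure details."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 response")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li = data[4]
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (0xD0)")
    if li == 6:
        # No negotiation block at all: legacy RDP security only (old servers)
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP}
    neg = data[11:19]
    if len(neg) != 8:
        raise ValueError("truncated negotiation block")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", neg)
    if neg_len != 8:
        raise ValueError("bad negotiation block length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"kind": "neg_rsp", "selected_protocol": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"kind": "neg_failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unexpected negotiation type %#x" % neg_type)


def classify(parsed):
    """Map the negotiation outcome to what matters for BlueKeep exposure."""
    if parsed["kind"] == "neg_failure":
        if parsed["failure_code"] in (5, 6):
            return "nla_required"          # attacker needs valid credentials first
        return "refused:" + parsed["failure_name"]
    if parsed["selected_protocol"] & PROTOCOL_HYBRID:
        return "nla_required"              # not expected, we never offered CredSSP
    # Legacy RDP security or plain TLS: the server continues to MCS and virtual
    # channel setup with no logon, which is where CVE-2019-0708 is reached.
    return "pre_auth_reachable"


def probe(host, port=3389, timeout=5.0):
    """Send the request to a live host and classify the answer (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        hdr = s.recv(4)
        total = struct.unpack(">H", hdr[2:4])[0]
        body = b""
        while len(body) < total - 4:
            chunk = s.recv(total - 4 - len(body))
            if not chunk:
                break
            body += chunk
        return classify(parse_connection_confirm(hdr + body))


# Constructed sample responses (not captured from real hosts):
# TLS accepted without NLA: RDP_NEG_RSP, selectedProtocol = PROTOCOL_SSL
SAMPLE_TLS_NO_NLA = bytes.fromhex("030000130ed00000123400" "02000800" "01000000")
# NLA enforced: RDP_NEG_FAILURE, failureCode = HYBRID_REQUIRED_BY_SERVER
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "03000800" "05000000")
# Old server with no negotiation block (legacy RDP security only)
SAMPLE_LEGACY = bytes.fromhex("0300000b" "06d00000123400")

if __name__ == "__main__":
    for name, sample in [("tls_no_nla", SAMPLE_TLS_NO_NLA),
                         ("nla_required", SAMPLE_NLA_REQUIRED),
                         ("legacy", SAMPLE_LEGACY)]:
        print(name, "->", classify(parse_connection_confirm(sample)))
```

A result of pre_auth_reachable on an internet-facing address is the condition to fix first, by removing the exposure or enforcing NLA, and then by confirming the May 2019 patch is installed; nla_required buys time but still leaves any holder of valid credentials able to reach the bug on an unpatched host.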