First mass BlueKeep exploitation spotted in the wild

Networks connected with each other across the world

The first instance of a cyber attack exploiting the infamous BlueKeep remote desktop protocol (RDP) vulnerability on a massive scale has been spotted in the wild.

Traps set by security researchers have exposed an attempt to weaponise the Windows vulnerability to launch cryptocurrency mining attacks, although it's far from the worst-case scenarios painted when the flaw was first disclosed.

BlueKeep was a 'wormable' remote code execution (RCE) flaw that could give attackers the highest possible privileges on a Windows machine and spread from one vulnerable device to another within a network without any user intervention.

Panic spread following its discovery, with several national security agencies including the National Cyber Security Centre (NCSC) warning businesses the flaw posed a serious security threat.

The strength of concern was such that Microsoft even released patches for users still using systems that had long-since been deemed end-of-life, such as Windows XP.

In the six months between its discovery and now, however, these warnings haven't come to fruition.

Kevin Beaumont, the researcher who first discovered BlueKeep, yesterday revealed the first exploitation attempt discovered using his honeypot network built in the wake of the disclosure.

He also shared his findings with Marcus Hutchins, who was instrumental in stopping the WannaCry attack in 2017.

"It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponised," Hutchins wrote in a blog post.

"One might theorise that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved."

He added that although this activity is concerning, much worse scenarios were predicted at first, and this particular exploit has failed to take advantage of the wormable nature of the BlueKeep flaw. Moreover, there are no signs that indiscriminate scanning on vulnerable ports is occurring, as when attackers launched WannaCry.

It's likely more than not that the exploit was devised by a low-level cyber criminal who scanned the internet and infected vulnerable hosts using out-of-the-box penetration testing tools, Hutchins continued.

Beaumont, meanwhile, branded the attack as being anticlimactic due to the fact it involved attempts to spread cryptocurrency mining malware, but warned that it's indicative of dangers to come.

"In conclusion, so far the content being delivered with BlueKeep appears to be frankly a bit lame - coin miners aren't exactly a big threat," he said. "However it is clear people now understand how to execute attacks on random targets, and they are starting to do it.

"This activity doesn't cause me to worry, but it does cause my spider sense to say 'this will get worse, later'."

He suggested that organisations remove any unpatched endpoints that are directly available on the internet for RDP, until they're patched. He continued that services like would be able to find exploitable systems within organisations' IP ranges.

More than 724,000 systems across the web are still exposed to the BlueKeep vulnerability, despite efforts to patch the flaw from Microsoft, he continued, compared to a few million before it was first disclosed. This suggests a handful of systems are simply never security patched.

"If somebody makes a reliable worm for this vulnerability - which to be clear has not happened here - expect global consequences as it will then spread inside internal networks," he added.

Meanwhile, cyber security researcher Graham Cluley told IT Pro that while the attacks don't appear to be working quite as well as the hackers might hope, it's clear things have accelerated in recent months.

"Future attacks may be more successful," he added. "Businesses and home users alike need to ensure that they have defences in place and that their PCs are properly patched."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.