It was just a matter of time: the first "mass exploiting" of BlueKeep vulnerability is spotted in the wild.
If you haven’t already patched your servers, do it asap!
Last sunday, security researcher Kevin Beaumont posted a tweet about a large numer of Blue Screen on his network of BlueKeep Honeypots:
Kevin also shared a crash dump with Marcus Hutchins (also known as MalwareTech), who investigated the sample and said that he "found BlueKeep artifacts in memory and shellcode to drop a Monero Miner":
According to Hutchins' analysis, an initial payload runs an encoded PowerShell command that downloads a second PowerShell script, also encoded:
…the second part of the shellcode also matches that from the BlueKeep metasploit module.
the payload is easily visible at the end of shellcode. It’s an encoded PowerShell command.
The researcher says that the final payload is a cryptocurrency miner for Monero, currently detected by 25 antivirus engines on VirtusTotal:
By decoding the PowerShell command, we obtain code to download another PowerShell command from the attacker’s server.
After this, another encoded PowerShell command is downloaded. And another. Eventually we arrive at the command which downloads and executes an actual executable binary.
This binary’s hash is known to VirusTotal as a cryptocurrency miner.
How bad is it?
Not a lot, actually!
Microsoft patched BlueKeep vulnerability (CVE-2019-0708) on May 14: currently, exploiting this RDP flaw for remote code execution is not easy and the most common result of using the public exploit is a crash of the target system (two private and non-free exploit modules were developed some months ago, for Metasploit and CANVAS penetration testing tools).
Furthermore, the code used in this campaign is not wormable, meaning that it cannot self propagate and therefore, won’t spread as quickly as Wannacry.
Finally, the vulnerability does not affect all versions of Windows operating system. Microsoft's advisory lists Windows 7, Windows Server 2008 R2, and Windows Server 2008.