BlueKeep Flaw in Old Windows PCs Exploited to Mine Cryptocurrency

Though Microsoft released a patch, at least 700,000 old Windows machines remain vulnerable to the BlueKeep flaw. Recently, a hacker has started to exploit them. 

·     

By Michael Kan November 4, 2019 1:48PM EST

A hacker has been abusing a serious vulnerability in old Windows machines that both Microsoft and the NSA have warned could lead to a computer virus outbreak.

Fortunately, the attacks have only involved installing a cryptocurrency miner, according to Kevin Beaumont, the security researcher who noticed the activity over the weekend.

The vulnerability, dubbed BlueKeep, affects unpatched Windows 7, Vista, and XP machines, along with Windows Server 2003 and 2008 systems, that have the Remote Desktop Service feature activated. If exploited, you can basically take over the Windows machine to view, modify, or delete data, or install new programs.

What makes BlueKeep scary is how it's "wormable" and can be exploited without any interaction from the computer's owner. As a result, a hacker could theoretically create a piece of malware to search out vulnerable Windows machines on the internet and try to infect them all.

Microsoft disclosed and patched the flaw in May, but security researchers say at least 700,000 machines connected to the internet are still vulnerable to the threat.

To check whether hackers would ever exploit the vulnerability, Beaumont created several "honeypots," or dummy Windows machines vulnerable to the flaw, which were hooked up to the open internet. For months now, activity on the honeypots had been quiet. But on Saturday, Beaumont said he finally realized someone had been breaking into the machines using the BlueKeep vulnerability, which caused them to crash starting on Oct. 23.

A closer examination showed that all but one of Beaumont's honeypots had been compromised through the BlueKeep vulnerability, "normally several times a day," he wrote in a blog post discussing the attacks.

Beaumont then asked another security researcher, Marcus Hutchins —who helped stop the WannaCry ransomware outbreak— to review the crash logs for his honeypots. The analysis revealed the mysterious attacker had been hijacking the machines to download a cryptocurrency miner.

"So far the content being delivered with BlueKeep appear to be frankly a bit lame—coin miners aren't exactly a big threat," Beaumont wrote in his blog post. The mining software essentially acts as a parasite; it will steal a machine's CPU resources, to generate a virtual currency, which is then sent to the hackers. At worst, computers hit with the miner will run slower and consume more electricity. But the machines themselves remain usable, with the data inside intact.

The mysterious hacker behind the attacks has also refrained from unleashing a computer worm. According to Hutchins, it appears the culprit is simply targeting vulnerable Windows machines on a wide-scale based on a list of IP addresses.

To exploit the unpatched Windows machines, the hacker has been using a penetration testing tool, called Metasploit, which security researchers released in September to help organizations check whether they were vulnerable to the BlueKeep flaw. The same tool is also a double-edge sword since a hacker can use it too. Fortunately, the Metasploit module has no automatic targeting functions built in to abuse BlueKeep; instead the user has to manually specify the target.

Interestingly, the mysterious culprit behind the hijackings may have stopped. After publishing his analysis on attacks, all BlueKeep-related activity over Beaumont's honeypots has ceased.

Nevertheless, Beaumont warns it may only be a matter of time before a more serious attack hits the unpatched Windows machines. "It is clear people now understand how to execute attacks on random targets, and they are starting to do it," he said. "This activity doesn't cause me to worry, but it does cause my spider sense to say 'this will get worse, later.'"

Many businesses, healthcare organizations, and government agencies across the world still run legacy Windows systems. So they likely remain most vulnerable to threat.

The patches to fix the flaw can be downloaded on Microsoft's website. Windows 8 and Windows 10 operating systems, however, are immune to the threat. Owners can also disable the Remote Desktop Services on machines to guard against the vulnerability.

https://www.pcmag.com/news/371741/bluekeep-flaw-in-old-windows-pcs-exploited-to-mine-cryptocur