BlueKeep Flaw in Old Windows PCs Exploited to Mine Cryptocurrency

A hacker has been abusing a serious vulnerability in old Windows machines that both Microsoft and the NSA have warned could lead to a computer virus outbreak.

Fortunately, the attacks have only involved installing a cryptocurrency miner, according to Kevin Beaumont, the security researcher who noticed the activity over the weekend.

The vulnerability, dubbed BlueKeep, affects unpatched Windows 7, Vista, and XP machines, along with Windows Server 2003 and 2008 systems, that have Remote Desktop Services enabled. If it is exploited, an attacker can essentially take over the Windows machine to view, modify, or delete data, or install new programs.

What makes BlueKeep scary is how it’s “wormable” and can be exploited without any interaction from the computer’s owner. As a result, a hacker could theoretically create a piece of malware to search out vulnerable Windows machines on the internet and try to infect them all.

Microsoft disclosed and patched the flaw in May, but security researchers say at least 700,000 machines connected to the internet are still vulnerable to the threat.

To check whether hackers would ever exploit the vulnerability, Beaumont created several “honeypots,” or dummy Windows machines vulnerable to the flaw, which were hooked up to the open internet. For months now, activity on the honeypots had been quiet. But on Saturday, Beaumont said he finally realized someone had been breaking into the machines using the BlueKeep vulnerability, which caused them to crash starting on Oct. 23.

A closer examination showed that all but one of Beaumont’s honeypots had been compromised through the BlueKeep vulnerability, “normally several times a day,” he wrote in a blog post discussing the attacks.

Beaumont then asked another security researcher, Marcus Hutchins, who helped stop the WannaCry ransomware outbreak, to review the crash logs for his honeypots. The analysis revealed that the mysterious attacker had been hijacking the machines to download a cryptocurrency miner.

“So far the content being delivered with BlueKeep appear to be frankly a bit lame—coin miners aren’t exactly a big threat,” Beaumont wrote in his blog post. The mining software essentially acts as a parasite: it steals a machine’s CPU resources to generate a virtual currency, which is then sent to the hackers. At worst, computers hit with the miner will run slower and consume more electricity. But the machines themselves remain usable, with the data inside intact.

The mysterious hacker behind the attacks has also refrained from unleashing a computer worm. According to Hutchins, it appears the culprit is simply targeting vulnerable Windows machines on a wide scale, working from a list of IP addresses.

To exploit the unpatched Windows machines, the hacker has been using a module for the penetration testing tool Metasploit, which security researchers released in September to help organizations check whether they were vulnerable to the BlueKeep flaw. The same tool is a double-edged sword, since a hacker can use it too. Fortunately, the Metasploit module has no automatic targeting functions built in to abuse BlueKeep; instead, the user has to manually specify the target.

Interestingly, the mysterious culprit behind the hijackings may have stopped. After Beaumont published his analysis of the attacks, all BlueKeep-related activity on his honeypots ceased.

Nevertheless, Beaumont warns it may only be a matter of time before a more serious attack hits the unpatched Windows machines. “It is clear people now understand how to execute attacks on random targets, and they are starting to do it,” he said. “This activity doesn’t cause me to worry, but it does cause my spider sense to say ‘this will get worse, later.’”

Many businesses, healthcare organizations, and government agencies across the world still run legacy Windows systems, so they likely remain the most vulnerable to the threat.

The patches that fix the flaw can be downloaded from Microsoft’s website. Windows 8 and Windows 10, however, are not affected by the threat. Owners can also disable Remote Desktop Services on their machines to guard against the vulnerability.
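The two defensive measures the article names are installing Microsoft's patch and disabling Remote Desktop Services. The PowerShell script below is an added example, not code from the article or from the researchers it quotes, that an administrator could run on a legacy machine to report its standing on both counts: whether the OS is in the affected range, whether the fix is installed, whether Remote Desktop connections are enabled in the registry, and whether the service is actually listening on TCP 3389. The KB identifier is a placeholder (the article does not give one; it must be looked up per OS on Microsoft's site), and the script only checks configuration; it does not test the vulnerability itself.

```powershell
# Added example: report a Windows host's exposure to BlueKeep in terms of the
# mitigations the article describes (patch installed / Remote Desktop disabled).
# Run in an elevated Windows PowerShell session. Uses Get-WmiObject rather than
# Get-CimInstance so it also works on the PowerShell 2.0 that ships with Windows 7.

# PLACEHOLDER: substitute the KB number of the BlueKeep fix for this OS.
$BlueKeepKb = 'KBXXXXXXX'

function Get-BlueKeepExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Affected OS family per the article: XP/2003 (5.x), Vista/2008 (6.0), 7/2008 R2 (6.1).
    # Windows 8 (6.2) and later are not affected.
    $affectedOs = [version]$os.Version -lt [version]'6.2'

    # Patch check; skipped (reported as $false) while the KB is still the placeholder.
    $patched = $false
    if ($BlueKeepKb -notmatch 'X') {
        $patched = [bool](Get-HotFix -Id $BlueKeepKb -ErrorAction SilentlyContinue)
    }

    # fDenyTSConnections = 1 means Remote Desktop connections are denied (RDP "disabled").
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -ne 1)

    # State of the Remote Desktop Services service itself.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { [string]$svc.Status } else { 'NotFound' }

    # Is anything listening on the default RDP port? Newer systems have
    # Get-NetTCPConnection; Windows 7 / 2008 do not, so fall back to netstat.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    } else {
        $listening = [bool](netstat -an | Select-String ':3389\s+\S+\s+LISTENING')
    }

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = $os.Version
        AffectedOS     = $affectedOs
        PatchInstalled = $patched
        RdpEnabled     = $rdpEnabled
        TermService    = $svcStatus
        Port3389Listen = $listening
        # Reachable over RDP on an affected, unpatched build: the condition the article warns about.
        Exposed        = ($affectedOs -and -not $patched -and $rdpEnabled -and $listening)
    }
}

Get-BlueKeepExposure | Format-List ComputerName, OSVersion, AffectedOS, PatchInstalled, RdpEnabled, TermService, Port3389Listen, Exposed

# Remediation for a host reported as Exposed, if Remote Desktop is not needed:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
#   Stop-Service TermService -Force; Set-Service TermService -StartupType Disabled
# and install the vendor patch for the OS in any case.
```

`Exposed` is deliberately conservative: it stays `$true` until the KB placeholder is replaced, so an unfilled script cannot report a machine as safe by accident. On a fleet, the function's output objects can be collected per host (for example via `Invoke-Command`) and filtered on `Exposed` to find the legacy machines that still need attention.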
