When Microsoft revealed last May that millions of Windows devices had a serious hackable flaw known as BlueKeep—one that could enable an automated worm to spread malware from computer to computer—it seemed only a matter of time before someone unleashed a global attack. As predicted, a BlueKeep campaign has finally struck. But so far it’s fallen short of the worst case scenario.
Security researchers have spotted evidence that their so-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse using the BlueKeep vulnerability. The bug in Microsoft’s Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; while it had previously only been exploited in proofs of concept, it has potentially devastating consequences. Another worm that targeted Windows machines in 2017, the NotPetya ransomware attack, caused more than 10 billion dollars in damage worldwide.
But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim’s processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic.
“BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale,” says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who was one of the first to build a working proof-of-concept for the BlueKeep vulnerability. “They’re not seeking targets. They’re scanning the internet and spraying exploits.”
Hutchins says that he first learned of the BlueKeep hacking outbreak from fellow security researcher Kevin Beaumont, who observed his honeypot machines crashing over the last few days. Since those devices exposed only port 3389 to the internet—the port used by RDP—he quickly suspected BlueKeep. Beaumont then shared a “crashdump,” forensic data from those crashed machines, with Hutchins, who confirmed that BlueKeep was the cause, and that the hackers had intended to install a cryptocurrency miner on the victim machines, as detailed in this blog post from Kryptos Logic. Hutchins says he hasn’t yet determined which coin they’re trying to mine, and notes that the fact the target machines crash indicate that the exploit may be unreliable. The malware’s authors appear to be using a version of the BlueKeep hacking technique included in the open-source hacking and penetration testing framework Metasploit, Hutchins says, which was made public in September.
It’s unclear also how many devices have been impacted, although the current BlueKeep outbreak appears to be far from the RDP pandemic that many feared. “I’ve seen a spike, but not the level I’d expect from a worm,” says Jake Williams, a founder of the security firm Rendition Infosec, who has been monitoring his clients’ networks for signs of exploitation. “It hasn’t hit critical mass yet.”
In fact, Williams argues, the absence of a more severe wave of BlueKeep hacking so far may actually indicate a success story for Microsoft’s response to its BlueKeep bug—an unexpected happy ending. “Every month that passes by without a worm happening, more people patch and the vulnerable population goes down,” Williams says. “Since the Metasploit module has been out for a couple of months now, the fact that no one has wormed this yet seems to indicate there’s been a cost-benefit analysis and there’s not a huge benefit to weaponizing it.”
But the threat BlueKeep poses to hundreds of thousands of Windows machines hasn’t passed just yet. About 735,000 Windows computers remained vulnerable to BlueKeep according to one internet-wide scan by Rob Graham, a security researcher and founder of Errata Security, who shared those numbers with WIRED in August. And those machines could still be hit with a more serious—and more virulent—specimen of malware that exploits Microsoft’s lingering RDP vulnerability. That could take the form of a ransomware worm in the model of NotPetya or also WannaCry, which infected almost a quarter million computers when it spread in May of 2017, causing somewhere between $4 and $8 billion damage.
In the meantime, the current spate of BlueKeep cryptocurrency mining will represent an annoyance for those unlucky enough to have their computers crashed or hijacked by its cryptocurrency mining—and at most a vague harbinger of a more severe attack on the horizon. “A BlueKeep exploit is perfect for getting more systems to mine from,” says Hutchins. “It’s not necessarily going to affect whether someone still makes a ransomware worm at some point.” If helping hackers mine a few cryptocoins is the worst that BlueKeep ultimately inflicts, in other words, the internet will have dodged a bullet.