“At this point we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep metasploit module!”
When the British government alerted Microsoft in May to a critical wormable bug – which security researchers dubbed BlueKeep – in its Windows operating system, the company scrambled to push out an urgent patch.
Although Windows 8 and Windows 10 were unaffected by the security flaw, Windows 7, Windows Server 2008 R2, and Windows Server 2008 were among those that were vulnerable. Security experts feared a repeat of 2017’s WannaCry attacks: the vulnerability is exploitable before authentication and requires no user interaction, meaning any malware developed to exploit the issue could potentially propagate freely, spreading across tens of thousands of exposed machines.
Security researchers watched with bated breath (and tried to work out how an exploit worked: the original report didn’t come with a handy proof-of-concept) for malware using the vulnerability to start propagating. The vulnerability “may have set the stage for the worst malware attack in years” as reporters wrote.
BlueKeep Malware Finally Emerges
That just changed.
Security researcher Kevin Beaumont – who originally coined the nickname “BlueKeep” – had quickly used Azure Sentinel with Microsoft Sysmon to build a series of honeypots (“BluePot”) to capture any BlueKeep-based attacks, after more details on the vulnerability emerged.
They had, until now, he notes, been “eerily quiet”.
On Sunday the Manchester-based researcher, who runs OpenSecurity.global, wrote that the first signs of something being awry came when one of his honeypots crashed and rebooted on October 23.
“Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity. On 2nd November 2019 I finally realised what was happening, as my Azure Log Analytics bill had issues and I wanted to know what was happening, so logged in to Azure Sentinel…”
Blog post on how I discovered mass exploitation of BlueKeep from a kernel dump of a crashed system. https://t.co/2tLdLNosYt
— MalwareTech (@MalwareTechBlog) November 3, 2019
After realising what might be happening, he sent a crash dump to security researcher Marcus Hutchins (of WannaCry-thwarting fame) for analysis.
The attacks did indeed bear the hallmark of BlueKeep, he found.
But amidst all the hype, and with all the attention of security researchers on the vulnerability, the payload of the attack turned out to be somewhat banal: it was a miner for the cryptocurrency Monero. (Beaumont says that almost as soon as he wrote about the attacks, they dried up outright, as though someone had got cold feet.)
Since publishing, all BlueKeep activity that I could see has stopped.
— Kevin Beaumont (@GossiTheDog) November 4, 2019
Hutchins, in his technical write-up on the malware, noted: “It’s curious that [BlueKeep] took this long to get detectably weaponized. One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved.”
He added: “Although this alleged activity is concerning, the information security community (correctly) predicted much worse potential scenarios.
“Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack. It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.”