ACSC warns on BlueKeep after cryptojacking exploit detected

The Australian Cyber Security Centre has issued a fresh warning on the BlueKeep remote desktop protocol vulnerability after reports hackers have begun exploiting the flaw to mine cryptocurrency.

Security researchers identified the first indications of self-replicating malware exploiting unpatched Windows systems in late October, six months after the vulnerability was first published.

Well-known OpenSecurity.global researcher Kevin Beaumont, who coined the term BlueKeep, found his honeypots set up to catch exploit attempts were crashing in all regions except Australia.

Further analysis by British malware researcher Marcus Hutchins, who neutralised the WannaCry ransomware attack and was recently arrested for alleged malware dissemination, found the malicious code delivered by the worm was running a miner for the Monero crypto-currency.

On Friday ACSC chief Rachel Noble said the public facing arm of the Australian Signals Directorate was investigating reports the BlueKeep vulnerability was being exploited to mine cryptocurrency.

The agency first warned of a working exploit for BlueKeep affecting older Windows operating systems, including Windows 7, Windows XP, Server 2003 and Server 2008, in September.

“We are also concerned about reports cybercriminals are exploiting the BlueKeep vulnerability to access computers and control them without the users’ knowledge,” Noble said.

“While you are watching your TV or eating dinner with your family, a cybercriminal can use your computer to mine and profit from untraceable digital currency, and you may never know that this has occurred.

“The unfortunate truth is that once a cybercriminal can access your computer, they can control your computer. If they find valuable data, like your personal information and photos, they can steal it.”

ACSC is also continuing to respond to the Emotet malware campaign, which has hit at least 19 organisations, including critical infrastructure providers and government agencies.

The extent of the campaign, which also led to the recent Ryuk ransomware attacks against regional Victorian hospitals and health services, led the ACSC to issue a national alert last month.

On Friday, the ACSC said Cyber Incident Management Arrangements (CIMA) initiated in response to Emotet remained activated, though the alert level has been downgraded to level four.

Noble said the alert level, although downgraded, still required “a precautionary approach through increasing monitoring, analysis, and strategic coordination and engagement at the national level”.

“While we have seen a drop in the number of Emotet infections in the last week, people and businesses should remain vigilant,” she said.

“The threat is real, but there is something you can do about it.”

“A few minutes updating your software could save you or your business weeks or months of recovering from the damage caused by a cybercriminal.”