iTnews

Researchers spot BlueKeep worm hitting honeypots

By Juha Saarinen on Nov 4, 2019 7:08AM
Researchers spot BlueKeep worm hitting honeypots

Yet to hit Australia.

Security researchers are seeing the first indications of self-replicating malware or worms exploiting unpatched Windows systems vulnerable to the BlueKeep remote desktop protocol flaw.

Over the weekend, well-known OpenSecurity.global researcher Kevin Beaumont tweeted that his EternalPot RDP honeypots had started crash with Windows Blue Screen of Death (BSoD) in all regions they were deployed in bar Australia.

Honeypots are systems specifically set up by security researchers to catch exploit attempts.

Marcus Hutchins, a researcher who rose to instant fame after mitigating the destructive WannaCry ransomware attack and his arrest by United States authorities afterwards for alleged malware dissemination, chipped in with a preliminary analysis of the crashes.

Hutchins suspected they're due to a BlueKeep worm making the rounds.

It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner. https://t.co/7G88YAW5lr

— MalwareTech (@MalwareTechBlog) November 2, 2019

Further analysis by Hutchins confirmed that this is a BlueKeep exploit, arriving some six months after the vulnerability was published.

The malicious code delivered by the worm downloads and executes a series of encoded Windows PowerShell commands.

These fetch another payload, an executable that runs a miner for the Monero crypto-currency.

Beaumont later said that "we found definite BlueKeep exploitation in wild across every country with a RDP honeypot (except Australia)."

He added in a blog post that there are over 724,000 internet-accessible systems that are not patched against the BlueKeep vulnerability.

Administrators should also patch internal systems against BlueKeep, as history has shown that worms can spread to these as well.

Microsoft has warned that the BlueKeep vulnerability is extremely serious, and could lead to another WannaCry malware epidemic, or worse.

Patches have been issued for vulnerable Windows systems, including Windows XP and Windows Server 2003, both of which are long out of support.

The Australian Cyber Security Centre has urged administrators to apply the available patches. as soon as possible.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bluekeep kevin beaumont marcus hutchins rdp remote desktop protcol security

Partner Content

The hybrid work business opportunity
Partner Content The hybrid work business opportunity
Unblocking your organisation's data flows
Partner Content Unblocking your organisation's data flows
From 30 people to 6 million: How workplace tech is driving Movember's global community
Promoted Content From 30 people to 6 million: How workplace tech is driving Movember's global community
Rethinking security and access for hybrid work
Partner Content Rethinking security and access for hybrid work

Sponsored Whitepapers

Tomago Aluminium improves SAP environment performance, security with Red Hat and IBM
Tomago Aluminium improves SAP environment performance, security with Red Hat and IBM
Future of work: Support your distributed HR workforce with digital document processes
Future of work: Support your distributed HR workforce with digital document processes
Develop a resiliency strategy that integrates risk analysis & continuity management
Develop a resiliency strategy that integrates risk analysis & continuity management
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
Optimise your operations with APM and AI-Powered insights
Optimise your operations with APM and AI-Powered insights

Events

  • Nutanix .NEXT Conference
By Juha Saarinen
Nov 4 2019
7:08AM
0 Comments

Related Articles

  • US to target ransomware payments in cryptocurrency with sanctions
  • IAG is restructuring its security operations
  • Facebook targets harmful real networks using playbook against fakes
  • Microsoft readies passwordless logins
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Westpac replaces branch phone systems with iPhones, Teams Calling

Westpac replaces branch phone systems with iPhones, Teams Calling
Australia Post nears end of massive telco transformation

Australia Post nears end of massive telco transformation
Westpac loses its group head of data and advanced analytics

Westpac loses its group head of data and advanced analytics
NBN Co to charge free fibre recipients that don't stick with higher speed plans

NBN Co to charge free fibre recipients that don't stick with higher speed plans
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.