Redmond is sending out the caution following confirmation of the first-ever campaign that has leveraged BlueKeep. Security researchers detected the weaponized attack last week. Bad actors exploited the vulnerability to access unpatched Windows machines and install a crypto miner. Considering the mounting concern surrounding BlueKeep, the attacks were not as potent as feared. In fact, in many instances the attack failed and simply caused machines to crash. Microsoft points out this will change if hackers continue to weaponize the flaw.

BlueKeep is described as a “wormable” bug. It is particularly dangerous because it can be executed by bad actors remotely. The vulnerability occurs in Remote Desktop Services on older Windows legacy builds such as Windows 7, Windows XP, and Server 2003 and 2008.

“This [bug] would have the potential of a global WannaCry-level event,” said Chris Goettl, director of product management for security at Ivanti, during Patch Tuesday earlier this year. “What’s more, Microsoft has released updates for Windows XP and Server 2003 (which you wouldn’t have found unless you were looking at the Windows Update Catalog). So, this affects Windows 7, Server 2008 R2, XP and Server 2003.”
More to Come
Because of its wormable nature, attacks leveraging BlueKeep could spread malware automatically. Luckily, last week’s attacks did not include any malware. Microsoft says this is likely just the beginning and that more potent attacks will inevitably arrive.

“While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners,” Microsoft says. “We cannot discount enhancements that will likely result in more effective attacks.”

As always, Microsoft is telling users that updating their Windows environments will protect them against BlueKeep attacks. “Customers are encouraged to identify and update vulnerable systems immediately,” the company said. “Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces; customers should also thoroughly inspect systems that might already be infected or compromised.”
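The advice above is to identify the legacy hosts that still expose Remote Desktop and have not received the fix. The following PowerShell script is an added example of how an administrator could inventory that exposure; it is not part of the article or of any Microsoft guidance. It assumes WMI and remote-registry access to the target hosts from the workstation it runs on, and it takes the KB article numbers of the fix as a parameter, since the article does not name them (the default is a placeholder to replace with the numbers from the Windows Update Catalog).

```powershell
# Added example (not from the article): flag hosts that run one of the legacy
# builds named in the article, have Remote Desktop enabled, and lack the fix.
# Assumptions: WMI (RPC) and Remote Registry reachable on each host;
# $FixKBs holds the real KB numbers for each OS (placeholder below).
param(
    [string[]]$ComputerName = @('localhost'),
    [string[]]$FixKBs = @('KBXXXXXXX')   # placeholder: fill in from the Update Catalog
)

# NT kernel versions of the affected legacy builds listed in the article
$LegacyVersions = @{
    '5.1' = 'Windows XP'
    '5.2' = 'Windows Server 2003'
    '6.0' = 'Windows Server 2008'
    '6.1' = 'Windows 7 / Server 2008 R2'
}

function Test-BlueKeepExposure {
    param([string]$Computer, [string[]]$KBs)

    # Operating system version, e.g. "6.1.7601" -> "6.1"
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer
    $majorMinor = ($os.Version -split '\.')[0..1] -join '.'
    $legacyName = $LegacyVersions[$majorMinor]

    # Remote Desktop is enabled when fDenyTSConnections is 0
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $tsKey = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
    $rdpEnabled = ($tsKey.GetValue('fDenyTSConnections', 1) -eq 0)

    # Installed updates come from Win32_QuickFixEngineering via Get-HotFix
    $installed = Get-HotFix -ComputerName $Computer | ForEach-Object { $_.HotFixID }
    $patched = $false
    foreach ($kb in $KBs) {
        if ($installed -contains $kb) { $patched = $true }
    }

    # Exposed = legacy build + RDP listening + fix not present
    New-Object PSObject -Property @{
        Computer   = $Computer
        OS         = $os.Caption
        LegacyBuild = [bool]$legacyName
        RdpEnabled = $rdpEnabled
        Patched    = $patched
        Exposed    = ([bool]$legacyName -and $rdpEnabled -and -not $patched)
    }
}

$ComputerName | ForEach-Object {
    try {
        Test-BlueKeepExposure -Computer $_ -KBs $FixKBs
    } catch {
        # Unreachable hosts are reported rather than silently skipped, since an
        # unmonitored RDP appliance is exactly the case the article warns about
        New-Object PSObject -Property @{ Computer = $_; Exposed = 'unknown'; Error = $_.Exception.Message }
    }
} | Format-Table -AutoSize
```

Run it against the hosts in your inventory (for example, `.\Test-BlueKeep.ps1 -ComputerName (Get-Content hosts.txt) -FixKBs 'KB…'`) and treat every row with `Exposed` set to `True` or `unknown` as a host to patch or investigate. The script uses `Get-WmiObject` and remote registry rather than PowerShell remoting because the affected builds predate WinRM being enabled by default.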