Microsoft Confirms Windows ‘BlueKeep’ Attack: Users Told To Patch Now


Microsoft Security Intelligence, the company's global network of security experts, has taken to Twitter to urge Windows users to patch now. At the same time, the Microsoft Defender ATP Research Team has published a detailed confirmation of ongoing BlueKeep exploitation that joins the dots between this activity and earlier attacks spotted in September.

On November 3 I reported that a BlueKeep exploitation campaign against Windows, the kind of attack Microsoft, the National Security Agency (NSA) and the U.S. Government had warned could be coming, was under way. Microsoft has now described how it worked with the security researchers who first noticed their BlueKeep honeypots crashing, the signal that suggested an attack was in progress. That investigation and analysis confirmed that the crashes were caused by a BlueKeep exploit module.

The Microsoft BlueKeep attack confirmation

The Microsoft Defender ATP Research Team revealed that it had deployed a behavioral detection for the BlueKeep Metasploit module in Microsoft Defender ATP in early September. From September 6, the day the Metasploit module was publicly released, that detection began firing, and Microsoft started collecting the related security signals for analysis. The telemetry showed Remote Desktop Protocol (RDP) service crashes rising from around ten a day to 100 a day. A failed exploitation attempt against the flawed RDP kernel driver typically takes the whole machine down, which is why a jump in crash telemetry is a usable indicator of attack activity. Things then went relatively quiet until October 9, when a similar rise in memory-corruption crashes was seen, and on October 23 the crashes began on external researchers' honeypots, deliberately exposed machines set up to record exactly this kind of attack.

"Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign," the report stated, "which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner." The Microsoft researchers conclude that the same attackers were behind both campaigns. In all cases, the coin miner connected to control infrastructure located in Israel.

BlueKeep worm threat

As I reported previously, the wormable threat of BlueKeep has yet to materialize: the exploit in use is not self-propagating, and the attacker appears instead to have been scanning for unpatched Windows systems with RDP (TCP port 3389) exposed to the internet. I also suggested that the threat actors could pivot from a crypto-miner to more damaging payloads, and with more than 500,000 vulnerable Windows systems still unpatched, Microsoft has now added considerable weight to that warning. "While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners," the Microsoft Defender ATP Research Team said.

BlueKeep exploit attack mitigation

Users with any machines running Windows 7, Windows Server 2008 or Windows Server 2008 R2 are "encouraged to identify and update vulnerable systems immediately," Microsoft said. That is easier said than done: Microsoft also acknowledges that many of the unpatched devices may be "unmonitored" appliances, placed by suppliers or other third parties to "occasionally manage customer services," which are unlikely to show up in routine patch management. However you gain visibility into your networks, you need to find these devices before the attackers turn the knob up to eleven. The mitigation advice remains what it has been since May 14, when Microsoft released the security update for the BlueKeep vulnerability (CVE-2019-0708): install it now. Enabling Network Level Authentication (NLA) and keeping TCP port 3389 off the internet reduce exposure in the meantime, because the flaw is reached before a user authenticates when NLA is not enforced, but neither is a substitute for the patch.
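To give the "find these devices" advice something concrete, here is an added example, not code from the article or from Microsoft, that probes an RDP listener's security-protocol negotiation, the first exchange of an RDP session as defined in MS-RDPBCGR. It sends an X.224 Connection Request offering only standard RDP security; a server that accepts will talk to an unauthenticated client through the pre-authentication stages of the protocol where BlueKeep lives, while a server enforcing NLA refuses with HYBRID_REQUIRED_BY_SERVER. The flag values and failure codes are the protocol's own; the sample server responses, the host name and the triage labels are constructed for illustration. Because it works purely on the wire, it sees the unmonitored third-party appliance that no patch inventory lists, but it checks NLA exposure, not whether the May update is installed, so an NLA_ENFORCED result lowers the priority of a host rather than closing the finding.

```python
"""Probe whether an RDP listener accepts a connection without Network Level
Authentication (NLA) via the RDP_NEG_REQ / RDP_NEG_RSP exchange (MS-RDPBCGR).
Added example, not the article's or Microsoft's code; sample data is constructed."""
import socket
import struct
import sys

# requestedProtocols flags in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

# failureCode values in RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type=1, flags=0, length=8, requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: LI (bytes following LI), code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length including this 4-byte header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and its negotiation result."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0), got 0x%02x" % code)
    if li == 6 or tpkt_len <= 11:
        # No RDP_NEG_RSP at all: a server from before protocol negotiation
        # existed, which therefore only speaks standard RDP security.
        return {"result": "no_negotiation"}
    if len(data) < 19:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"result": "accepted", "selected_protocol": value}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"result": "failure", "failure_code": value,
                "reason": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation structure type 0x%02x" % ntype)


def classify(parsed):
    """Triage label for a probe that offered PROTOCOL_RDP only (labels are ours)."""
    if parsed["result"] in ("no_negotiation", "accepted"):
        # Only standard RDP security was offered, so "accepted" means the
        # server proceeds with an unauthenticated client.
        return "NLA_NOT_ENFORCED"
    if parsed["failure_code"] in (0x05, 0x06):
        return "NLA_ENFORCED"
    if parsed["failure_code"] == 0x01:
        return "TLS_REQUIRED_NLA_UNKNOWN"  # re-probe offering PROTOCOL_SSL to learn more
    return "UNEXPECTED_" + parsed["reason"]


def triage(data):
    return classify(parse_connection_confirm(data))


# Constructed server answers (not captured traffic) for offline use and tests.
SAMPLE_RESPONSES = {
    "accepts_standard_rdp": bytes.fromhex("03000013 0ed00000123400 0200080000000000"),
    "nla_required": bytes.fromhex("03000013 0ed00000123400 0300080005000000"),
    "tls_required": bytes.fromhex("03000013 0ed00000123400 0300080001000000"),
    "legacy_no_negotiation": bytes.fromhex("0300000b 06d00000123400"),
}


def probe(host, port=3389, timeout=5.0):
    """Send the PROTOCOL_RDP-only request to a live host and triage its answer.
    Stops at negotiation: it reports NLA exposure, not whether the patch is installed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        data = s.recv(64)
    return triage(data)


if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        print("%-22s -> %s" % (name, triage(resp)))
    if len(sys.argv) > 1:  # e.g. python rdp_nla_probe.py rdp.example.internal (hypothetical host)
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

Run it with no arguments to see the four constructed cases classified; pass a host name to probe a real listener. Hosts that come back NLA_NOT_ENFORCED on an internet-facing 3389 are the ones to patch or firewall first; TLS_REQUIRED_NLA_UNKNOWN means the server insists on TLS but has not yet said whether it also insists on CredSSP, so a second request offering PROTOCOL_SSL settles it.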
