Mass BlueKeep RDP Attacks Detected Spreading Cryptocurrency Miners

The BlueKeep remote code execution vulnerability in Windows Remote Desktop Services is being exploited in real world attacks.

The vulnerability – CVE-2019-0708 – can be exploited on vulnerable systems by sending a specially crafted request over RDP. No user interaction is required. A patch to correct the flaw was issued by Microsoft in May.

The flaw is one of the most serious vulnerabilities discovered in 2019. Like the Windows Server Message Block (SMB) vulnerability that was exploited in the WannaCry ransomware attacks in May 2017, the vulnerability is wormable, which means it can spread from one vulnerable computer to another with no user interaction required.

Also, like the WannaCry attacks, a patch that fixes the vulnerability and makes computers immune was issued months beforehand: Microsoft released the patch to correct the flaw in May 2019.

Many computers remain vulnerable despite warnings from Microsoft to patch immediately following the May 2019 security update. The severity of the flaw and slow rate of patching prompted Microsoft to issue another warning in June. The NSA and many other security agencies have also issued warnings and have urged businesses to apply the patch. Yet despite these warnings, a month after the patch had been released, around a million devices remained vulnerable to attack. Devices that are still vulnerable are now being targeted.

Fortunately, the threat group conducting the attacks is not using a worm, so the damage caused by an attack will be limited. There have been no reported cases of data being wiped; instead, the vulnerability is being exploited to download a Monero cryptocurrency miner via a PowerShell command and PowerShell script.

The attacks were identified by researcher Kevin Beaumont, who set up multiple BlueKeep honeypots after the flaw was disclosed. The worldwide network of honeypots had not been attacked until this weekend, when first one honeypot crashed and rebooted, followed by all of the others around the world with the exception of Australia.

The attacks are being conducted on unpatched Windows devices that have RDP port 3389 exposed to the Internet. MalwareTech, of WannaCry kill-switch fame, analyzed the crash dumps and identified BlueKeep artifacts in memory along with shellcode that indicated a cryptocurrency miner was being delivered.

An early analysis of the attacks suggests the attackers have used a BlueKeep scanner to find vulnerable IP addresses, which are then being systematically attacked. The attacks on Beaumont’s honeypots generated more than 26 million events over the weekend, indicating the extent of the campaign.

While the majority of businesses have applied the update – the count was 83% in June – many are still vulnerable. The number of unpatched devices globally is understood to be around 724,000. Consumers running Windows 7, Windows Server 2008 R2, and Windows Server 2008 may also be vulnerable to attack.

The advice – as always – is to apply patches promptly, and if you have not yet applied the update that corrects the BlueKeep flaw there really isn’t any time to waste.
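As an added example that is not part of the article, the following PowerShell script checks whether a single host meets the exposure conditions described above: an affected OS (Windows 7, Windows Server 2008 or 2008 R2), Remote Desktop enabled and listening on TCP 3389, and no evidence of the May 2019 fix. It assumes an elevated PowerShell session and that the operator passes the KB identifiers for their OS from Microsoft’s CVE-2019-0708 advisory via the hypothetical -PatchKBs parameter; the Network Level Authentication check reflects the partial mitigation Microsoft documented for this flaw, which the article itself does not discuss.

```powershell
# Added example (not from the article): local BlueKeep exposure triage for one Windows host.
# Assumes an elevated session. -PatchKBs is supplied by the operator from the
# Microsoft advisory for CVE-2019-0708 (e.g. 'KB<from advisory>'); nothing is hard-coded here.
param(
    [string[]]$PatchKBs = @()
)

$os = Get-CimInstance Win32_OperatingSystem
# OS families the article names as still vulnerable when unpatched.
$affected = @('Windows 7', 'Windows Server 2008 R2', 'Windows Server 2008')
$osAffected = ($affected | Where-Object { $os.Caption -like "*$_*" }).Count -gt 0

# Remote Desktop enabled? fDenyTSConnections = 0 means incoming connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Network Level Authentication requires valid credentials before the pre-authentication
# code path is reached; it reduces exposure but is not a substitute for the patch.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaEnabled = ($rdpTcp.UserAuthentication -eq 1)

# Anything listening on TCP 3389? netstat is used because Get-NetTCPConnection does not
# exist on Windows 7 / Server 2008.
$listening = (netstat -ano | Select-String ':3389\s+\S+\s+LISTENING').Count -gt 0

# Patch check: is any of the operator-supplied KB IDs installed?
$patched = $false
if ($PatchKBs.Count -gt 0) {
    $patched = (Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID }).Count -gt 0
}

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    OS            = $os.Caption
    AffectedOS    = $osAffected
    RdpEnabled    = $rdpEnabled
    Listening3389 = $listening
    NlaEnabled    = $nlaEnabled
    PatchFound    = $patched
    # Exposed: affected OS, RDP reachable on 3389, and no evidence of the fix.
    # If PatchKBs was not supplied, PatchFound is false and Exposed errs on the side of caution.
    Exposed       = ($osAffected -and $rdpEnabled -and $listening -and -not $patched)
}
```

A host that reports Exposed = True with Listening3389 = True should be treated as a candidate for the Internet-facing population the article describes and patched (or have port 3389 removed from Internet exposure) before anything else.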

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of