Microsoft’s security team believes that a more destructive BlueKeep attack is coming, and urges users and companies to install the available patches promptly.
Before Microsoft issued the warning, security researchers had detected malware activity that weaponized the BlueKeep vulnerability: the attackers exploited BlueKeep on unpatched Windows systems and silently installed a cryptocurrency miner.
Many researchers believe these attacks have had little effect and have not caused the serious consequences that were feared when the vulnerability was reported in May this year. According to Microsoft, BlueKeep is wormable, but the malware used in last week’s attacks did not include a self-propagating worm component.
“While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners,” Microsoft said today. “We cannot discount enhancements that will likely result in more effective attacks.”
The BlueKeep vulnerability (CVE-2019-0708) is a high-risk vulnerability discovered by Microsoft in May this year. It is wormable and can use Windows Remote Desktop Services (RDS) to spread malicious programs. Once a system is attacked, the attacker can execute arbitrary code on it: a specially crafted request sent over the Remote Desktop Protocol (RDP) is enough to take control of the computer without any user interaction.
Instead, the attackers scanned the Internet for vulnerable systems, attacked one unpatched system at a time, exploited BlueKeep and implanted a mining tool. This is far from the self-spreading malware that Microsoft has warned BlueKeep could enable.
Microsoft also said that no other proven attacks involving ransomware or other malware have yet been discovered. But the BlueKeep vulnerability, used today to implant mining tools, could equally deliver a destructive payload to the computer. This is the third time this year that Microsoft has issued a warning urging users to install the patches.
“Customers are encouraged to identify and update vulnerable systems immediately,” the company said. “Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces; customers should also thoroughly inspect systems that might already be infected or compromised.”
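The guidance above amounts to a triage exercise: find every host running the affected RDS code, rank the unpatched ones by exposure, and flag the vendor-managed ones that nobody may be watching. The script below is an added example and not Microsoft's tooling or code from this article; it assumes a constructed inventory whose fields (OS label, RDP enabled, Internet exposure, NLA enabled, patch status, owner) come from your own asset and patch-management data.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Windows versions whose Remote Desktop Services code is affected by CVE-2019-0708.
# Windows 8, Windows 10 and Server 2012+ are not affected. Assumption: inventory
# records use exactly these OS labels.
BLUEKEEP_AFFECTED = {"Windows XP", "Windows Server 2003", "Windows Vista", "Windows 7",
                     "Windows Server 2008", "Windows Server 2008 R2"}
PRIORITY = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}

@dataclass
class Host:                 # hypothetical inventory record
    name: str
    os: str
    rdp_enabled: bool
    internet_exposed: bool
    nla_enabled: bool       # Network Level Authentication on the RDP listener
    patched: bool           # BlueKeep fix confirmed by patch management
    owner: str              # "internal" or the name of the third party managing it

def triage(host: Host) -> Tuple[str, str]:
    """Rank one host for BlueKeep remediation and say why."""
    if host.os not in BLUEKEEP_AFFECTED:
        return "none", "OS not affected by CVE-2019-0708"
    if host.patched:
        return "none", "BlueKeep fix installed"
    if not host.rdp_enabled:
        return "low", "RDS not running; patch at next maintenance window"
    reach = "internet-exposed" if host.internet_exposed else "internal-only"
    if host.internet_exposed and not host.nla_enabled:
        level, why = "critical", f"unpatched, {reach}, no NLA: patch now and inspect for compromise"
    elif host.internet_exposed:
        level, why = "high", f"unpatched, {reach}; NLA only blocks unauthenticated exploitation"
    else:
        level, why = "medium", f"unpatched, {reach}, NLA {'on' if host.nla_enabled else 'off'}"
    if host.owner != "internal":   # the unmonitored vendor appliances the advisory warns about
        why += f"; managed by {host.owner}: confirm who patches and monitors it"
    return level, why

def remediation_plan(hosts: List[Host]) -> List[Tuple[str, str, str]]:
    """Return (host, priority, reason) rows, most urgent first."""
    rows = [(PRIORITY[lvl], h.name, lvl, why) for h in hosts for lvl, why in [triage(h)]]
    return [(name, lvl, why) for _, name, lvl, why in sorted(rows)]

INVENTORY = [  # constructed sample data
    Host("kiosk-01", "Windows 7", True, True, False, False, "VendorX"),
    Host("fs-02", "Windows Server 2008 R2", True, False, True, False, "internal"),
    Host("ws-03", "Windows 10", True, True, False, False, "internal"),
    Host("db-04", "Windows Server 2008", False, False, False, False, "internal"),
    Host("jump-05", "Windows 7", True, True, True, True, "internal"),
]

if __name__ == "__main__":
    for name, level, why in remediation_plan(INVENTORY):
        print(f"{level:8} {name:10} {why}")
```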