Long-anticipated ‘BlueKeep’ cyberattacks on Microsoft devices have begun

5 Nov 2019

Image: © Tom Eversley/Stock.adobe.com

The first use of the Microsoft BlueKeep exploit has been spotted in the wild.

After much speculation about the potential of a BlueKeep exploit attack, one has finally come to pass – though its impact so far has been significantly lower than once feared.

BlueKeep can, if exploited, allow hackers to remotely execute whatever code they choose, leaving Microsoft users vulnerable to attack. The vulnerability affects legacy editions of Windows OS such as Vista, Windows 7, Windows XP and more.

Microsoft first began issuing warnings about BlueKeep, a remote code execution vulnerability, in May of this year. It ran into issues when users failed to apply the patch – Microsoft users have frequently complained in the past that updates will cause devices to freeze.

Its warnings became increasingly grave, with the company warning users that the fallout from BlueKeep attacks could be just as serious as the spate of WannaCry attacks that severely impacted the UK’s NHS.

Security researchers were particularly alarmed by the fact that the vulnerability is ‘wormable’, meaning that malware exploiting it can self-propagate from machine to machine without user interaction.

Researchers also feared that the scale of the fallout could be comparable to the NotPetya attacks, which caused massive disruption globally in government agencies, ports and more.

Exploit in the wild

Now, it has finally come to pass: researchers have discovered the first known BlueKeep exploit ‘in the wild’, but it is not nearly as vicious as previously feared.

The attack, instigated by a “low-level actor”, as Kryptos Security described it, was first noted by security researcher Kevin Beaumont, who set up a number of BlueKeep honeypots (Bluepots).

Honeypots are computer security mechanisms designed to detect, and sometimes counteract, unauthorised use of information systems. Typically they appear to be a legitimate part of a site or network, but are in fact an isolated, monitored decoy that has no production role, so any connection to them is by definition suspicious.
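The following is an added example of the detection principle described above; it is not code from the article or from Kevin Beaumont's Bluepots. It is a minimal TCP honeypot that accepts connections on a port nobody legitimate should be using, records the source address, time and the first bytes sent, and closes the connection without acting on the input. The port, log line format and alert threshold are assumptions for illustration; the probe payloads in the test are constructed.

```python
"""Minimal TCP honeypot: record who connects, never act on what they send."""
import socket
import threading
import time
from collections import Counter

# RDP's well-known port is 3389; a real honeypot would listen there.
# Port 0 (ephemeral) is used below so the example runs without privileges.
DEFAULT_PORT = 3389  # assumption: illustrative only


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, max_bytes=64):
        self.host = host
        self.port = port
        self.max_bytes = max_bytes      # only sample the opening bytes
        self.events = []                # one dict per connection attempt
        self._sock = None
        self._thread = None
        self._stop = threading.Event()
        self._lock = threading.Lock()

    def start(self):
        """Bind, listen and serve in a background thread; return the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # lets the loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(self.max_bytes)   # sample, never parse or execute
                except (socket.timeout, OSError):
                    data = b""
            event = {"time": time.time(), "src": addr[0],
                     "src_port": addr[1], "first_bytes": data.hex()}
            with self._lock:
                self.events.append(event)

    def wait_for_events(self, n, timeout=5.0):
        """Block until at least n events are recorded or timeout elapses."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.05)
        return False

    def snapshot(self):
        with self._lock:
            return list(self.events)

    def stop(self):
        self._stop.set()
        if self._thread:
            self._thread.join(timeout=2)
        if self._sock:
            self._sock.close()


def probe(host, port, payload):
    """Test helper standing in for a scanner: connect, send payload, close."""
    with socket.create_connection((host, port), timeout=2) as s:
        if payload:
            s.sendall(payload)


def sources_over_threshold(events, threshold):
    """Sources that hit the decoy at least `threshold` times: worth alerting on."""
    counts = Counter(e["src"] for e in events)
    return sorted(src for src, n in counts.items() if n >= threshold)


def format_log_line(event):
    """Render one event as a line a SIEM could ingest."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(event["time"]))
    return (f"{ts} honeypot connection from {event['src']}:{event['src_port']} "
            f"first_bytes={event['first_bytes'] or '-'}")


if __name__ == "__main__":
    hp = Honeypot(port=0)
    port = hp.start()
    probe("127.0.0.1", port, b"\x03\x00\x00\x13")   # constructed sample payload
    hp.wait_for_events(1)
    hp.stop()
    for ev in hp.snapshot():
        print(format_log_line(ev))
```

Because the decoy has no legitimate users, the value is in the log, not in the service: a single connection is a signal and a source that returns repeatedly is a candidate for an alert or a block. Sampling only the first few bytes keeps the honeypot from becoming a target itself.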

The hacker used BlueKeep to execute a cryptocurrency miner – but, as yet, nothing like the scale of other well-known vulnerabilities has been detected, nor have any symptoms of a worm infection been observed.

Eva Short was a journalist at Silicon Republic

editorial@siliconrepublic.com