Windows BlueKeep RDP Attacks Are Here, Infecting With Miners

upstart writes:

Submitted via IRC for soylent_red

Windows BlueKeep RDP Attacks Are Here, Infecting with Miners

The BlueKeep remote code execution vulnerability in the Windows Remote Desktop Services is currently exploited in the wild. Vulnerable machines exposed to the web are apparently compromised for cryptocurrency mining purposes.

The attempts have been recorded by honeypots that expose only port 3389, specific for remote assistance connections via the Remote Desktop Protocol (RDP).

Security researcher Kevin Beaumont noticed on Saturday that multiple honeypots in his EternalPot RDP honeypot network started to crash and reboot. They've been active for almost half a year and this is the first time they came down. For some reason, the machines in Australia did not crash, the researcher noted in a tweet.

First details about BlueKeep being the cause of these events came from MalwareTech, who investigated the crash dumps from Beaumont's machines. He said that he "found BlueKeep artifacts in memory and shellcode to drop a Monero Miner."

According to early analysis from MalwareTech, an initial payload runs an encoded PowerShell command that downloads a second PowerShell script, also encoded. The researcher says that the final payload is a cryptocurrency miner, likely for Monero, currently detected by 25 out of 68 antivirus engines on the VirtusTotal scanning platform.

Original Submission

Read more of this story at SoylentNews.