Microsoft warns companies to patch BlueKeep vulnerability again
Microsoft again warns companies about the BlueKeep vulnerability. The software giant is doing this after it turned out that the vulnerability was actively being exploited to install a coinminer. Microsoft has had a patch available for months.
The leak that Microsoft warns about has been known for months. BlueKeep is a remote code execution bug in Remote Desktop Services in Windows 7, Windows Server 2008 and 2008 R2. The vulnerability is very similar to the bug that major ransomware attacks like WannaCry exploit. That is why there is great fear that BlueKeep could also cause major damage to companies. It’s not the first time Microsoft has warned against BlueKeep. It previously did this together with the National Cyber Security Center.
Until recently, however, the vulnerability has not been exploited on a large scale. Last week it was announced that the first BlueKeep infections came in on honeypots. Microsoft is now confirming that. The company has collaborated with, among others, security researcher Marcus Hutchins. Also known as MalwareTech, he is the researcher who stopped WannaCry. So far, Microsoft says the RDP vulnerability has only been exploited to install coinminers.
The company has seen an upward trend in the number of attacks since a Metasploit module for the vulnerability was released last month. The attacks are particularly striking in Western European countries such as France, Spain, Germany and Italy, but also in Russia and Ukraine. The vulnerability that is now being exploited regularly causes the remote desktop protocol to crash. If the attack is successful, the cryptominer will be installed via PowerShell, Microsoft writes.
Microsoft also warns again that companies must implement the available patch to prevent that. That patch for the bug, code CVE-2019-0708, has been available since March of this year. However, many companies have not yet implemented it. Companies vulnerable to BlueKeep should generally hurry up with upgrades: the vulnerability only affects Windows 7 and older versions of Windows Server, which will no longer be supported in two months.