On November 2, security researchers Kevin Beaumont (@GossiTheDog) and Marcus Hutchins (@MalwareTechBlog) confirmed the first in-the-wild exploitation of CVE-2019-0708, also known as BlueKeep. CVE-2019-0708, a critical remote code execution vulnerability in Microsoft’s Remote Desktop Services, was patched back in May 2019.
This weekend, Beaumont observed blue screens of death (BSODs) on his BlueKeep honeypots on November 2. Beaumont shared a kernel crash dump from his honeypots with Hutchins, who confirmed it as the first exploitation of BlueKeep in the wild. Hutchins shared his analysis in a blog post, where he identified that the attackers were utilising a recently released exploit module to distribute a cryptocurrency (or “coin”) miner, detected by 44% of scanners on VirusTotal as of November 3.
This is the first example of attackers exploiting the BlueKeep vulnerability in the wild, which should set alarm bells off for organisations that have yet to patch vulnerable systems. According to BinaryEdge, there are over 700,000 vulnerable systems that are publicly accessible – including nearly 9,000 in France, over 10,000 in Germany, over 4,500 in Australia and over 100,000 in the United States. The risks here cannot be overstated — organisations must patch their systems immediately.