On November 2, security researchers Kevin Beaumont (@GossiTheDog) and Marcus Hutchins (@MalwareTechBlog) confirmed the first in-the-wild exploitation of CVE-2019-0708, also known as BlueKeep. CVE-2019-0708, a critical remote code execution vulnerability in Microsoft’s Remote Desktop Services, was patched back in May 2019.
This weekend, Beaumont observed blue screens of death (BSODs) for his BlueKeep honeypots on November 2. Beaumont shared a kernel crash dump from his honeypots with Hutchins, who confirmed this as the first exploitation of BlueKeep in the wild. Hutchins shared his analysis in a blog post, where he identified the attackers were utilising a recently released exploit module to distribute a cryptocurrency (or “coin”) miner detected by 44% scanners on VirusTotal as of November 3.