BlueKeep (CVE 2019-0708) a critical remote code execution vulnerability spotted in the wild

security researchers Kevin Beaumont (@GossiTheDog) and Marcus Hutchins (@MalwareTechBlog) confirmed the first in-the-wild exploitation of CVE-2019-0708, also known as BlueKeep.

CVE-2019-0708, a critical remote code execution vulnerability in Microsoft’s Remote Desktop Services, was patched back in May 2019. Beaumont subsequently setup BlueKeep honeypots to keep tabs on global in-the-wild exploitation attempts of the flaw. Honeypots are bait machines used by security researchers to catch exploit attempts. Over the weekend, Beaumont observed blue screens of death (BSODs) for his BlueKeep honeypots on November 2. Hutchins shared his analysis in a blog post, where he identified the attackers were utilizing a recently released exploit module to install a cryptocurrency miner, detected by 44% scanners on VirusTotal as of November 3.

“This is the first example of attackers exploiting the BlueKeep vulnerability in the wild which should set alarm bells off for organizations that have yet to patch vulnerable systems. According to BinaryEdge, there are over 700,000 vulnerable systems that are publicly accessible, including over 8,000 in India. The risks here cannot be overstated – organizations must patch their systems immediately,” said Satnam Narang, Senior Research Engineer, Security Response at Tenable.