What is BlueKeep?

BlueKeep is the name that has been given to a security vulnerability that was discovered earlier this year in some versions of Microsoft Windows’ implementation of the Remote Desktop Protocol (RDP).

The vulnerability was described as “wormable” by Microsoft, and users were warned that BlueKeep might be exploited in a similar fashion to how the WannaCry ransomware used the EternalBlue vulnerability to spread widely in 2017.

Warnings about the BlueKeep vulnerability have been issued by the UK’s National Cyber Security Centre (NCSC) and the United States’ National Security Agency (NSA), by equivalent agencies in Germany and Australia, and by Microsoft itself.

Microsoft considered the threat posed by BlueKeep to be so serious that the software giant took the unusual step of releasing patches for versions of Windows that are no longer supported, such as Windows Server 2003, Windows Vista, and Windows XP.

Sounds serious. Which other operating systems are vulnerable?

The RDP functionality on Windows 7 and Windows Server 2008 (both reaching the end of their support life-cycle) is also vulnerable, and should be patched as a matter of urgency.

But didn’t this all happen a while ago?

Yes, the patches from Microsoft came out in May, and although some IT teams acted fast to secure their critical Windows systems, hundreds of thousands of other internet-connected computers remain unpatched to this day.

So what have bad guys been doing with the BlueKeep vulnerability?

For some months it seemed not much was happening. But recently an attack was seen in the wild which attempted to install cryptomining software onto RDP servers that had not been patched, and had exposed port 3389 to the internet.
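For IT teams wanting to know whether a host falls into the “unpatched, with RDP reachable on 3389” category described above (and the “patch as a matter of urgency” advice earlier on this page), the following PowerShell inventory check is an added example, not code from the article. It assumes the affected-version list given on this page, and the KB number is a placeholder to be replaced with the BlueKeep update identifier for the host’s Windows version.

```powershell
# Added example: local BlueKeep exposure inventory for one Windows host.
# Reports whether the OS is one of the versions named in the article, whether an
# RDP listener is up on TCP 3389, and whether a given hotfix is installed.
# Uses Get-WmiObject and netstat so it also runs on PowerShell 2.0 (Windows 7 era).
param(
    [string]$PatchKb = 'KBXXXXXXX'   # placeholder, not a real KB identifier
)

$os = Get-WmiObject -Class Win32_OperatingSystem

# Windows versions the article lists as vulnerable (substring match on the caption)
$affectedFamilies = 'Windows XP', 'Windows Vista', 'Windows 7', 'Server 2003', 'Server 2008'
$affected = @($affectedFamilies | Where-Object { $os.Caption -like "*$_*" })

# Is anything listening on the default RDP port? (netstat lines look like
# "TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING")
$rdpListening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

# Is the patch present? Get-HotFix reads the installed-update inventory.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

New-Object PSObject -Property @{
    Host           = $env:COMPUTERNAME
    OS             = $os.Caption
    AffectedFamily = ($affected.Count -gt 0)
    RdpListening   = $rdpListening
    PatchInstalled = $patched
    # An affected, unpatched host needs the update regardless of the listener;
    # a listening port on such a host is the worst case described in the article.
    ActionNeeded   = (($affected.Count -gt 0) -and -not $patched)
}
```

Run it under an administrative session on each candidate host, or wrap it in Invoke-Command for fleet-wide inventory; the caption match on "Server 2008" is a family match, so confirm the exact edition before mapping it to the right update.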

You said “attempted”…

Yes, the attack – first spotted by security researcher Kevin Beaumont – caused systems to crash with the (Read more...)