Microsoft Works With Researchers To Detect and Protect Against New RDP Exploits (Nov 7, 2019)
The “BlueKeep” vulnerability (CVE-2019-0708), which allows unauthenticated remote code execution in Windows Remote Desktop Services, is now being exploited in the wild to deliver cryptominers. Security researcher Kevin Beaumont noticed the activity after his RDP honeypots began crashing and rebooting with a blue screen of death (BSOD), a sign of unstable exploitation attempts against the RDP service. Further investigation showed a PowerShell payload downloading a second PowerShell script that drops a Monero miner. The threat actors are likely scanning for hosts with the vulnerable RDP service exposed and exploiting them to install the miner. Because BlueKeep is a pre-authentication flaw that needs no user interaction, it is wormable: a compromised host can be used to exploit any other reachable vulnerable system, so every unpatched host with RDP exposed should be treated as at risk even if it has not yet been hit.
Recommendation: Apply Microsoft's security update for CVE-2019-0708 to all affected systems as soon as possible (Windows 7, Windows Server 2008 and 2008 R2, plus the out-of-band updates Microsoft issued for Windows XP and Server 2003), since a successful exploit gives the attacker full control of the host. Where patching is delayed, requiring Network Level Authentication (NLA) on RDP and blocking TCP 3389 from untrusted networks reduce exposure, because NLA forces the attacker to authenticate before the vulnerable code path is reached; these are mitigations, not a substitute for the patch. More generally, your company should have a process for reviewing and applying security updates for the software it runs, so that known vulnerabilities are closed before threat actors weaponize them.
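The following is an added example, not part of the original briefing, showing the per-host check a responder would run to decide whether a Windows machine is exposed to BlueKeep: OS generation, whether RDP is enabled, whether NLA is required, and whether a fix KB is installed. The default `$PatchKBs` values are assumed to be the May 2019 Windows 7 SP1 / Server 2008 R2 SP1 security-only and monthly rollup updates; confirm the correct KB for other builds against Microsoft's advisory before trusting a "Patched" verdict. It uses only built-in cmdlets available on Windows PowerShell 2.0 and later, so it runs on the old hosts that are actually affected.

```powershell
# Added example (not the briefing's or Microsoft's own tooling): single-host
# BlueKeep (CVE-2019-0708) exposure check. Run in an elevated PowerShell session.
param(
    # ASSUMPTION: these are the May 2019 Windows 7 SP1 / Server 2008 R2 SP1 updates.
    # Verify the KB for each build against Microsoft's advisory before relying on it.
    [string[]]$PatchKBs = @('KB4499175', 'KB4499164')
)

$os = Get-WmiObject -Class Win32_OperatingSystem
# Only NT 6.1 (Windows 7 / Server 2008 R2) and older ship the vulnerable RDS code;
# Windows 8 / Server 2012 (NT 6.2) and later are not affected.
$affectedBuild = ([Version]$os.Version) -lt ([Version]'6.2')

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts     = Get-ItemProperty -Path $tsRoot
$rdpTcp = Get-ItemProperty -Path "$tsRoot\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is turned on.
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
# UserAuthentication = 1 means Network Level Authentication is required, which makes
# the attacker authenticate before reaching the vulnerable pre-auth code path.
$nlaRequired = ($rdpTcp.UserAuthentication -eq 1)

# Get-HotFix lists installed KBs; any one of the fix KBs closes the hole.
$patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $PatchKBs -contains $_.HotFixID })

if (-not $affectedBuild) {
    $verdict = 'Not affected (Windows 8 / Server 2012 or later)'
} elseif ($patched) {
    $verdict = 'Patched'
} elseif (-not $rdpEnabled) {
    $verdict = 'Vulnerable build, RDP disabled - patch anyway'
} elseif ($nlaRequired) {
    $verdict = 'Vulnerable build, NLA required (partial mitigation only) - patch'
} else {
    $verdict = 'EXPOSED: unpatched, RDP enabled, NLA not required'
}

New-Object -TypeName PSObject -Property @{
    ComputerName   = $env:COMPUTERNAME
    OS             = $os.Caption
    Version        = $os.Version
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    RdpPort        = $rdpTcp.PortNumber
    PatchInstalled = $patched
    Verdict        = $verdict
} | Format-List
```

Run it across a fleet with `Invoke-Command -ComputerName (Get-Content hosts.txt) -FilePath .\Check-BlueKeep.ps1` and triage any host whose verdict starts with EXPOSED first; a non-default `RdpPort` does not change the verdict, since moving RDP off 3389 only hides the service from naive scanners.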
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.