Honeypots set up to catch exploitation of the BlueKeep vulnerability in Windows have been systematically attacked for the first time. However, the exploit used against the honeypots does not appear to be a worm, which is good news.
According to a report in Wired, the honeypots are being infected with a cryptominer, which uses the computing power of its targets to mine cryptocurrency. It is not clear which currency is involved. Systems are tracked down individually over the web, and the malware does not spread to neighboring machines. The honeypots belong to security researcher Kevin Beaumont.
Security researcher Marcus Hutchins calls it “remarkable” that a known vulnerability like this has gone unexploited for so long, and that the “outbreak” has so far been confined to fairly limited exploitation of the vulnerability. According to him, this is likely the work of a ‘low-level actor’ using ‘out-of-the-box pentest tools’.
The BlueKeep vulnerability affects older Windows versions, including Windows 7 and XP. It is a vulnerability in Remote Desktop Services that allows remote code execution. In its announcement, Microsoft compared the potential impact of an exploit to that of WannaCry, the disastrous ransomware that wreaked havoc in 2017 and caused an estimated $4-8 billion in damage, according to Wired. All in all, it seems that the campaign conducted by Microsoft, as well as the NCSC and the NSA, has paid off.