Submitted via IRC for soylent_red
Windows BlueKeep RDP Attacks Are Here, Infecting with Miners
The BlueKeep remote code execution vulnerability in the Windows Remote Desktop Services is currently exploited in the wild. Vulnerable machines exposed to the web are apparently compromised for cryptocurrency mining purposes.
The attempts have been recorded by honeypots that expose only port 3389, specific for remote assistance connections via the Remote Desktop Protocol (RDP).
Security researcher Kevin Beaumont noticed on Saturday that multiple honeypots in his EternalPot RDP honeypot network started to crash and reboot. They've been active for almost half a year and this is the first time they came down. For some reason, the machines in Australia did not crash, the researcher noted in a tweet.
First details about BlueKeep being the cause of these events came from MalwareTech, who investigated the crash dumps from Beaumont's machines. He said that he "found BlueKeep artifacts in memory and shellcode to drop a Monero Miner."
According to early analysis from MalwareTech, an initial payload runs an encoded PowerShell command that downloads a second PowerShell script, also encoded. The researcher says that the final payload is a cryptocurrency miner, likely for Monero, currently detected by 25 out of 68 antivirus engines on the VirtusTotal scanning platform.
(Score: 5, Funny) by DannyB on Friday November 08 2019, @07:23PM (1 child)
This is why I desperately need Powershell on Linux. So that I can get updates and patches to prevent this malware!
Help me Lennart Poettering, you're my only hope!
The lower I set my standards the more accomplishments I have.
(Score: 4, Insightful) by Azuma Hazuki on Saturday November 09 2019, @12:59AM
My soul just threw up in its mouth a bit...
I am "that girl" your mother warned you about...