Microsoft warns users to stay alert for more BlueKeep attacks

Microsoft: BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.
Written by Catalin Cimpanu, Contributor

Microsoft's security team believes that more destructive BlueKeep attacks are on the horizon and urges users and companies alike to apply patches if they've been lagging.

The company's warning comes after security researchers detected the first-ever malware campaign that weaponized the BlueKeep vulnerability.

The attacks, which were detected last weekend, used BlueKeep to break into unpatched Windows systems and install a cryptocurrency miner.

Many security researchers considered the attacks underwhelming and not living up to the hype that was built around BlueKeep for the past six months.

This was because Microsoft said BlueKeep could be used to build wormable (self-spreading) malware. However, the attacks that happened over the weekend did not deploy malware that could spread on its own.

Instead, attackers scanned the internet for vulnerable systems and attacked each unpatched system, one at a time, deploying a BlueKeep exploit, and then the cryptocurrency miner.

This was far from the self-spreading malware outbreak that Microsoft said BlueKeep could trigger. Furthermore, in many cases, the BlueKeep exploit failed to work, crashing systems.

But Microsoft says this is just the beginning, and that attackers will eventually refine their attacks, and that the worst is yet to come.

"While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners," Microsoft said today. "We cannot discount enhancements that will likely result in more effective attacks."

Now, Microsoft is warning and urging users to apply patches -- for the third time this year.

"Customers are encouraged to identify and update vulnerable systems immediately," the company said. "Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised."

The BlueKeep lowdown

Because there's been a flood of BlueKeep-related coverage this year, below is a summary of what you need to know. Just the essentials:

A brief history of Microsoft's Surface: Missteps and successes

Editorial standards