First “BlueKeep” Exploit Has Just Been Spotted in the Wild

Written by Bill Toulas
Last updated September 23, 2021

After we were warned about the real possibility of seeing BlueKeep getting weaponized in July, and after Metasploit published a working exploit in September, the first actual exploit that roams the wild has just been spotted. According to the researchers that first discovered it, this is the attempt of an amateur actor, so it is not exactly a menace in the IT world. However, this is just the first-ever recorded attempt, reminding us of the significance of patching, as well as the fact that there are about 300,000 critical systems that remain vulnerable even though Microsoft fixed CVE-2019-0708 many months ago.

Researcher Kevin Beaumont was among the first to discover the exploit after his EternalPot RDP honeypots got the blue screen of death. Upon further analysis, the purpose of the exploit was found to be the dropping of a Monero miner. The initial payload features encoded PowerShell commands that set a series of malicious code executions in motion. The XMR malware is finally mining Monero, generating revenue for the actors by using the computational resources of the infected systems.

This is a pretty degraded approach to have on a wormable exploit, and it is, of course, the only good news in the story. This first BlueKeep exploit isn’t self-spreading or aggressively propagated. The attackers are scanning the net to find exploitable targets and then infect them specifically. That said, it’s nothing like the WannaCry-style risk that the researchers have been warning about so far. This means that vulnerable systems that aren’t connected to the internet are safe for now, but it doesn’t mean that the situation will stay like that forever. Malicious actors and people with deeper knowledge than those who created this first exploit are bound to deliver a more sophisticated blow soon.

Right now, the things that you can do if an update is out of the question are to disable the RDP services, block port 3389, and enable Network Level Authentication (NLA). If you have been delaying the patching thus far, thinking that there are no working exploits out there, this is obviously the time to reconsider the notion. The existing exploit may not be staggering, but it serves as a proof and reminder of the dangers of BlueKeep.

Have something to comment on the above? Feel free to share your thoughts with us in the section down below, or on our socials, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: