After almost six months of warnings that Microsoft Windows users must patch the critical Remote Desktop Protocol vulnerability known as BlueKeep, researchers have finally detected the first known attempt at a large-scale attack exploiting this remote code execution flaw.
Since last May, security experts have expressed concern that a BlueKeep exploit could lead to a major worm outbreak like the 2017 WannaCry and NotPetya incidents. Fortunately, the recently observed malicious activity has so far fallen short of their worst fears. In this case, the attackers are attempting to infect machines with only a cryptominer, rather than ransomware or a destructive disk wiper. And instead of spreading the malware like a worm, the perpetrators have simply been scanning the internet for computers vulnerable to BlueKeep and exploiting them one at a time.
Researcher Kevin Beaumont, who is credited with naming BlueKeep, initially detected the activity via his honeypots monitoring TCP port 3389, the port used by the Windows Remote Desktop Protocol. Beginning Oct. 23, the honeypots started crashing with a Blue Screen of Death and then rebooting. "Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity," said Beaumont in a blog post.
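The scanning behaviour described above is easy to spot in perimeter logs: one source touching TCP/3389 on many distinct hosts in a short span is a scanner, while a single user reaching one RDP host is not. The following is an added example, not code from the SC Media article or from Beaumont's honeypots. It assumes a simplified firewall log format (one connection attempt per line: timestamp, source IP, destination IP, destination port) and uses constructed sample lines; the threshold of three distinct targets is an arbitrary choice for illustration.

```python
"""Flag sources that scan TCP/3389 (RDP) across many hosts.

Added illustration; the log format and sample lines are assumptions,
not data from the article. Format per line:
    TIMESTAMP SRC_IP DST_IP DST_PORT
"""
from collections import defaultdict

RDP_PORT = 3389

# Constructed sample: 198.51.100.7 sweeps five hosts on 3389 (scanner),
# 192.0.2.44 makes a single RDP connection plus an HTTPS one (normal user).
SAMPLE_LOG = """\
2019-10-23T01:00:01Z 198.51.100.7 203.0.113.10 3389
2019-10-23T01:00:02Z 198.51.100.7 203.0.113.11 3389
2019-10-23T01:00:02Z 198.51.100.7 203.0.113.12 3389
2019-10-23T01:00:03Z 198.51.100.7 203.0.113.13 3389
2019-10-23T01:00:05Z 192.0.2.44 203.0.113.10 443
2019-10-23T01:00:06Z 192.0.2.44 203.0.113.10 3389
2019-10-23T01:00:07Z 198.51.100.7 203.0.113.14 3389
"""


def parse_log(log_text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # ignore lines that do not match the assumed format
        ts, src, dst, port = fields
        yield ts, src, dst, int(port)


def rdp_scanners(log_text, min_targets=3):
    """Return {src_ip: distinct_rdp_targets} for sources that hit TCP/3389
    on at least `min_targets` distinct destination hosts."""
    targets = defaultdict(set)
    for _, src, dst, port in parse_log(log_text):
        if port == RDP_PORT:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, count in rdp_scanners(SAMPLE_LOG).items():
        print(f"RDP scan from {src}: {count} distinct targets")
```

Run against the constructed log, only 198.51.100.7 is reported (five distinct targets); the single RDP connection from 192.0.2.44 stays below the threshold. In production the same logic should be windowed by time and fed from the firewall or NetFlow export rather than a string, and any flagged source can be cross-checked against the hosts that subsequently crashed, as Beaumont's honeypots did.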