View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 4, 2019

BlueKeep Malware Lands, Spawns, Vanishes Abruptly

"At this point we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep metasploit module!"

By CBR Staff Writer

When the British government alerted Microsoft in May to a critical wormable bug – which security researchers dubbed BlueKeep – in its Windows operating system, the company scrambled to push out an urgent patch.

Although Windows 8 and Windows 10 were unaffected by the security flaw, Windows 7, Windows Server 2008 R2, and Windows Server 2008 were among those that were vulnerable. Security experts feared a repeat of 2017’s WannaCry attacks: the vulnerability is pre-authentication and requires no user interaction, meaning any malware developed that exploited the issue could potentially propagate freely, spawning across tens of thousands of exposed machines.

Read this: Microsoft Credits NCSC for Critical Bug Find, Pushes Out Unusual Patch

Security researchers watched with bated breath (and tried to work out how an exploit worked: the original report didn’t come with a handy proof-of-concept) for malware using the vulnerability to start propagating. The vulnerability “may have set the stage for the worst malware attack in years” as reporters wrote.

Nothing happened.

BlueKeep Malware Finally Emerges

That just changed.

Security researcher Kevin Beaumont – who originally coined the nickname “BlueKeep” – had quickly used Azure Sentinel with Microsoft Sysmon to build a series of honeypots (“BluePot”) to capture any BlueKeep-based attacks, after more details on the vulnerability emerged.

They had, until now, he notes, been “eerily quiet”.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

On Sunday the Manchester-based researcher, who runs, wrote that the first signs of something being awry came when one of his honeypots crashed and rebooted on October 23.

“Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity. On 2nd November 2019 I finally realised what was happening, as my Azure Log Analytics bill had issues and I wanted to know what was happening, so logged in to Azure Sentinel…”

After realising what might be happening, he sent a crash dump to security researcher Marcus Hutchins (of WannaCry-thwarting fame) for analysis.

The attacks did indeed bear the hallmark of BlueKeep, he found.

But amidst all the hype and with all the attention of security researchers on the vulnerability, the payload of the attack turned out to be somewhat banal: it was a miner of the crypto coin Monero. (Beaumont says that pretty much as soon as he wrote about the attacks, they dried up outright, as someone got cold feet).

Hutchins, in his technical write-up on the malware, noted: “It’s curious that [BlueKeep] took this long to get detectably weaponized. One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved.

He added: “Although this alleged activity is concerning, the information security community (correctly) predicted much worse potential scenarios.

“Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack. It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities.”

Read this: Here’s How GCHQ Decides When to Sit on a Vulnerability… 

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.