BlueKeep is back. For now, attackers are just using it for cryptomining

The hacking has finally begun, and so far, it’s gone off with a whimper, not a bang.

For months, cybersecurity analysts have sounded the alarm about a serious vulnerability in old Microsoft operating systems that, if exploited, could infect computers around the world.

The hacking has finally begun, and so far, it’s gone off with a whimper, not a bang.

Over the weekend, a security researcher who maintains “honeypots,” or simulated environments to trap malicious activity, reported a spike in attacks exploiting the Remote Desktop Protocol vulnerability, known as BlueKeep. But rather than anything “wormable” that can spread from machine to machine, this appears to be a case of opportunists scanning the internet to infect computers for monetary gain. Researchers had warned that BlueKeep could enable outsiders to execute remote code on a compromised machine.

Kevin Beaumont, the researcher who gave BlueKeep its name, reported that nearly all of his honeypots had been hit by attackers exploiting the vulnerability. Hackers appear to be using the exploit to try to install a cryptocurrency miner, Beaumont noted, which would allow them to generate virtual cash.


“This has been going on for weeks now and shows no signs of stopping,” Beaumont said.

Rather than taking remote control of the machines, the attackers are causing them to crash.

“It seems likely that a low-level actor scanned the internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities,” said Marcus Hutchins, a researcher at Krpytos Logic who worked with Beaumont to track BlueKeep.

While a nuisance, cryptomining is not what researchers feared when BlueKeep emerged in May. Organizations from Microsoft itself to the Department of Homeland Security urged users to patch for the vulnerability because, like the flaw exploited by the 2017 WannaCry virus, BlueKeep is wormable. That means that malware abusing it can cascade across unpatched systems.

WannaCry spread to over 200,000 machines in 150 countries, costing Britain’s National Health Service alone more than $100 million. Concerns about a repeat have motivated researchers to write their own BlueKeep exploits to warn organizations of the danger. The number of devices affected by this scanning activity was not immediately clear.


Chief information security officers trying to protect enterprise networks previously told CyberScoop they saw an influx of scanning activity around BlueKeep as soon as a proof-of-concept was made public.

Following the spike in activity in recent days, BlueKeep watchers urged computer users not to take the lack of a serious worm for granted.

“Right now, we do not see any indication of a widespread worm at play. However, that could happen at any moment,” Craig Williams, director of outreach at Cisco’s threat intelligence team, Talos, said in an email to CyberScoop. “Users need to patch immediately or apply remediation strategies to unpatched systems to prevent exploitation.”

“A widespread worm gets a lot of attention and creates quite a bit of damage. Often these are things criminals do not want,” Williams added. “Attention, especially from law enforcement, is something they try to avoid.”

The high stakes may be why we still haven’t seen BlueKeep exploited on the scale that many feared.


“One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first,” Hutchins said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts