Security researchers have spotted attacks utilising BlueKeep. BlueKeep is a vulnerability in older versions of Microsoft’s Remote Desktop Protocol (RDP). The error was discovered in the May 2019 Patch.

However, the biggest fear people had regarding BlueKeep does not seem to have come true for the time being. The error is ‘wormable’, which means that malware can exploit the vulnerability to replicate and spread itself. But with the first attacks, the vulnerability is not abused in this way, according to ZDNet.

Security researchers have instead detected a group of hackers using a BlueKeep demo operation, which was released by the team behind Metasploit in September. Metasploit is a framework for pen tests. This demo is now used to hack into vulnerable Windows systems and install a cryptocurrency miner.

The attack has now been carried out to scale for two weeks, but was only discovered this weekend by security expert Kevin Beaumont. Security researcher Marcus ‘MalwareTech’ Hutchins – who previously stopped the outbreak of the WannaCry-ransomware – has confirmed Beaumont’s discovery. Hutchins is considered an expert on BlueKeep.

Worst-case scenario avoided

The fact that BlueKeep was going to be abused had been coming for some time. The vulnerability was discovered in May, and in June it was already clear that criminals were scanning for the error in Windows. So, they were looking for vulnerable PCs.

In July, it turned out that over 800,000 systems were still vulnerable to BlueKeep, even though Microsoft had already released a patch for the problem on May 14th. At the end of July, a manual was published to exploit the error.

Nevertheless, the damage so far seems to be relatively small. The attack with the cryptocurrency miner is, as far as we know, the first one. And it is not a worm, as was feared. Researchers were afraid that a worm would attack on the scale of WannaCry or NotPetya.