Security researcher Kevin Beaumont reported on 2 November that his BlueKeep honeypot detectors had started crashing and were likely being exploited. Microsoft then worked with Beaumont to analyze the crashes and confirmed that they were caused by a BlueKeep exploit module for the Metasploit penetration testing framework. The Microsoft Defender Advanced Threat Protection research team had already noticed an increase in RDP-related service crashes (from about 10 to 100 per day) starting on 6 September, an increase in memory corruption crashes starting on 9 October, and crashes on external researchers' honeypots since 23 October.
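The signal described above is a spike in RDP-related crashes against a daily baseline. The following is an added example, not code from the article or from Microsoft or Beaumont, that runs that heuristic over constructed crash telemetry: a tiny pipe-separated export format (timestamp, faulting component, event ID) that is an assumption of this example and not a native Windows log format. Crashes are counted per day only when the faulting component is the Remote Desktop Services service or its kernel driver; the component names, the 7-day median baseline and the 5x/20-crash thresholds are choices made here, not values from the report.

```python
"""Flag a spike in RDP-related crashes against a rolling daily baseline.

Added example (not from the article). Sample input is constructed inline so
the script runs offline; the "ts|component|event_id" line format is an
assumption of this example, not a Windows event log format.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Components whose crashes we treat as RDP-related. TermService is the Remote
# Desktop Services service; termdd.sys is the RDP kernel driver where
# CVE-2019-0708 lives. Assumed labels for this constructed export.
RDP_COMPONENTS = {"TermService", "termdd.sys"}


def parse_event(line):
    """Parse one constructed export line: 'ISO-timestamp|component|event_id'."""
    ts, component, event_id = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts),
            "component": component,
            "event_id": int(event_id)}


def daily_rdp_crashes(events):
    """Count RDP-related crashes per calendar day; other crashes are ignored."""
    counts = Counter()
    for e in events:
        if e["component"] in RDP_COMPONENTS:
            counts[e["ts"].date()] += 1
    return counts


def find_spikes(daily, baseline_days=7, factor=5, min_count=20):
    """Return (day, count, baseline) for days whose RDP crash count exceeds
    factor * median of the preceding baseline_days observed days.

    min_count suppresses alerts on tiny absolute numbers (3 crashes vs 0),
    and fewer than 3 baseline days is treated as "no baseline yet".
    """
    days = sorted(daily)
    spikes = []
    for i, day in enumerate(days):
        window = [daily[d] for d in days[max(0, i - baseline_days):i]]
        if len(window) < 3:
            continue
        base = median(window)
        if daily[day] >= min_count and daily[day] > factor * base:
            spikes.append((day, daily[day], base))
    return spikes


def build_sample_lines():
    """Constructed telemetry: ~10 RDP crashes/day for a week, 100 on 2019-09-06,
    plus unrelated crashes that must not be counted."""
    start = datetime(2019, 8, 30)
    lines = []
    for i in range(7):  # 30 Aug .. 5 Sep: quiet baseline
        for k in range(10):
            t = start + timedelta(days=i, minutes=10 * k)
            lines.append(f"{t.isoformat()}|termdd.sys|1001")
        t = start + timedelta(days=i, hours=12)
        lines.append(f"{t.isoformat()}|explorer.exe|1000")  # noise, ignored
    spike_day = start + timedelta(days=7)  # 6 Sep: 100 RDP crashes
    for k in range(100):
        t = spike_day + timedelta(minutes=10 * k)
        lines.append(f"{t.isoformat()}|TermService|1000")
    return lines


SAMPLE_EVENTS = [parse_event(line) for line in build_sample_lines()]


def report():
    """Run the heuristic over the constructed sample and return the spikes."""
    return find_spikes(daily_rdp_crashes(SAMPLE_EVENTS))


if __name__ == "__main__":
    for day, count, base in report():
        print(f"{day}: {count} RDP crashes (baseline median {base})")
```

On the constructed sample this reports a single spike on 2019-09-06 (100 crashes against a median baseline of 10). Against real telemetry the same shape works once the component filter is mapped onto whatever field your export uses for the faulting service or driver; the thresholds should be tuned to the fleet's normal crash rate rather than taken from this example.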
Microsoft's security research team also linked the activity to an earlier coin mining campaign from September. The main implant used in that campaign contacted the same command-and-control infrastructure that was later used during the October BlueKeep Metasploit campaign. In those cases the exploit did not crash the system but installed a coin miner. Microsoft's machine learning models found affected machines in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries.
BlueKeep is an unauthenticated remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2, tracked as CVE-2019-0708. The vulnerability is wormable: malware exploiting it can spread from one unpatched system to another without any user interaction. Microsoft released a patch for it on May 14, 2019.
Microsoft's security team used Twitter to warn users about the vulnerability and urged them to apply the patch to any affected systems that are still unpatched. The full report from Microsoft is available here.