Last month Microsoft reported a critical vulnerability in its remote access tool, Remote Desktop Protocol (RDP), offering a potential wormable route into computer networks across the globe. Dubbed ‘BlueKeep’, the vulnerability applies to the legacy Microsoft systems Windows XP, 7, 2003 and 2008.
Microsoft has released a security patch for the vulnerability (CVE-2019-0708).
It’s not just theoretical
A researcher has developed a module for the penetration testing framework Metasploit, demonstrating a proof-of-concept BlueKeep exploit that gains local admin access over the victim's system. To protect unpatched machines, the module has not been released publicly – but malicious actors are likely to develop an exploit themselves. Given the seriousness of the threat and the impact of the vulnerability, an attack on an unpatched system is just a matter of time.
Organisations and individuals should patch now to protect themselves.
The situation could prove similar to the WannaCry attacks of May 2017, which cost the NHS alone an estimated £92m. Despite a patch being released for the vulnerability, many organisations did not install it, leading to a worldwide cyber-attack with around 200,000 victims. Surprisingly – two years on – about 1.7m devices are still thought to be at risk from WannaCry.
WannaCry was preventable – and so is this
With such widespread inaction over the WannaCry warnings, concerns have been raised about the speed at which BlueKeep is being addressed. Three weeks after the patch was released, a security researcher identified at least 900,000 vulnerable machines (the actual figure is likely a lot higher), with the figure decreasing by just 1,000 in a 48-hour time frame. This slow patching could be down to poor awareness outside the cyber community, or a lack of understanding of BlueKeep's severity. But these things escalate quickly and it's important to act now.
To urge people to take action, Microsoft has twice asked users to patch their systems. The US National Security Agency (NSA) has also got in on the act and released a security alert, listing key measures to take in addition to patching (see below). Help spread the word – a BlueKeep attack is preventable and it's time to apply the lessons learned from WannaCry.
In order to increase resilience against this threat while large networks patch and upgrade, there are additional measures that can be taken:
- Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This is the port used by RDP, so blocking it stops attempts to establish a connection.
- Enable Network Level Authentication (NLA). This security improvement requires attackers to have valid credentials before they can attempt remote code execution.
- Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
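As an added example (not part of the original post or the NSA alert), the following PowerShell script audits a single legacy Windows host for the three measures above plus the patch itself, and can enforce the host-level versions of them; the rule name, the `$PatchKB` placeholder (fill in the KB number for your OS from Microsoft's CVE-2019-0708 advisory) and the `-DisableRdp` switch are this example's own choices. It assumes an elevated PowerShell session on Windows 7 / Server 2008, where `netsh advfirewall` is available (XP and 2003 use the older `netsh firewall` syntax).

```powershell
# Audit (and optionally enforce) BlueKeep mitigations on one host.
# Added example, not the article's or Microsoft's own tooling. Run elevated.
param(
    [switch]$Enforce,      # apply the host-level mitigations, not just report
    [switch]$DisableRdp,   # with -Enforce: turn Remote Desktop off entirely
    [string]$PatchKB = 'KB_FROM_CVE-2019-0708_ADVISORY'  # placeholder: per-OS KB id
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'Block inbound RDP TCP 3389 (BlueKeep)'   # example rule name

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1

# UserAuthentication = 1 on the RDP-Tcp listener means NLA is required,
# so a client must authenticate before a session (and the vulnerable code) is reached.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# Is the security update installed? Matches on the HotFixID column of Get-HotFix.
$patched = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $PatchKB })

# Does a host-firewall rule blocking inbound 3389 already exist? (string check on netsh output)
$fwOut   = netsh advfirewall firewall show rule name="$ruleName" 2>&1
$blocked = [bool]($fwOut | Select-String -Pattern '^Action:\s+Block')

if ($Enforce) {
    if (-not $blocked) {
        # 1. Block TCP 3389 inbound at the host firewall (complements perimeter blocking).
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
            protocol=TCP localport=3389 | Out-Null
    }
    # 2. Require Network Level Authentication on the RDP-Tcp listener.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    # 3. Disable Remote Desktop Services if this host does not need them.
    if ($DisableRdp) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
}

# Report: every $false here is an open item until the patch is applied.
New-Object PSObject -Property @{
    Host            = $env:COMPUTERNAME
    PatchInstalled  = $patched
    Port3389Blocked = $blocked
    NlaRequired     = $nlaRequired
    RdpDisabled     = $rdpDisabled
}
```

Run without switches to audit a fleet via your usual remoting, and with `-Enforce` only after confirming the host does not depend on unauthenticated RDP clients.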