The BlueKeep RDP vulnerability (CVE-2019-0708) is a remote code execution flaw that affects approximately one million systems (as at 29 May 2019) running older versions of Microsoft operating systems. Attention shifted to BlueKeep about two weeks ago, during Microsoft's May 2019 Patch Tuesday. Microsoft released patches but their warning that the vulnerability is wormable drew the attention of security researchers who have uncovered more concerning findings about this emerging threat.
Five Reasons To Worry About BlueKeep
1. BlueKeep is a "wormable" flaw
That means it's similar to the EternalBlue exploit that was used in ransomware attacks such as WannaCry and NotPetya. Wormable attacks are especially dangerous as they can spread automatically on unprotected systems.
2. BlueKeep primarily affects older, more vulnerable systems
Vulnerabilities that affect older systems are a double whammy for cybersecurity risk. Systems running on old operating systems are typically not well maintained by the vendor (in this case, Microsoft), or by the end user, because they're usually running legacy applications. For example Windows XP is affected, which is out of support. It is of serious concern that Microsoft felt that BlueKeep was significant enough to warrant the first Patch Tuesday release for XP in five years.
3. The nature of the vulnerability lends itself to dangerous attacks
The risk of a remote code execution vulnerability in Remote Desktop Services (RDS) is that it can be exploited by attackers, by connecting to the targeted system via the RDP (Remote Desktop Protocol) and running arbitrary code on the system. Given that RDS/RDP is involved, a proportion of the ~1 million exposed targets are likely to be high value targets such as jump boxes which are an entry point into a more valuable network.
4. Imminent threats have been detected
Reports are in that a number of threat actors are executing port scans to detect the BlueKeep vulnerability on Windows systems. These actors have been detected hiding behind dozens of TOR exit nodes, indicating that the a wave of BlueKeep-related attacks could be next. Thankfully, security researchers have not yet published any proof-of-concept exploit code for BlueKeep. However, several companies have publicly disclosed that they've successfully developed exploit code for BlueKeep, which they intend to keep private. The list includes McAfee, Kaspersky, Check Point and MalwareTech.
5. Vulnerable systems are easily discoverable
It's never been easier to find exposed hosts. Tools such as Masscan and Zmap can be used to scan the entire Internet in minutes, making it trivial for attackers to find vulnerable systems. The author of Masscan, Robert Graham of Errata Security has already published an open source scanner for BlueKeep on GitHub.
Which systems are vulnerable to BlueKeep?
The BlueKeep vulnerability affects older versions of Microsoft Windows, including:
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
Newer versions of Windows, such as Windows 10 and Windows 8 are considered safe at this stage.
How to mitigate the risks posed by BlueKeep
Organizations that use UpGuard are able to instantly pinpoint any vulnerable machines on their network, and help answer key questions that de-risk this emerging threat:
- Are my organization's Internet-facing and internal machines exposing port 3389? Are my third-party vendors exposed?
- Is RDP running on those ports?
- Which vulnerable machines are running legacy editions of Windows, and are they patched? UpGuard have already published a policy for our customers to detect this.
- Does the machine have NLA (Network Level Authentication) enabled? These machines could still be exploitable by an attacker who has valid credentials. However, they are less vulnerable to anonymous worm-based attacks.
If your organization is looking for help with the BlueKeep RDP vulnerability, UpGuard can pinpoint and manage this threat before an attack.