Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware. A patch by Microsoft for supported, as well as some unsupported, operating systems has been available since May 14th.
The flaw affects multiple in-support and out-of-support versions of Microsoft’s operating systems. You should take different actions depending on which Microsoft Operating System you have installed:
- Windows 7, Windows Server 2008 R2, and Windows Server 2008 with automatic updates enabled are protected;
- Windows XP and Windows Server 2003 – Microsoft issued special updates for these two non-supported versions;
- Windows 8 and Windows 10 are not affected by the vulnerability; and
- Windows Vista – Microsoft has not released patches for this version, despite it also being affected by the vulnerability. The only options here are to disable Remote Desktop Protocol (RDP) completely, to allow its use only when accessed via VPN, or to upgrade to a more recent operating system.
The BlueKeep vulnerability was found in Remote Desktop Services (also known as Terminal Services). If successfully exploited in the future, it could enable access to the targeted computer via a backdoor with no credentials or user interaction needed.
To make the bad news even worse, the vulnerability is ‘wormable’. This means that future exploits might use it to spread malware within or outside of networks in similar ways to what was seen with WannaCryptor.
Following Microsoft’s release of these latest patches, security researchers were able to create several working proofs of concept, but at the time of writing, none of these have been publicly released and there are no known cases of the flaw being exploited in the wild.
It is important to note that any company using misconfigured RDP over the internet is putting its users and resources at risk. Apart from vulnerabilities such as BlueKeep, attackers also try to brute force their way into company machines and internal systems.
Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator.
BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.
Precautionary action to take
To sum it up, organizations and users are advised to:
- Patch, patch, patch. If you or your organization run a supported version of Windows, update it to the latest version. If possible, enable automatic updates. If you are still using unsupported Windows XP or Windows Server 2003 – for whatever reason – download and apply the patches as soon as possible.
- Disable Remote Desktop Protocol. Despite RDP itself not being vulnerable, Microsoft advises organizations to disable it until the latest patches have been applied. Further, to minimize your attack surface, RDP should only be enabled on devices where it really is used and needed.
- Configure RDP properly. If your organization absolutely must use RDP, avoid exposing it to the public internet. Only devices on the LAN, or accessing via a VPN, should be able to establish a remote session. Another option is to filter RDP access using a firewall, whitelisting only a specific IP range. The security of your remote sessions can be further improved by using multi-factor authentication.
- Enable Network Level Authentication (NLA). BlueKeep can be partially mitigated by having NLA enabled, as it requires the user to authenticate before a remote session is established and the flaw can be misused. However, as Microsoft adds, “affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
- Use a reliable multi-layered security solution that can detect and mitigate the attacks exploiting the flaw on the network level.
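The following PowerShell script is an added example and is not part of the original post or ESET's own tooling. It audits the settings the steps above refer to on a single Windows host (whether RDP is enabled, whether NLA is required, and whether the OS version falls in the affected range, with a separate flag for Vista, which has no patch) and offers a function to apply the disable-RDP, require-NLA and firewall-whitelist mitigations. It assumes an elevated Windows PowerShell 2.0 or later session; the registry values are the standard Terminal Server settings, the `netsh advfirewall` call is used because the NetSecurity cmdlets are absent on Windows 7 and Server 2008 R2, and the `10.0.0.0/8` range is a constructed placeholder to be replaced with your own LAN or VPN range.

```powershell
# Added example, not from the original post: audit and apply the RDP
# mitigations described above. Run elevated (Administrator).
# $AllowedRdpRange is a constructed placeholder; replace with your LAN/VPN range.
$AllowedRdpRange = '10.0.0.0/8'

function Get-RdpPosture {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"
    $os     = Get-WmiObject Win32_OperatingSystem   # works on PowerShell 2.0

    # fDenyTSConnections = 1 means Remote Desktop is switched off
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required
    $nla  = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication

    $ver = [Version]$os.Version
    # Windows 8 (6.2) and later are not affected according to the post
    $affected = ($ver -lt [Version]'6.2')
    # Vista and Server 2008 both report 6.0; ProductType 1 = workstation = Vista
    $isVista = ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and $os.ProductType -eq 1)

    New-Object PSObject -Property @{
        OperatingSystem    = $os.Caption
        Version            = $os.Version
        RdpEnabled         = ($deny -ne 1)
        NlaRequired        = ($nla -eq 1)      # $false when the value is absent (e.g. XP)
        AffectedByBlueKeep = $affected
        UnpatchableVista   = $isVista
    }
}

function Set-RdpMitigation {
    param(
        [switch]$DisableRdp,       # turn Remote Desktop off entirely
        [switch]$RequireNla,       # require NLA before a session is established
        [string]$RestrictToRange   # whitelist a source range on the RDP firewall rules
    )
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    if ($DisableRdp) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
    if ($RequireNla) {
        Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1 -Type DWord
    }
    if ($RestrictToRange) {
        # Scope the built-in "Remote Desktop" firewall rule group to the given range.
        netsh advfirewall firewall set rule group="remote desktop" new remoteip=$RestrictToRange | Out-Null
    }
}

# Usage: report first, then act on what the report shows.
$posture = Get-RdpPosture
$posture | Format-List

if ($posture.AffectedByBlueKeep -and $posture.RdpEnabled) {
    if ($posture.UnpatchableVista) {
        # No patch exists for Vista: the post's only options are to disable RDP,
        # restrict it to VPN, or upgrade. This takes the first option.
        Set-RdpMitigation -DisableRdp
    } else {
        # Patched or patchable system: keep RDP off the open internet and require NLA.
        Set-RdpMitigation -RequireNla -RestrictToRange $AllowedRdpRange
    }
}
```

Run the audit on its own first (`Get-RdpPosture | Format-List`) across the estate before applying anything; the mitigation function deliberately changes one setting per switch so that a disable or a firewall scoping can be rolled out separately from the NLA change. Note that the firewall rule scoping only restricts the Windows Firewall on the host itself; a perimeter firewall or VPN in front of the machine, as the post recommends, is still needed.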
Call us for help if you are concerned on 01428 770 290.
From our friends at ESET – the security software specialists