BlueKeep – protect against the next ransomware attack

Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware. A patch by Microsoft for supported, as well as some unsupported, operating systems has been available since May 14th.

The flaw affects multiple in-support and out-of-support versions of Microsoft’s operating systems. You should take different actions depending on which Microsoft Operating System you have installed:

  • Windows 7, Windows Server 2008 R2, and Windows Server 2008 with automatic updates enabled are protected;
  • Windows XP and Windows Server 2003 – Microsoft issued special updates for these two non-supported versions;
  • Windows 8 and Windows 10 are not affected by the vulnerability; and
  • Windows Vista – Microsoft has not released patches for this version, despite it also being affected by the vulnerability. The only options here are to disable Remote Desktop Protocol (RDP) completely, to allow its use only when accessed via VPN, or to upgrade to a more recent operating system.

The BlueKeep vulnerability was found in Remote Desktop Services (also known as Terminal Services). If successfully exploited in the future, it could enable access to the targeted computer via a backdoor with no credentials or user interaction needed.
To make the bad news even worse, the vulnerability is ‘wormable’. This means that future exploits might use it to spread malware within or outside of networks in similar ways to what was seen with WannaCryptor.
Following Microsoft’s release of these latest patches, security researchers were able to create several working proofs-of-concept, but at the time of writing, none of these have been publicly released and there are no known cases of the flaw being exploited in the wild.

It is important to note that any company using misconfigured RDP over the internet is putting its users and resources at risk. Apart from vulnerabilities such as BlueKeep, attackers also try to brute force their way into company machines and internal systems.
Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator.
BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.

Precautionary action to take

To sum it up, organizations and users are advised to:

  1. Patch, patch, patch. If you or your organization run a supported version of Windows, update it to the latest version. If possible, enable automatic updates. If you are still using unsupported Windows XP or Windows Server 2003 – for whatever reason – download and apply the patches as soon as possible.
  2. Disable Remote Desktop Protocol. Despite RDP itself not being vulnerable, Microsoft advises organizations to disable it until the latest patches have been applied. Further, to minimize your attack surface, RDP should only be enabled on devices where it really is used and needed.
  3. Configure RDP properly. If your organization absolutely must use RDP, avoid exposing it to the public internet. Only devices on the LAN, or accessing via a VPN, should be able to establish a remote session. Another option is to filter RDP access using a firewall, whitelisting only a specific IP range. The security of your remote sessions can be further improved by using multi-factor authentication.
  4. Enable Network Level Authentication (NLA). BlueKeep can be partially mitigated by having NLA enabled, as it requires the user to authenticate before a remote session is established and the flaw can be misused. However, as Microsoft adds, “affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
  5. Use a reliable multi-layered security solution that can detect and mitigate the attacks exploiting the flaw on the network level.
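The checks and changes behind steps 1 to 4, together with the operating-system list earlier on this page, as an added PowerShell example (this is not ESET's or PAAC IT's own code). It assumes an elevated PowerShell session on an English-language Windows install, where the built-in firewall rule group is named "Remote Desktop"; it reads the standard Terminal Server registry keys, and the IP ranges passed to -AllowedRemoteIp in the usage line are constructed samples.

```powershell
# Added example: audit and harden RDP on one Windows host (run as Administrator).
# Uses only cmdlets available from PowerShell 2.0 so it also works on Windows 7 / 2008 R2.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpHardeningStatus {
    $os = Get-WmiObject Win32_OperatingSystem
    $v  = [Version]$os.Version

    # Map the kernel version onto the advice given in the list above.
    $advice = switch ("$($v.Major).$($v.Minor)") {
        '5.1'   { 'Windows XP: apply the special out-of-band update' }
        '5.2'   { 'Windows Server 2003: apply the special out-of-band update' }
        '6.0'   { 'Vista / Server 2008: Vista has no patch (disable RDP, VPN-only, or upgrade); Server 2008 patches via Windows Update' }
        '6.1'   { 'Windows 7 / Server 2008 R2: patched via Windows Update' }
        default { 'Windows 8 or later: not affected' }
    }

    # fDenyTSConnections = 1 means RDP is off; UserAuthentication = 1 means NLA is required.
    $fDeny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla   = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $layer = (Get-ItemProperty -Path $RdpTcp -Name SecurityLayer      -ErrorAction SilentlyContinue).SecurityLayer

    # Step 1: show the most recently installed update so a stale host stands out.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1

    New-Object PSObject -Property @{
        OperatingSystem = $os.Caption
        Advice          = $advice
        RdpEnabled      = ($fDeny -eq 0)
        NlaRequired     = ($nla -eq 1)
        SecurityLayer   = $layer        # 0 = legacy RDP, 1 = negotiate, 2 = TLS
        LatestHotfix    = $latest.HotFixID
        LatestHotfixOn  = $latest.InstalledOn
    }
}

function Set-RdpHardening {
    param(
        [switch]$DisableRdp,        # step 2: turn RDP off and close its firewall rules
        [switch]$RequireNla,        # step 4: require Network Level Authentication
        [string[]]$AllowedRemoteIp  # step 3: restrict the firewall rules to these ranges
    )
    if ($DisableRdp) {
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
        & netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
    }
    if ($RequireNla) {
        # Takes effect for new connections; existing sessions are not dropped.
        Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    }
    if ($AllowedRemoteIp) {
        $list = $AllowedRemoteIp -join ','
        & netsh advfirewall firewall set rule group="remote desktop" new remoteip=$list | Out-Null
    }
}

# Usage (the address ranges are constructed examples for an internal LAN and a VPN pool):
# Get-RdpHardeningStatus | Format-List
# Set-RdpHardening -RequireNla -AllowedRemoteIp '10.0.0.0/24','192.168.50.0/24'
# Set-RdpHardening -DisableRdp      # for hosts that do not actually need RDP
```

Run Get-RdpHardeningStatus across the estate first: a host reporting RdpEnabled true, NlaRequired false and an old LatestHotfixOn is the combination the post warns about. Restricting the firewall group to LAN and VPN ranges implements step 3 without touching the service itself, while -DisableRdp is the right choice for the many machines where RDP was never needed.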

Call us for help if you are concerned on 01428 770 290.

From our friends at ESET – the security software specialists

About Us

We provide supportive leadership enabling our business community to succeed and prosper through effective use of IT and Technology. PAAC IT is an IT Company in Surrey offering small businesses the personal attention and care that their IT systems deserve. If your company has between 1 and 100 employees and needs an IT Company in Surrey we would love to hear from you!

"PAAC IT provide a managed service for our PCs on a fixed monthly charge. Really great, they are there when we need them"
Julia Macquisten - Owner, Lucas Field Media
"PAAC-IT provide and maintain our Apple Macs and Macbook Pros. Richard and his team at PAAC IT are very prompt and responsive when we need help, and a pleasure to work with"
David Alden - Director, Alden Holmes
"Our business is highly dependent on computer technology – all the way from design and creative software platforms to administration processes. PAAC-IT set up and configured our mix of PC and Apple computers, file servers and security software and now keep it running. The team at PAAC-IT is very competent and keep our IT running smoothly"
Edward Green - Director, Milly Green
"I was having trouble making Skype calls to my son. Both Darren and Connor were extremely helpful and patient. They were so kind to get the computer in and out of the car for me - I couldn't have done this on my own as I am disabled"
Jane Nightingale
"On moving house we required help of PAAC to coordinate a tablet, PC and laptop with new security and email addresses and to ensure transfer of old contact details etc. Some of this work was undertaken by Darren in the Midhurst shop and some at our new address. Darren was professional and helpful with successful results. PAAC also followed up with care to ensure that all was well."
A satisfied customer
"I have been dealing with PAAC IT, mostly in their Midhurst Office, but also in Haslemere, for the past three or four years. They clearly understand Macs and have given me good advice, and sorted out various issues for me. Things did go wrong with the network wireless adapters I had bought from them, but they were quick to ensure they were checked and replaced without a problem, and they followed up with me a month later to ensure all was OK. That’s good customer service!"
James Tree
"Dynamite, goes the extra yard every time, reliable and essential support to my business."
Lawrence Mullen, The Talking Trade
"Good, dependable, brilliant, local"
Anneke Clegg
"I have been using the services of PAAC IT for over two years. During this time I have found the staff to be courteous, understanding, and very efficient. I have received first class service on each and every occasion – from keeping my ancient computer running, to advising and supplying a suitable replacement when it eventually crashed. All my transactions have been with the team in the Haslemere shop where Richard, Mark, Darren and Oliver have addressed my computer difficulties with great patience and kindness. To them I am eternally grateful."
Derek Smyth