BlueKeep – protect against the next ransomware attack

BusinessCyber Security | 27 May, 2019 by Richard Paterson

Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware. A patch by Microsoft for supported, as well as some unsupported, operating systems has been available since May 14th.

The flaw affects multiple in-support and out-of-support versions of Microsoft’s operating systems. You should take different actions depending on which Microsoft Operating System you have installed:

Windows 7, Windows Server 2008 R2, and Windows Server 2008 with automatic updates enabled are protected;
Windows XP and Windows Server 2003 – Microsoft issued special updates for these two non-supported versions;
Windows 8 and Windows 10 are not affected by the vulnerability; and
Windows Vista – Microsoft has not released patches for, despite this version also being affected by the vulnerability. The only solution here is to disable Remote Desktop Protocol (RDP) completely or only allow its use when accessed via VPN or upgrade to a more recent operating system.

The BlueKeep vulnerability was found in Remote Desktop Services (also known as Terminal Services). If successfully exploited in the future, it could enable access to the targeted computer via a backdoor with no credentials or user interaction needed.
To make the bad news even worse, the vulnerability is ‘wormable’. This means that future exploits might use it to spread malware within or outside of networks in similar ways to what was seen with Wannacryptor.
Following Microsoft’s release of these latest patches, security researchers were able to create several working proofs-of-concept, but at the time of writing, none of these have been publicly released and there are no known cases of the flaw being exploited in the wild.

It is important to note that any company using misconfigured RDP over the internet is putting its users and resources at risk. Apart from vulnerabilities such as BlueKeep, attackers also try to brute force their way into company machines and internal systems.
Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator.
BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.

Precautionary action to take

To sum it up, organizations and users are advised to:

Patch, patch, patch. If you or your organization run a supported version of Windows, update it to the latest version. If possible, enable automatic updates. If you are still using unsupported Windows XP or Windows Server 2003 – for whatever reason – download and apply the patches as soon as possible.
Disable Remote Desktop Protocol. Despite RDP itself not being vulnerable, Microsoft advises organizations to disable it until the latest patches have been applied. Further, to minimize your attack surface, RDP should only be enabled on devices where it really is used and needed.
Configure RDP properly. If your organization absolutely must use RDP, avoid exposing it to the public internet. Only devices on the LAN, or accessing via a VPN, should be able to establish a remote session. Another option is to filter RDP access using firewall, whitelisting only a specific IP range. The security of your remote sessions can be further improved by using multi-factor authentication.
Enable Network Level Authentication (NLA). BlueKeep can be partially mitigated by having NLA enabled, as it requires the user to authenticate before a remote session is established and the flaw can be misused. However, as Microsoft adds, “affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
Use a reliable multi-layered security solution that can detect and mitigate the attacks exploiting the flaw on the network level.

Call us for help if you are concerned on 01428 770 290.

From our friends at ESET – the security software specialists

Cookie	Type	Duration	Description
_abck	1	11 months 29 days 23 hours 59 minutes	This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
bm_sz	1	3 hours 59 minutes	This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
IDE	1	1 years 23 days 23 hours 59 minutes	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	1	5 months 29 days 23 hours 59 minutes	This cookie is used to a profile based on user's interest and display personalized ads to the users.
VISITOR_INFO1_LIVE	1	5 months 26 days 23 hours 59 minutes	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Type	Duration	Description
_ga	1	1 years 11 months 28 days 23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
GPS	1	29 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
vuid	1	1 years 11 months 28 days 23 hours 59 minutes	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

BlueKeep – protect against the next ransomware attack

Precautionary action to take

About Us

Services