Zero-day vulnerabilities (with their exploits) discovered and kept private by governments and their intelligence agencies are often some of the most powerful and dangerous vulnerabilities, especially when something that is meant to stay private is released to the public. Like EternalBlue before it, BlueKeep was a zero-day that the National Security Agency allegedly discovered and exploited as part of their intelligence efforts. BlueKeep was disclosed on May 14th and shortly thereafter Microsoft released a patch for it.

This critical vulnerability (CVE-2019-0708) is a flaw in Remote Desktop Protocol (RDP, port 3389) that could allow an attacker to compromise a device and execute malicious code. If there is a silver lining, it is that the flaw does not affect Windows 10; the vulnerability specifically impacts Windows 7, Server 2008, XP, and Server 2003. The vulnerability is so concerning that NSA issued its own advisory and Microsoft issued patches for systems that were past end-of-life. See the Microsoft advisory for specific versions that are impacted.

In 2016, the WannaCry ransomware outbreak sent shockwaves through the business world as hundreds of thousands of devices across the globe were compromised. The marrying of standard ransomware with NSA’s EternalBlue exploit supercharged the attack and allowed the ransomware to propagate across the globe in a way that we had not seen before and have not seen since. Security experts warn that it is quite possible, even likely, that we could see another “WannaCry” in the coming weeks or months as hackers develop further exploits for the BlueKeep vulnerability and integrate them into their operations.

Even though Windows 10 is not susceptible, all it takes is one compromised device on the network to enable a wider-scale breach. Once hackers have that foothold, they can apply other techniques and tools to pivot across an internal network.

To mitigate this threat, it is imperative that organizations apply the patch to affected systems as quickly as possible. Unfortunately, many legacy systems running affected Windows versions are not able to be updated to Windows 10 or patched due to operational requirements. In the event a patch cannot be deployed, implement compensating controls. Such controls may include isolating the devices behind layers of network and security devices such as routers, firewalls, and IPSs, tightening access controls to only those that need access, disabling port 3389/RDP on the devices, and blocking all port 3389 traffic at the firewalls.
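The host-level controls from the paragraph above (disabling RDP and blocking port 3389), sketched as an added example that is not part of the original article. It assumes an elevated PowerShell 2.0+ session on Windows 7 or Server 2008 R2 with Windows Firewall enabled; the rule name is a constructed label, and Windows XP and Server 2003 are not covered because they lack `netsh advfirewall`.

```powershell
# Added example: compensating controls on a host that cannot be patched yet.
# Assumptions: elevated session, Windows Firewall service running and enabled.
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ruleName = 'Block-RDP-3389-BlueKeep'   # constructed name, not a Microsoft default

function Get-RdpState {
    # fDenyTSConnections: 1 = Remote Desktop connections refused, 0 = accepted
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    # A listening TCP socket shows local port 3389 and a foreign address ending in :0
    $hits = @(netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:3389\s+\S+:0\s')
    # Is the block rule present? netsh exits non-zero when no rule matches.
    netsh advfirewall firewall show rule name=$ruleName | Out-Null
    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        RdpDisabled    = ($deny -eq 1)
        Listening3389  = ($hits.Count -gt 0)
        BlockRuleFound = ($LASTEXITCODE -eq 0)
    }
}

Write-Output 'State before changes:'
Get-RdpState | Format-List

# 1. Disable Remote Desktop connections on this device.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1

# 2. Block inbound TCP 3389 at the host firewall (idempotent: add only if missing).
netsh advfirewall firewall show rule name=$ruleName | Out-Null
if ($LASTEXITCODE -ne 0) {
    netsh advfirewall firewall add rule name=$ruleName dir=in action=block `
        protocol=TCP localport=3389 | Out-Null
}

# 3. Verify instead of assuming the change took effect.
Start-Sleep -Seconds 5
$after = Get-RdpState
Write-Output 'State after changes:'
$after | Format-List
if (-not $after.RdpDisabled -or -not $after.BlockRuleFound -or $after.Listening3389) {
    Write-Warning 'RDP exposure remains on this host; review it manually.'
}
```

This covers only the device itself; isolation behind routers, firewalls and IPSs and blocking port 3389 at the perimeter are configured on the network equipment.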

As with WannaCry before it, Microsoft issued a patch well before any attack occurred. There is little reason – aside from negligence – for companies to fall prey to such an attack in the future. Organizations need to take this threat seriously by doing all they can to ensure their systems are secure and by training and preparing their employees. Doing so will decrease the likelihood that you will be impacted when the attack is launched.

Sources:

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
  • https://www.scmagazineuk.com/devastating-exploit-using-ticking-bomb-bluekeep-only-weeks-away/article/1587473
  • https://www.forbes.com/sites/daveywinder/2019/06/07/nsa-warns-microsoft-windows-users-update-now-or-face-devastating-damage/#5dcab3df3aa0

About Security On-Demand

Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.

  
