BlueKeep. A Looming Threat.

What it is

BlueKeep (CVE-2019-0708) is the name given to a vulnerability within the Microsoft Remote Desktop Protocol (RDP).

Why it's important

The vulnerability has been shown to allow for Remote Code Execution (RCE), effectively giving an unauthenticated attacker complete control over an affected device.

Lessons From Recent History

The WannaCry ransomware attack in 2017 demonstrated the damage a single vulnerability could cause to organisations throughout the world. This one vulnerability affected more than 200,000 devices across 150 countries, with total business costs estimated to be in the hundreds of millions.

WannaCry exploited another Microsoft vulnerability, known as EternalBlue (CVE-2017-0144), and was designed to compromise a device, upload itself to that device and then search for more devices to compromise. This allowed WannaCry to escalate from an internet-borne ransomware attack into a threat facing an organisation's entire internal network.

WannaCry was an untargeted, automated ransomware attack, in that no individual or group was specifically targeted for compromise. The attack began by searching for any devices which could be compromised and propagated itself from there. Those affected were the unfortunate victims of an automated attack who had not taken the necessary steps to secure themselves.

A Looming Threat

BlueKeep is considered to be a threat facing organisations across the world on a scale similar to WannaCry. With security advisories issued by the U.S. National Security Agency and Microsoft, as well as security patches created for operating systems no longer supported, the looming threat of this vulnerability should be taken to heart by every organisation.

The only saving grace for organisations so far has been the complexity required to develop a working exploit for this vulnerability; however, this is unlikely to last. Several individuals and groups have already developed working exploits for the BlueKeep vulnerability, choosing to keep their work private due to the damage which could be caused if the exploit code were made public.

However, an increasing number of step-by-step guides on how to develop a working exploit have been making their way into the public domain, and recently a fully developed, working exploit has been released within the licensed toolkit known as “CANVAS”.

Attacks exploiting this vulnerability are largely considered imminent within the security industry, and recently conducted scans estimate that over 800,000 vulnerable devices are still facing the internet.

What you can do

There are two main steps which should be taken in order to combat this threat:

Apply The Patch

The patch issued by Microsoft needs to be applied as soon as possible. Patches have been issued for the multiple versions of the Windows operating system which Microsoft provides, including versions that are no longer supported, and the patch should be installed on each of your devices, both those facing the Internet and those designed for internal use.

The prospect of an attack utilising the BlueKeep vulnerability being self-propagating, such as the WannaCry ransomware attack, means that all devices, not just those facing the internet, should have the patch applied to prevent the potential spread of compromised devices.

Disable Remote Desktop Protocol (RDP)

Any devices which have RDP exposed to the internet should have restrictions put in place to prevent the service from being accessible. Where remote access to devices is necessary, the recommended method of access is to first VPN into an internal network; from this position your chosen method of device management can be utilised.

This enables you to maintain minimal exposure of services to the internet but still allows for remote management of your network to be conducted.

Additional Mitigation

One additional recommended method of mitigation is to enable Network Level Authentication (NLA). It should be stressed that this does not remove the vulnerability from a device; instead it configures the device to require valid credentials before an RDP session is established. Although this configuration is recommended, it should not be thought of as a complete solution to the BlueKeep vulnerability, and the other recommended remediation measures should still be applied.

To limit any potential impact and the possible spread between affected devices, configure internal network restrictions for accessing the RDP service. This, too, should not be considered a solution to the BlueKeep vulnerability; however, it is good security practice to minimise the number of services which are accessible throughout your network. Limiting access to the RDP service can help to reduce the potential spread should any one device become compromised.

Verify

Check, recheck and check again to make sure your devices have the patch applied. It is often the case that individual devices are overlooked, neglected, forgotten about or missed as part of a patching cycle. Even with systems in place such as Windows Server Update Service (WSUS), devices can still be missed within a patching cycle, and errors in patch reports can lead to a false sense of security.

Working within the security sector, it is still a commonplace occurrence to see devices within an organisation's internal network which are affected by the EternalBlue vulnerability and have gone unnoticed for the last two years.

To ensure this doesn’t happen to you, and that all your devices are up to date and configured correctly, look at setting up regular assessments and scanning tools to verify that your systems are secured and safeguarded against the latest emerging threats.
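As an added example (not from the original post or from Precursor Security), the following PowerShell audit checks the controls discussed under "Additional Mitigation" and "Verify" on a single Windows host: whether the BlueKeep update is installed, whether RDP is enabled, whether NLA is required, and which firewall rules allow inbound TCP/3389. The KB number of the CVE-2019-0708 update differs per Windows version and is not given in the post, so it is passed in as a parameter rather than hard-coded; the registry values used are the standard Terminal Services settings.

```powershell
# Added example: local audit of the post's recommended controls.
# Run as Administrator on each host. $PatchKB is the CVE-2019-0708 update
# for this OS build (a placeholder here; look it up for your version).
param(
    [Parameter(Mandatory = $true)]
    [string]$PatchKB   # e.g. 'KB<placeholder>'
)

$findings = @()

# 1. Patch present? Get-HotFix reads the local installed-update inventory.
$patch = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
if ($patch) {
    $findings += "[OK]   $PatchKB installed on $($patch.InstalledOn)"
} else {
    $findings += "[FAIL] $PatchKB not found - apply the CVE-2019-0708 update"
}

# 2. RDP enabled at all? fDenyTSConnections = 1 means connections are denied.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 1) {
    $findings += "[OK]   RDP is disabled on this host"
} else {
    $findings += "[WARN] RDP is enabled - confirm it is not reachable from the internet"
}

# 3. NLA required? UserAuthentication = 1 means credentials are needed before
#    a session is established (reduces exposure, does not remove the bug).
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdpTcp.UserAuthentication -eq 1) {
    $findings += "[OK]   NLA is required"
} else {
    $findings += "[FAIL] NLA is not required - enable it, and still apply the patch"
}

# 4. Which enabled inbound Allow rules open TCP/3389, and from where?
#    A rule with RemoteAddress 'Any' on the Public profile should be reviewed
#    against the post's advice to reach RDP only via VPN.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains 3389 }
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    $findings += "[INFO] 3389 allowed by '$($r.DisplayName)' profile=$($r.Profile) remote=$remote"
}

$findings
```

Feed the output into whatever inventory you keep from WSUS or your scanner so that hosts reporting [FAIL] or [WARN] are tracked rather than assumed patched.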

If at all in doubt regarding what to do, or the state of security of your systems, contact any member of our team at Precursor Security for advice and further information.

Andrew Lugsden