Why You Need to be Careful About the BlueKeep Vulnerability
WannaCry, the ransomware that struck in 2017, shook the very foundations of thousands of businesses worldwide. The NotPetya attack that followed also caught many businesses unawares and dealt them a big blow. Well, if we’re not careful enough, another such devastating cyberattack could happen in the near future, thanks to a critical vulnerability named BlueKeep.
It was the EternalBlue exploit, for which Microsoft had issued a patch that many users, including thousands of organizations worldwide, failed to apply in time, that led to two of the most damaging cyberattacks in recent times: the WannaCry attack and the NotPetya attack. Remember, it was not the EternalBlue exploit as such that caused the attacks; the real reason was the failure of users and enterprises to patch the vulnerability on time. Now we have reports of another vulnerability, a ‘wormable’ critical RCE (Remote Code Execution) flaw named BlueKeep that, if not taken care of, could lead to equally damaging cyberattacks.
Microsoft has already released a patch for the BlueKeep vulnerability for all supported, plus some unsupported, operating systems. All that companies (and individual users) need to do is update their older Windows systems right away to avoid becoming one of the potential victims of a probable cyberattack.
Experts point out that the BlueKeep vulnerability, found in Remote Desktop Services (also known as Terminal Services), could, if exploited successfully by cybercriminals, give them access to any targeted Windows system through a backdoor, without any credentials or user interaction. Moreover, the vulnerability is ‘wormable’, which means that future exploits might use it to spread malware within or beyond computer networks in almost the same way as the WannaCry ransomware did.
The flaw, CVE-2019-0708, affects multiple in-support and out-of-support versions of Microsoft’s operating systems. Users of Windows 7, Windows Server 2008 R2, and Windows Server 2008 who have enabled automatic updates would stay protected. Special updates have also been issued for two versions that are no longer supported, namely Windows XP and Windows 2003. Windows 10 and Windows 8 are reported not to be affected by the BlueKeep vulnerability. Though Windows Vista is also among the affected OSs, Microsoft hasn’t released patches for it. Users of Windows Vista should, to resolve the issue, either disable RDP (Remote Desktop Protocol) completely or use RDP only when it’s accessed via VPN.
Since Microsoft released the patches, security researchers have created several working proofs-of-concept, but none of them has yet been publicly released. There is no evidence of the vulnerability being exploited in the wild as of yet.
Remember, given the wormable nature of BlueKeep, if someone publishes a working exploit or a malware author sells one on the underground web, a situation very similar to the WannaCry or NotPetya attack could arise. Even less skilled cybercriminals could use the exploit to unleash cyberattacks on computer networks and profit from them.
How to avoid being a victim of the BlueKeep exploit
There are some very simple things that could help prevent attacks exploiting the BlueKeep vulnerability:
- If you or your organization runs any of the supported versions of Windows, update it. Enabling automatic updates is the best option. If you’re still using the unsupported versions, Windows XP or Windows 2003, download and apply the patches immediately.
- Avoid RDP and use it only where it is needed.
- If you must use RDP, configure it properly and don’t expose it to the public internet. Filtering RDP access with a firewall or using multi-factor authentication are good options.
- Disabling RDP until you apply the patches that Microsoft has released would be good.
- It would be good to have NLA (Network Level Authentication) enabled, so that authentication is required before a remote session is established. (Remember that, despite this, attackers who have valid credentials can still authenticate and carry out RCE exploit-based attacks.)
- Use trusted multi-layered security solutions to detect and prevent attacks at the network level.
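The checks in the list above (is the patch installed, is RDP enabled at all, is NLA required) can be audited from a single script. The following is an added example and not code from the article or from Microsoft; the function name is hypothetical, and the KB ids of the CVE-2019-0708 updates are not given on this page, so they must be supplied by the caller via the -PatchKB parameter (a placeholder is used below).

```powershell
# Added example (not from the article): audit a Windows host for BlueKeep exposure
# using the mitigations listed above. Uses only cmdlets available in Windows
# PowerShell 2.0+, so it also runs on Windows 7 / Server 2008 R2.
# The KB ids are NOT on the page: pass the ids from Microsoft's CVE-2019-0708
# advisory for your OS via -PatchKB (the default is a placeholder).
function Test-BlueKeepExposure {
    [CmdletBinding()]
    param(
        [string[]]$PatchKB = @('KB-PLACEHOLDER'),  # placeholder: supply the real ids
        [switch]$EnforceNla,                       # set UserAuthentication=1 (require NLA)
        [switch]$DisableRdp                        # set fDenyTSConnections=1 (turn RDP off)
    )
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    $os = Get-WmiObject -Class Win32_OperatingSystem

    # fDenyTSConnections = 1 (the default when the value is absent) means RDP is off
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq $null) { $deny = 1 }
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 means NLA: the client must authenticate before a session exists
    $ua = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nla = ($ua -eq 1)

    # The patch counts as present if any of the supplied KB ids is an installed hotfix
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    $patched = (@($PatchKB | Where-Object { $installed -contains $_ }).Count -gt 0)

    if ($EnforceNla -and $rdpEnabled -and -not $nla) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        $nla = $true
    }
    if ($DisableRdp -and $rdpEnabled) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        $rdpEnabled = $false
    }

    # HighRisk: RDP reachable and unpatched. NLA lowers the risk but, as the article
    # notes, does not remove it for attackers who already hold valid credentials.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = "$($os.Caption) $($os.Version)"
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nla
        PatchApplied = $patched
        HighRisk     = ($rdpEnabled -and -not $patched)
    }
}

Test-BlueKeepExposure -PatchKB 'KB-PLACEHOLDER' | Format-List
```

Run it as an administrator; without -EnforceNla or -DisableRdp it only reads registry values and the hotfix list and changes nothing.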
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.