BlueKeep: We’re Watching

by | Mar 13, 2020

The BlueKeep vulnerability (CVE-2019-0708) was identified in Microsoft’s Remote Desktop Protocol in May of 2019. This vulnerability, although only present in older versions of Windows is particularly concerning to enterprises because RDP is exposed to the internet much more frequently than an internal windows protocol like SMB, which should never be exposed to the internet. In early September, the Metasploit Framework released an initial exploit module.  Since the Metasploit Framework is widely used and distributed in the security (and hacking) community, it is considered a lowest common denominator and this release prompted some notable researchers to release analyses they’d withheld since shortly after the CVE was published.

These releases make it all the more urgent for businesses to make sure their assets are properly inventoried and patched. The vulnerability affects older versions of Windows (7 and prior, Server 2008 R2 and prior) without Network Level Authentication enabled. While these may seem old, often these operating systems are used to run critical systems such as hospital IT where patching, updating, and downtime are serious concerns. Furthermore, according to data from Shodan, over 350 thousand devices are still vulnerable to being exploited. Since the vulnerability may be “wormable,” these should be patched, including hosts that aren’t internet exposed. Despite the security community generally withholding information on how to weaponize the vulnerability throughout the summer of 2019, and only one publicized campaign using the vulnerability, it should be assumed that actors have and will continue to use this vulnerability for targeted or internal attacks that may go unnoticed.

If attackers were able to systematically exploit BlueKeep, we could face a cyber event on par with WannaCry was in 2017. Even in absence of worming activity, targeted compromises using vulnerabilities such as BlueKeep can serve as a gateway into organizations, enabling data theft and even high-priced ransomware attacks. This has become an extremely lucrative modus operandi for some threat actors such as those behind the Ryuk and Sodinokibi ransomware. Individual business could face substantial business interruption and/or data breach costs.

For context, Shodan identifies about 13 thousand devices on the internet that still have the MS17-010 vulnerability, which was widely exploited in the May 2017 WannaCry attacks. The highest rates of unpatched devices are in Russia, Ukraine, and Taiwan. Unlike the BlueKeep vulnerability, devices in South Korea, Hong Kong, and China seem to have been patched with respect to MS17-010.

At Resilience Insurance, we are constantly monitoring the threats that BlueKeep and other vulnerabilities pose to our customers. In the past few months, we’ve seen the number of devices on the internet that have the BlueKeep vulnerability decline over 30%, from ~550k to ~350k vulnerable hosts.  Much of this change has happened in China via Telecoms such as Tencent and China Telecom.  American telecoms and hosting providers have exhibited some counter-intuitive trends since October: most have steadily decreased the number of vulnerable hosts, likely due to patching and removing of old devices.  However, in the last month, there has been an significant uptick in vulnerable hosts in AWS, possibly due to deployment of honeypots by security companies and researchers.

graph comparing providers and Amazon has the highest vulnerabilities

To mitigate the impact of BlueKeep, enterprises should follow the guidance in the National Security Agency’s advisory from summer 2019:

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection.
  • Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
  • Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
  • Apply patches, including patches for older operating systems: https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708