What is BlueKeep?

BlueKeep is the name given to a severe vulnerability that Microsoft recently identified in its Remote Desktop Protocol (RDP) service. This is being tracked under CVE-2019-0708.

The vulnerability impacts the RDP service included in older versions of the Windows OS, such as XP, 7, Server 2003, and Server 2008.

Although only older versions of Windows are affected, at the time of writing this equates to around one million devices. Devices running these older versions are exposing RDP to the internet, leaving them vulnerable to attack.

What’s the problem?

The problem is that the vulnerability can be abused remotely, and without any user interaction. It can be used to create wormable (self-replicating) exploits, allowing hackers to enable malware to spread on its own from machine to machine.

Microsoft has likened BlueKeep to the ‘EternalBlue’ exploit that fuelled the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks in 2017. The self-worming element is similar to how hackers used the EternalBlue exploit.

In practice, however, such exploits do not need to install wormable “malware” because there are so many targets for a botnet to exploit directly across the internet. In other words, why bother worming?

We think it is more likely that these vast numbers of internet-vulnerable machines will be exploited for cryptocurrency mining purposes. It is worth noting that BlueKeep could also be used to move laterally inside a target’s network, where worming (ie malware moving from device to device, via RDP, within the network) is certainly relevant.

What’s the advice?

Microsoft has strongly advised that all affected systems should be updated as soon as possible, and it has released patches to enable customers to do so.

In fact, the National Security Agency has also waded in, issuing its own advice pushing Microsoft Windows administrators to patch BlueKeep.

It is never OK (and never has been) for RDP to be exposed to the internet. BlueKeep is only one example of RDP exploits and vulnerabilities, and there are much better ways to make a Windows desktop session available remotely. Notably, however, there are over 3.5 million devices with RDP open to the internet on port 3389, and responding with the RDP protocol.

But, as above, Microsoft has also warned companies about the danger of thinking that any workstations that are not connected to the Internet are safe.

Simon Pope, Director of Incident Response at Microsoft noted that “it only takes one vulnerable computer connected to the internet to provide a potential gateway into … corporate networks, where advanced malware could spread, infecting computers across the enterprise”.

Don’t mistake silence for safety

Pope also warns companies about thinking they’re safe just because there haven’t been any attacks yet.

“This does not mean that we’re out of the woods,” he said. “It is possible that we won’t see this vulnerability incorporated into malware. But that’s not the way to bet.”

He likened this relative calm to the two months between the publication of the EternalBlue exploit and the WannaCry outbreak, which also saw limited attacks in the beginning.

Those attacks later increased rapidly, as more demo code became available and as hacker groups started to learn how to weaponise the exploit fully. EternalBlue then became one of the most popular exploits on the market, causing untold damage around the globe.

Indeed, at the time of writing there is evidence of significant botnet attention to the million exposed systems, as well as about half a million additional systems.

Remember

Don’t expose RDP directly to the internet, even with source-IP locking.

Always apply patches and updates as soon as they are released.

And speak to us today about how to get remote access without needing RDP open to the world.