Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

BlueKeep: Havoc on the Horizon

Rapid Response: BlueKeep (CVE-2019-0708)

Colby Proffitt, Cyber Strategist and David Wolf, Principal Security Researcher | June 18, 2019

Background

The BlueKeep vulnerability was first reported by the UK’s National Cyber Security Centre (NCSC) and acknowledged by Microsoft on May 14, 2019. To be successful, the exploit must occur before authentication; however, no user interaction is required for remote attackers to execute arbitrary code on the target system. If successful, attackers can alter or delete data on the target network, install software or malware, or even alter or create new accounts with full access to anything on the network. As described by the MITRE ATT&CK framework, not only is BlueKeep a vector for Initial Access when the Remote Desktop Protocol (RDP) service is publicly exposed, but BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could rapidly spread via Lateral Movement inside enterprise networks, much like WannaCry propagated in 2017.

Following the acknowledgment of the exploit, Chaouki Bekrar of Zerodium confirmed the exploitability of BlueKeep via Twitter on May 15, stating that the “exploit works remotely, without authentication, and provides system privileges on Windows Srv 2008, Win 7, Win 2003, XP. Enabling NLA mitigates the bug.” Two weeks later, a Denial of Service (DoS) exploit was posted, and on June 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Activity Alert, confirming that both 32- and 64-bit versions of multiple operating systems are vulnerable.

Since then, an array of cybersecurity organizations and agencies have issued alerts, warnings and mitigations, including the Department of Homeland Security (DHS), the National Security Agency (NSA) and the Australian Cyber Security Centre (ACSC); these alerts all urge Windows users to patch remote desktop services (formerly Terminal Services) on affected systems as quickly as possible.

Impact

To put the potential impact in perspective, WannaCry ransomware previously affected more than 200,000 victims across 150 countries with potential costs from the event estimated at $4 billion—and, publicly accessible security-scan data shows that many public organizations are still vulnerable and according to data generated by Shodan, there are as many as one million exposed endpoints vulnerable to WannaCry, mostly in the United States.

Another infamous exploit, NotPetya, resulted in an estimated $10 billion in total damages according to a White House assessment. Moreover, Lloyd’s of London estimates that a global cyber attack could result in an average of $53 billion in economic losses. Last year, the Council of Economic Advisers (CEA) estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.

Today, Shodan indexes more than three million endpoints with RDP exposed, and on June 6, the GoldBrute botnet was found to be aggressively scanning against more than 1.5 million exposed RDP endpoints. Given the number of endpoints, if mitigating actions are not taken immediately, it’s possible that the impact and damages will be on par with—or exceed—those resultant of the WannaCry and NotPetya attacks. What we hope, however, is that this problem will not reach the same disastrous levels as previous vulnerabilities on account of responsible disclosure and a more vigilant enterprise attitude toward cybersecurity risk.

Forecast

Attacks exploiting BlueKeep are imminent. Forescout Research expects ongoing attacks by multiple threat actors that leverage CVE-2019-0708 in their expanding exploit kits. While we have yet to see an exploit in the wild—or in headline news—it is certain that malicious actors are already developing code and campaigns to exploit the vulnerability. We expect BlueKeep exploits will be increasingly adopted by the long tail of cybercriminal operations; BlueKeep, like EternalBlue, will eventually become a common threat vector used by ransomware.

We expect the convergence of Information Technology (IT) and Operational Technology (OT) will, yet again, make Industrial Control Systems (ICS) and OT systems primary targets for exploit. OT systems that have historically been air-gapped or separated from the Internet are more frequently being connected to IT systems; yet, the products on those systems often run legacy versions of Windows and due to the nature of the environments where they reside, they’re rarely routinely patched. OT vendors may struggle with embedded Windows updates, particularly in the Healthcare, Manufacturing, and ICS-related sectors. For many OT operations, BlueKeep will remain a problem for the foreseeable future.

In our recently released Research Report, Putting Healthcare Security under the Microscope, we found that 32% of the devices in our device cloud sample were running RDP. Remote access remains key to device maintenance in OT and will remain a primary entry point for attackers. Vulnerabilities in major protocols (like RDP) will continue to leave major craters in the cybersecurity incident response timeline, like Server Message Block (SMB) (e.g., EternalBlue, WannaCry and NotPetya), Microsoft Plug-and-Play, and RDP (e.g., BlueKeep and SamSam).

Guidance & Mitigations

DHS CISA (US-CERT) recommends the following mitigations:

  • Install available patches.
  • Upgrade end-of-life (EOL) OSs.
  • Disable unnecessary services.
  • Enable Network Level Authentication (NLA).
  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall.

    • Forescout Recommendations

    Multiple Forescout products can be used to help mitigate against the Microsoft BlueKeep vulnerability:

    • Security Policy Templates (SPT) v19.0.6: for both unmanaged and managed Windows endpoints, to use for grouping, policy and orchestration
    • SilentDefense: to passively detect and respond to anomalous RDP scans, based on traffic towards the target
    • Windows Vulnerability DB 19.0.5: for managed Windows endpoints, to address software patching

    Current Forescout customers can visit our Community and Knowledge Base to discuss BlueKeep, download the latest VR BlueKeep Security Policy Template (SPT), or contact Forescout Support at [email protected]. This sample security policy template demonstrates how to extend Forescout capabilities to control unmanaged Windows devices via agentless mitigation in response to to BlueKeep / CVE-2019-0708. For technical requirements on this Vulnerability Response, consult the SPT Release Notes and Plugin Help File.

    UPDATE – July 29: BlueKeep has remained an ongoing source of updates for cybersecurity practitioners everywhere. Forescout’s response to inevitable attack via BlueKeep exploit include commentary and product content updates:

Demo Request Forescout Platform Top of Page