BlueKeep: Havoc on the Horizon
Rapid Response: BlueKeep (CVE-2019-0708)
Background
The BlueKeep vulnerability was first reported by the UK’s National Cyber Security Centre (NCSC) and acknowledged by Microsoft on May 14, 2019. To be successful, the exploit must occur before authentication; however, no user interaction is required for remote attackers to execute arbitrary code on the target system. If successful, attackers can alter or delete data on the target network, install software or malware, or even alter or create new accounts with full access to anything on the network. As described by the MITRE ATT&CK framework, not only is BlueKeep a vector for Initial Access when the Remote Desktop Protocol (RDP) service is publicly exposed, but BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could rapidly spread via Lateral Movement inside enterprise networks, much like WannaCry propagated in 2017.
Following the acknowledgment of the exploit, Chaouki Bekrar of Zerodium confirmed the exploitability of BlueKeep via Twitter on May 15, stating that the “exploit works remotely, without authentication, and provides system privileges on Windows Srv 2008, Win 7, Win 2003, XP. Enabling NLA mitigates the bug.” Two weeks later, a Denial of Service (DoS) exploit was posted, and on June 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Activity Alert, confirming that both 32- and 64-bit versions of multiple operating systems are vulnerable.
Since then, an array of cybersecurity organizations and agencies have issued alerts, warnings and mitigations, including the Department of Homeland Security (DHS), the National Security Agency (NSA) and the Australian Cyber Security Centre (ACSC); these alerts all urge Windows users to patch remote desktop services (formerly Terminal Services) on affected systems as quickly as possible.
Impact
To put the potential impact in perspective, WannaCry ransomware previously affected more than 200,000 victims across 150 countries with potential costs from the event estimated at $4 billion—and, publicly accessible security-scan data shows that many public organizations are still vulnerable and according to data generated by Shodan, there are as many as one million exposed endpoints vulnerable to WannaCry, mostly in the United States.
Another infamous exploit, NotPetya, resulted in an estimated $10 billion in total damages according to a White House assessment. Moreover, Lloyd’s of London estimates that a global cyber attack could result in an average of $53 billion in economic losses. Last year, the Council of Economic Advisers (CEA) estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
Today, Shodan indexes more than three million endpoints with RDP exposed, and on June 6, the GoldBrute botnet was found to be aggressively scanning against more than 1.5 million exposed RDP endpoints. Given the number of endpoints, if mitigating actions are not taken immediately, it’s possible that the impact and damages will be on par with—or exceed—those resultant of the WannaCry and NotPetya attacks. What we hope, however, is that this problem will not reach the same disastrous levels as previous vulnerabilities on account of responsible disclosure and a more vigilant enterprise attitude toward cybersecurity risk.
Forecast
Attacks exploiting BlueKeep are imminent. Forescout Research expects ongoing attacks by multiple threat actors that leverage CVE-2019-0708 in their expanding exploit kits. While we have yet to see an exploit in the wild—or in headline news—it is certain that malicious actors are already developing code and campaigns to exploit the vulnerability. We expect BlueKeep exploits will be increasingly adopted by the long tail of cybercriminal operations; BlueKeep, like EternalBlue, will eventually become a common threat vector used by ransomware.
We expect the convergence of Information Technology (IT) and Operational Technology (OT) will, yet again, make Industrial Control Systems (ICS) and OT systems primary targets for exploit. OT systems that have historically been air-gapped or separated from the Internet are more frequently being connected to IT systems; yet, the products on those systems often run legacy versions of Windows and due to the nature of the environments where they reside, they’re rarely routinely patched. OT vendors may struggle with embedded Windows updates, particularly in the Healthcare, Manufacturing, and ICS-related sectors. For many OT operations, BlueKeep will remain a problem for the foreseeable future.
In our recently released Research Report, Putting Healthcare Security under the Microscope, we found that 32% of the devices in our device cloud sample were running RDP. Remote access remains key to device maintenance in OT and will remain a primary entry point for attackers. Vulnerabilities in major protocols (like RDP) will continue to leave major craters in the cybersecurity incident response timeline, like Server Message Block (SMB) (e.g., EternalBlue, WannaCry and NotPetya), Microsoft Plug-and-Play, and RDP (e.g., BlueKeep and SamSam).
Guidance & Mitigations
DHS CISA (US-CERT) recommends the following mitigations:
- Install available patches.
- Upgrade end-of-life (EOL) OSs.
- Disable unnecessary services.
- Enable Network Level Authentication (NLA).
- Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall.
- Security Policy Templates (SPT) v19.0.6: for both unmanaged and managed Windows endpoints, to use for grouping, policy and orchestration
- SilentDefense: to passively detect and respond to anomalous RDP scans, based on traffic towards the target
- Windows Vulnerability DB 19.0.5: for managed Windows endpoints, to address software patching
- 07-26 Blog: Forescout Cyber Weekly Roundup
- 06-25 Product Content Update: Forescout releases VR BlueKeep in Security Policy Templates v19.0.6 (SPT)
- 06-18 Blog: BlueKeep: Havoc on the Horizon / Rapid Response: BlueKeep (CVE-2019-0708)
- 06-07 Blog: Forescout Cyber Weekly Roundup
- 05-30 Blog: Bluekeep – Another Vulnerability Affecting Millions
- 05-24 Blog: forescout-cyber-weekly-roundup-july-26-2019Forescout Cyber Weekly Roundup
- 05-22 Product Content Update: Forescout releases Windows Vulnerability DB plugin v19.0.5
- Continued weaponization and commoditization of BlueKeep exploits by cybercriminal operations
- That the breakthrough technologies required will propagate underground
- That the methods used in the weapon construction will become more and more commoditized (available in off-the-shelf exploit kits for sale and joint venture by cybercriminals)
- That attack on externally exposed endpoints (those picked up by public scanners) is likely
- That BlueKeep exploits will be chained to the exploit kits used by phisherman and in watering hole attacks, which will ultimately target the “squishy center” of corporate networks, where legacy devices and sensitive OT/ICS devices reside
Forescout Recommendations
Multiple Forescout products can be used to help mitigate against the Microsoft BlueKeep vulnerability:
Current Forescout customers can visit our Community and Knowledge Base to discuss BlueKeep, download the latest VR BlueKeep Security Policy Template (SPT), or contact Forescout Support at [email protected]. This sample security policy template demonstrates how to extend Forescout capabilities to control unmanaged Windows devices via agentless mitigation in response to to BlueKeep / CVE-2019-0708. For technical requirements on this Vulnerability Response, consult the SPT Release Notes and Plugin Help File.
UPDATE – July 29: BlueKeep has remained an ongoing source of updates for cybersecurity practitioners everywhere. Forescout’s response to inevitable attack via BlueKeep exploit include commentary and product content updates:
Forescout Research continues to expect the BlueKeep vulnerability to be increasingly exploited by threat actors. For Blue Team, time to patch is running out and the protective safety buffer that the UK’s NCSC gave Microsoft and the world (by responsibly disclosing the issue) is wearing thin. Forescout Research anticipates:
Visit Community and Knowledge Base
BlueKeep isn’t the last threat, it’s just the latest one. Forescout’s goal is to protect our customers against this looming threat and others. If you have questions or would like to learn how Forescout can help your company, organization or agency guard against BlueKeep and other threats, contact us or engage with us on Twitter @Forescout.