BlueKeep – Another Vulnerability Affecting Millions
Another Windows vulnerability has emerged onto the scene affecting an estimated 1 million devices, subsequently placing the industrial operations and critical services of millions at risk of disruption. Of even more concern is that this vulnerability is “wormable”, meaning any future malware using this exploit would quickly spread through all infected devices 1.
Microsoft announced the BlueKeep vulnerability in its “Remote Desktop” product, tracked as CVE-2019-0708 , could lead to robust exploits. When a malicious actor chooses to activate the BlueKeep worm, each of the 1 million Windows devices (and counting) would be compromised. The repercussions of such an attack could lead to a cyber event that would make the WannaCry and notPetya attacks of 2017 seem small in magnitude.
Why This Threat Is Unique
BlueKeep will test whether organizations around the world learned their lesson after the 2017 malware outbreaks. The reason for this is because BlueKeep resembles a vulnerability in the Server Message Block (SMB) protocol from two years ago that Microsoft also released fixes for, advising all users to patch their Windows machines immediately. This was the EternalBlue exploit, a hacker tool allegedly designed by and stolen from the National Security Agency (NSA). Shortly following the EternalBlue leak, the tool became the delivery mechanism for the two most damaging cyberattacks in recent history – WannaCry and NotPetya.
What This Means for You
First, ask yourself, do I have Windows devices that are vulnerable to BlueKeep / CVE-2019-0708. If not, great. If so, it’s time to get busy. Maintaining operations with unpatched vulnerable devices is a time bomb waiting to happen. Here’s a few things you can do:
- Temporarily disable Remote Desktop Protocol (RDP) and patch – quickly. If your organization runs a supported version of Windows, update your devices. If you are still using unsupported Windows XP or Windows Server 2003, download and apply the patches ASAP.
- Configure RDP properly. If you must use RDP, avoid exposing it to the internet by limiting remote access to devices only on the LAN, or accessing via a VPN. Another option is to use a firewall to filter RDP access by whitelisting a specific IP range. Using multi-factor authentication (MFA) can also improve the security of remote sessions.
- Enable Network Level Authentication (NLA). Enabling NLA can partially mitigate the BlueKeep vulnerability, as it requires the user to authenticate before a remote session is established and the flaw can be misused.
- Be sure to use a scalable cybersecurity solution that can provide complete device visibility and operational status monitoring across both IT and OT domains. Detecting vulnerabilities such as BlueKeep, or managing patching tasks, is no small task, especially for geo-distributed enterprise networks. Detailed asset inventories, contextual analysis and network monitoring aid policy adherence and mitigate human error.
Use Forescout to Isolate, Restrict or Block High-Risk Devices
UPDATE – July 29: BlueKeep has remained an ongoing source of updates for cybersecurity practitioners everywhere. Forescout’s response to inevitable attack via BlueKeep exploit include commentary and product content updates:
- 07-26 Blog: Forescout Cyber Weekly Roundup
- 06-25 Product Content Update: Forescout releases VR BlueKeep in Security Policy Templates v19.0.6 (SPT)
- 06-18 Blog: BlueKeep: Havoc on the Horizon / Rapid Response: BlueKeep (CVE-2019-0708)
- 06-07 Blog: Forescout Cyber Weekly Roundup
- 05-30 Blog: Bluekeep – Another Vulnerability Affecting Millions
- 05-24 Blog: forescout-cyber-weekly-roundup-july-26-2019Forescout Cyber Weekly Roundup
- 05-22 Product Content Update: Forescout releases Windows Vulnerability DB plugin v19.0.5
- Continued weaponization and commoditization of BlueKeep exploits by cybercriminal operations
- That the breakthrough technologies required will propagate underground
- That the methods used in the weapon construction will become more and more commoditized (available in off-the-shelf exploit kits for sale and joint venture by cybercriminals)
- That attack on externally exposed endpoints (those picked up by public scanners) is likely
- That BlueKeep exploits will be chained to the exploit kits used by phisherman and in watering hole attacks, which will ultimately target the “squishy center” of corporate networks, where legacy devices and sensitive OT/ICS devices reside
Forescout Research continues to expect the BlueKeep vulnerability to be increasingly exploited by threat actors. For Blue Team, time to patch is running out and the protective safety buffer that the UK’s NCSC gave Microsoft and the world (by responsibly disclosing the issue) is wearing thin. Forescout Research anticipates:
UPDATE: On June 25th, Forescout published updates to its Security Policy Templates content module, including a new template for Vulnerability Response: VR BlueKeep. This sample security policy demonstrates how to extend Forescout capabilities to control unmanaged Windows devices via agentless mitigation in response to BlueKeep / CVE-2019-0708. Customers may upgrade the Forescout platform to include SPT v19.0.6. For technical requirements, consult the Release Notes and Plugin Help File.
On May 22nd, Forescout published updates to its Windows Vulnerability Database Plugin, an extended module that helps manage Windows devices, including those vulnerable to BlueKeep / CVE-2019-0708. Customers may upgrade the Forescout platform to include Windows Vulnerability DB v19.0.5. For technical requirements, consult the Release Notes and Plugin Help File.
If you’re enforcing policies like automatic OS updates, you can use the Forescout platform to isolate non-compliant devices and initiate remediation actions. For more information, refer to the Forescout Community forum and knowledge base, or contact Forescout support at [email protected]
The key takeaway here is that organizations urgently need to improve their security posture and patching routines. The early discovery of BlueKeep highlights an evolving cybersecurity market, yet underscores the growing need for continuous innovation in the space.