BlueKeep – Another Vulnerability Affecting Millions

Thomas Nuth | May 30, 2019
Another Windows vulnerability has emerged onto the scene, affecting an estimated 1 million devices and placing the industrial operations and critical services of millions at risk of disruption. Of even more concern is that this vulnerability is “wormable”, meaning any future malware using this exploit could spread on its own from infected devices to other vulnerable ones [1].
Microsoft announced that the BlueKeep vulnerability in its “Remote Desktop” product, tracked as CVE-2019-0708, could lead to robust exploits. If a malicious actor releases a worm built on BlueKeep, each of the 1 million (and counting) unpatched Windows devices could be compromised. The repercussions of such an attack could lead to a cyber event that would make the WannaCry and NotPetya attacks of 2017 seem small in magnitude.
Why This Threat Is Unique
BlueKeep will test whether organizations around the world learned their lesson after the 2017 malware outbreaks. This is because BlueKeep resembles a vulnerability in the Server Message Block (SMB) protocol from two years ago for which Microsoft also released fixes, advising all users to patch their Windows machines immediately. That was the EternalBlue exploit, a hacker tool allegedly designed by and stolen from the National Security Agency (NSA). Shortly following the EternalBlue leak, the tool became the delivery mechanism for the two most damaging cyberattacks in recent history – WannaCry and NotPetya.
What This Means for You
First, ask yourself: do I have Windows devices that are vulnerable to BlueKeep / CVE-2019-0708? If not, great. If so, it’s time to get busy. Maintaining operations with unpatched vulnerable devices is a ticking time bomb. Here are a few things you can do:
Use Forescout to Isolate, Restrict or Block High-Risk Devices
UPDATE – July 29: BlueKeep has remained an ongoing source of updates for cybersecurity practitioners everywhere. Forescout’s response to the inevitable attacks via the BlueKeep exploit includes commentary and product content updates:
Forescout Research continues to expect the BlueKeep vulnerability to be increasingly exploited by threat actors. For blue teams, time to patch is running out, and the protective safety buffer that the UK’s NCSC gave Microsoft and the world (by responsibly disclosing the issue) is wearing thin. Forescout Research anticipates:
UPDATE: On June 25th, Forescout published updates to its Security Policy Templates content module, including a new template for Vulnerability Response: VR BlueKeep. This sample security policy demonstrates how to extend Forescout capabilities to control unmanaged Windows devices via agentless mitigation in response to BlueKeep / CVE-2019-0708. Customers may upgrade the Forescout platform to include SPT v19.0.6. For technical requirements, consult the Release Notes and Plugin Help File.
On May 22nd, Forescout published updates to its Windows Vulnerability Database Plugin, an extended module that helps manage Windows devices, including those vulnerable to BlueKeep / CVE-2019-0708. Customers may upgrade the Forescout platform to include Windows Vulnerability DB v19.0.5. For technical requirements, consult the Release Notes and Plugin Help File.
If you’re enforcing policies like automatic OS updates, you can use the Forescout platform to isolate non-compliant devices and initiate remediation actions. For more information, refer to the Forescout Community forum and knowledge base, or contact Forescout support at [email protected].
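Before an isolation or patch-enforcement policy can act, you need to answer the question above for each host. The PowerShell check below is an added example, not code from the original post or from any Forescout product. Run on a Windows host, it reports whether the OS generation is in the range affected by CVE-2019-0708, whether Remote Desktop is enabled, whether Network Level Authentication (NLA) is required (a mitigation Microsoft listed in its advisory for the CVE; the post itself does not discuss it), and whether a fix is installed. The function name Test-BlueKeepExposure and its $FixKbIds parameter are my own; the KB identifiers are placeholders, since the post does not give them, and must be replaced with the IDs from Microsoft's advisory for your OS.

```powershell
# Added example (not from the original post): local exposure check for BlueKeep / CVE-2019-0708.
# Uses Get-WmiObject rather than Get-CimInstance so it also runs on the PowerShell 2.0
# that ships with Windows 7 / Server 2008 R2, the hosts most likely to be affected.

function Test-BlueKeepExposure {
    param(
        # PLACEHOLDER: replace with the KB IDs that fix CVE-2019-0708 for this OS,
        # taken from Microsoft's advisory. Assumption: the fix shows up in Get-HotFix.
        [string[]] $FixKbIds = @('KBXXXXXXX')
    )

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version] $os.Version

    # CVE-2019-0708 affects the pre-Windows 8 kernel lines (NT 5.x and 6.0/6.1:
    # XP, Server 2003, Server 2008, Windows 7, Server 2008 R2). NT 6.2+ is not affected.
    $affectedGeneration = $ver -lt [version] '6.2'

    # fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 means NLA is required: a valid logon is needed before the
    # RDP session is set up, which reduces (but does not remove) exposure until patched.
    $nlaKey = "$tsKey\WinStations\RDP-Tcp"
    $ua = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($ua -eq 1)

    # Patch presence: any of the expected KB IDs present in the installed hotfix list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched = @($FixKbIds | Where-Object { $installed -contains $_ }).Count -gt 0

    # Triage outcome, in the order a defender cares about.
    if (-not $affectedGeneration) {
        $status = 'NotAffected'
        $action = 'None (OS generation not affected)'
    } elseif ($patched) {
        $status = 'Patched'
        $action = 'None'
    } elseif (-not $rdpEnabled) {
        $status = 'Unpatched-RdpDisabled'
        $action = 'Patch; keep Remote Desktop disabled until then'
    } elseif ($nlaRequired) {
        $status = 'Unpatched-RdpEnabled-NlaRequired'
        $action = 'Patch; restrict RDP reachability (NLA reduces exposure only)'
    } else {
        $status = 'Unpatched-RdpEnabled-NoNla'
        $action = 'Isolate or block RDP until patched'
    }

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $os.Version
        AffectedGeneration = $affectedGeneration
        RdpEnabled         = $rdpEnabled
        NlaRequired        = $nlaRequired
        FixInstalled       = $patched
        Status             = $status
        Action             = $action
    }
}

# Usage on the local host:
Test-BlueKeepExposure | Format-List
```

The object it returns is deliberately flat so it can be collected from many hosts (for example via Invoke-Command over WinRM, or an existing endpoint management tool) and fed to whatever policy engine isolates non-compliant devices; the Status field is the value such a policy would key on.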
The key takeaway here is that organizations urgently need to improve their security posture and patching routines. The early discovery of BlueKeep highlights an evolving cybersecurity market, yet underscores the growing need for continuous innovation in the space.
To learn more about how monitoring your organization’s network can improve your overall cybersecurity posture and bring value to your organization, check out our ROI calculator.
[1] https://www.securityweek.com/one-million-devices-vulnerable-bluekeep-hackers-scan-targets