Another Windows vulnerability has emerged affecting an estimated 1 million devices, placing the industrial operations and critical services of millions of people at risk of disruption. Of even more concern, this vulnerability is “wormable”: malware that exploits it could spread on its own from one vulnerable device to the next, without any user interaction.
Microsoft announced that the BlueKeep vulnerability in its “Remote Desktop” product, tracked as CVE-2019-0708, could lead to robust exploits. If a malicious actor releases a worm that uses BlueKeep, each of the 1 million unpatched Windows devices (and counting) could be compromised. The repercussions of such an attack could produce a cyber event that would make the WannaCry and NotPetya attacks of 2017 seem small in magnitude.
Why This Threat Is Unique
BlueKeep will test whether organizations around the world learned their lesson after the 2017 malware outbreaks, because it resembles a vulnerability in the Server Message Block (SMB) protocol from two years ago for which Microsoft also released fixes, advising all users to patch their Windows machines immediately. That flaw was exploited by EternalBlue, a hacking tool allegedly developed by and stolen from the National Security Agency (NSA). Shortly after the EternalBlue leak, the tool became the delivery mechanism for the two most damaging cyberattacks in recent history – WannaCry and NotPetya.
What This Means for You
First, ask yourself: do I have Windows devices that are vulnerable to BlueKeep / CVE-2019-0708? If not, great. If so, it’s time to get busy. Maintaining operations with unpatched vulnerable devices is a time bomb waiting to go off. Here are a few things you can do:
- Temporarily disable Remote Desktop Protocol (RDP) and patch – quickly. If your organization runs a supported version of Windows, update your devices. If you are still using unsupported Windows XP or Windows Server 2003, download and apply the patches ASAP.
- Configure RDP properly. If you must use RDP, avoid exposing it to the internet by limiting remote access to devices only on the LAN, or accessing via a VPN. Another option is to use a firewall to filter RDP access by whitelisting a specific IP range. Using multi-factor authentication (MFA) can also improve the security of remote sessions.
- Enable Network Level Authentication (NLA). Enabling NLA partially mitigates the BlueKeep vulnerability, because it requires the client to authenticate before a remote session is established, so an unauthenticated attacker cannot reach the flawed code path. It is a stopgap, not a substitute for the patch: any account that can authenticate could still trigger the flaw.
- Be sure to use a scalable cybersecurity solution that can provide complete device visibility and operational status monitoring across both IT and OT domains. Detecting vulnerabilities such as BlueKeep, or managing patching tasks, is no small task, especially for geo-distributed enterprise networks. Detailed asset inventories, contextual analysis and network monitoring aid policy adherence and mitigate human error.
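The first three steps above can be audited and applied from an elevated PowerShell session. The script below is an added example and is not code from the original post or from Forescout: it reports whether RDP is enabled, whether NLA is required and whether a given hotfix is installed, then either disables RDP outright or keeps it running with NLA enforced and the Windows firewall rule restricted to an allowed source range. The registry paths are the standard Terminal Server keys; the `$AllowedRdpSources` range is constructed, and `$PatchKb` is a placeholder for the KB number Microsoft lists for the host’s OS version (the post does not give it, so it is not filled in here).

```powershell
# Added example (not from the original post): audit and harden RDP on one Windows host.
# Run in an elevated PowerShell session on the host being checked.

$TsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp  = "$TsPath\WinStations\RDP-Tcp"
$AllowedRdpSources = '10.0.0.0/8'   # constructed: replace with your management LAN or VPN range
$PatchKb = 'KB<placeholder>'        # placeholder: take the KB id from Microsoft's advisory for this OS

function Get-RdpPosture {
    # fDenyTSConnections = 1 means RDP is switched off; UserAuthentication = 1 means NLA is required.
    $rdpDisabled = (Get-ItemProperty -Path $TsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla         = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $patched     = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    $listener    = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($rdpDisabled -ne 1)
        NlaRequired    = ($nla -eq 1)
        PatchInstalled = $patched
        ListeningOn    = (($listener | ForEach-Object { $_.LocalAddress }) -join ',')
    }
}

function Set-RdpHardening {
    param([switch]$DisableRdp)

    if ($DisableRdp) {
        # Step 1 from the post: turn RDP off entirely until the host is patched.
        Set-ItemProperty -Path $TsPath -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }

    # Step 3: require NLA so an unauthenticated client never reaches the vulnerable code.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1

    # Step 2: keep the listener, but limit the built-in firewall rule group to the allowed range.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedRdpSources
}

$before = Get-RdpPosture
$before | Format-List

if ($before.RdpEnabled -and -not $before.PatchInstalled) {
    # Exposed and unpatched: restrict access now, then install the update through Windows Update
    # or the standalone installer from the advisory, and re-run Get-RdpPosture afterwards.
    Set-RdpHardening
    Get-RdpPosture | Format-List
}
```

Run `Set-RdpHardening -DisableRdp` instead when the host does not need RDP at all; the `Get-RdpPosture` output is also convenient to collect from many hosts (for example with `Invoke-Command`) to build the list of devices that still need the patch.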
Use Forescout to Isolate, Restrict or Block High-Risk Devices
On May 22nd, Forescout published updates to its Windows Vulnerability Database Plugin, an extended module that helps manage Windows devices, including those vulnerable to BlueKeep / CVE-2019-0708. Customers may upgrade the Forescout platform to include Windows Vulnerability DB v19.0.5. For technical requirements, consult the Release Notes and Plugin Help File.
If you’re enforcing policies like automatic OS updates, you can use the Forescout platform to isolate non-compliant devices and initiate remediation actions. For more information, refer to the Forescout Community forum and knowledge base, or contact Forescout support at email@example.com.
The key takeaway here is that organizations urgently need to improve their security posture and patching routines. The early discovery of BlueKeep highlights an evolving cybersecurity market, yet underscores the growing need for continuous innovation in the space.
To learn more about how monitoring your organization’s network can improve your overall cybersecurity posture and bring value to your organization, check out our ROI calculator.