In May, Microsoft disclosed a serious security vulnerability affecting many older versions of Windows for desktops and servers.
The vulnerability is called BlueKeep, and it allows attackers to use Microsoft's Remote Desktop Services to attack unpatched computers running older versions of Windows: Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008.
Microsoft labels the vulnerability as "critical" because it gives attackers almost unlimited access to a system, and because it is "wormable," meaning that it can spread the same way WannaCry did.
"The impact of this, if exploited, will be catastrophic," said Rehan Bashir, managing security consultant at Synopsys.
Microsoft has even taken the unusual step of releasing patches for no-longer-supported versions of Windows, including XP, Vista, and Server 2003.
Both the NSA and Homeland Security's Cybersecurity and Infrastructure Security Agency have issued warnings about the threat.
"This level of attention isn't common and should be taken seriously," said Scott Caveza, research engineering manager at Tenable Network Security.
Data center managers should patch all systems immediately, he said. If a patch can't be immediately applied, organizations should enable Network Level Authentication, which can help protect against the threat.
Data centers may also want to block TCP port 3389 at the perimeter firewall, he said.
"This would also be a good time to evaluate what services are enabled on hosts and disable any that are unnecessary, as well as determine if any unsupported OS versions are present in the data center," he said.
There are still many unpatched machines out there.
Out of four million publicly accessible machines BitSight’s security researchers recently scanned, nearly a million were still vulnerable in mid-June, a month after Microsoft sounded the initial warning and released patches. About 1.6 million machines were patched; status of the other 1.4 million was unknown.
This only covers public-facing systems. There may be other unpatched machines behind corporate firewalls, invisible to the public internet but still vulnerable to lateral attacks from inside the network.
BlueKeep exploits a common vulnerability in modern data centers, said Tim Mackey, principal security strategist at Synopsys. "Remote access is a requirement and legacy systems abound," he said.
He recommends that data center operators run a network scan to determine active systems running Remote Desktop Access. In addition, virtual-machine templates for Windows machines should be inspected and patched, he said.
He also suggests that data centers running Windows 2000 machines need to be careful.
The Department of Homeland Security has warned that Windows 2000 is vulnerable to BlueKeep and issued an advisory.
But Microsoft has not released a patch for Windows 2000. Support for Windows 2000 ended in 2010.
Exploits On the Way
Several security researchers have already worked out ways to exploit the vulnerability, so the bad guys won't be far behind.
For example, Sophos has released a video showing that it's possible for an attacker to take over a target machine, which would allow hackers to automate an entire attack chain.
Right now is the most vulnerable time, said Humberto Gauna, a consultant at BTB Security.
"At 60 days old, BlueKeep is at the time of ripeness for a vulnerability to be taken advantage of by malicious actors," he said. "The vulnerability is new enough to be unpatched in many environments and old enough that those that didn’t patch are likely fairly immature from an IT process respect – which maximizes the damage the bad actors can do."
According to Johannes Ullrich, dean of research at the SANS Technology Institute, it might be a few days before an exploit is publicly available to attackers. But development is active, he wrote on July 8, "And I don't think you have more than a week."
There are already signs that attackers are scanning the internet for vulnerable machines using the anonymous Tor network.
"We observed BlueKeep scans, almost exclusively from Tor exit nodes. However, this activity ceased about two weeks ago," said Greg Wells, product manager at GreyNoise Intelligence, a security research firm. "I think we should assume that these scans are a precursor to potential attacks and take action accordingly."
That means data centers that rely on remote sessions using Microsoft's Remote Desktop Services, especially if they have those services exposed to the internet, should consider BlueKeep to be a highly critical threat, he said.
"Given the potential for BlueKeep to be weaponized as a worm, an attacker would only need to exploit one vulnerable system within a network and then propagate to other vulnerable systems," he added.
Workarounds and Mitigations
- Run a scan to identify vulnerable machines -- including virtual machines and virtual machine templates -- that need patching, or, in the case of Windows 2000, replacing or upgrading.
- Patch or upgrade all vulnerable systems as quickly as possible, including those that have Remote Desktop Services disabled.
- Disable Remote Desktop Services if they are not required.
- Enable Network Level Authentication where available. This requires attackers to have a valid account on the system before they can exploit the vulnerability, which will add a layer of protection.
- Block the port used by Remote Desktop Service, TCP port 3389, at the enterprise perimeter firewall or limit access to a whitelist of trusted IP addresses.
- Use secure virtual private networks to connect to internal Remote Desktop Services servers.
- Add multifactor authentication to machines offering Remote Desktop Services.
- Segment internal network traffic based on regular users vs. administrators.
- Ensure regular users don’t have the ability to initiate Remote Desktop Services sessions on production servers. Administrator access to production systems should be via isolated network processes.
- Configure Windows Firewall to prevent users on the network segment for regular users from initiating RDP connections or accepting them from non-administrators.
- Take Windows 2000 machines offline or take other steps to isolate them until they can be replaced.
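As an added example (not code from the article or from any vendor quoted in it), the script below applies the workarounds above to a single Windows 7 / Server 2008 host from an elevated PowerShell prompt: it enforces Network Level Authentication, optionally disables Remote Desktop, restricts TCP 3389 to an allow-list, and reports the resulting state. The allow-list address, the rule name, and the choice of netsh over the newer NetSecurity cmdlets (which are absent on those OS versions) are my assumptions.

```powershell
# Added example, not from the article or the vendors it quotes: interim BlueKeep
# hardening for one legacy Windows host (7 / Server 2008). Run elevated.
# Assumptions: $AllowedRdpSources is a PLACEHOLDER to replace with your admin
# jump hosts or VPN pool; netsh is used because New-NetFirewallRule and friends
# do not exist on Windows 7 / Server 2008. This is a stopgap until the patch
# is installed, not a substitute for it.
param(
    [string[]] $AllowedRdpSources = @('10.0.0.0/24'),   # PLACEHOLDER: replace
    [switch]   $DisableRemoteDesktop                     # set when RDS is not needed
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'RDP allow-list - BlueKeep interim'
$sources  = $AllowedRdpSources -join ','

# 1. Require Network Level Authentication (UserAuthentication=1) and the TLS
#    security layer (SecurityLayer=2): the client must authenticate via CredSSP
#    before a session exists, so an attacker needs valid credentials first.
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord

# 2. If this host does not need Remote Desktop at all, turn it off outright.
if ($DisableRemoteDesktop) {
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
}

# 3. Restrict TCP 3389 to the allow-list: disable the built-in "Remote Desktop"
#    rule group, add one scoped allow rule (deleting a stale copy first so the
#    script can be re-run), and make the inbound default policy "block".
netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$sources | Out-Null
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

# 4. Report what the host now enforces, for the inventory the article asks for.
$rdp = Get-ItemProperty -Path $rdpTcp
$ts  = Get-ItemProperty -Path $tsKey
$listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
New-Object PSObject -Property @{
    ComputerName      = $env:COMPUTERNAME
    NlaRequired       = ($rdp.UserAuthentication -eq 1)
    TlsSecurityLayer  = ($rdp.SecurityLayer -eq 2)
    RemoteDesktopOff  = ($ts.fDenyTSConnections -eq 1)
    Port3389Listening = $listening
    AllowedRdpSources = $sources
}
```

The registry changes take effect for new connections without a reboot; existing sessions are not dropped, so re-test from a non-allow-listed address to confirm the firewall scope.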
Sources: Tenable, GreyNoise, Synopsys, BTB Security, Microsoft, DHS