he United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to Microsoft Windows users regarding a critical security vulnerability. By issuing the "update now" warning, CISA has joined the likes of Microsoft itself and the National Security Agency (NSA) in warning Windows users of the danger from the BlueKeep vulnerability.
BlueKeep. If your business is running on Windows 7, it’s likely a moniker you may be familiar with. The high-severity vulnerability, first revealed by Microsoft and confirmed recently by researchers, is looming as the greatest potential “wormable” threat since the infamous WannaCry ransom attack wreaked havoc across the globe in 2017.
That’s the bad news. The good news is that Windows 10 is not vulnerable to this threat. That makes BlueKeep just the latest example of the growing urgency for organizations to upgrade to Microsoft’s next-generation operating system.
Last month, Microsoft released additional security updates to protect against Bluekeep, a new security vulnerability considered a potentially ‘wormable’ flaw in the Remote Desktop (RDP) protocol (CVE-2019-0708). The vulnerability is present in the still-supported Windows 7, Vista, Server 2008 and Server 2008 R2, but also in legacy systems Windows XP and Server 2003, which is a rarity for Microsoft since Extended Support ended back in April of 2014.
Research has already revealed that just under one million internet-facing machines are vulnerable to BlueKeep on port 3389, used by the Microsoft Remote Desktop feature. But that's just the tip of this insecurity iceberg. There are a million gateways to potentially many millions more machines that sit on the internal networks they lead to. A wormable exploit can move laterally within that network, rapidly spreading to anything and everything it can infect in order to replicate and spread. Here's the real stinger: that can include machines in an Active Directory domain even if there's no BlueKeep vulnerability to exploit. The machine running the vulnerable Remote Desktop Protocol is merely the gateway, once compromised the clever money is on an incident that could become as widespread as WannaCry was back in 2017.
what does this mean?
The vulnerability can be easily exploited and weaponized by leveraging malware or even ransomware. Microsoft has even warned that the vulnerability can be as damaging as the Wannacry outbreak from a couple of years ago. It only takes a bit of code designed to exploit it and spread pre-authentication without requiring any user interaction in the process. Once the vulnerability has been abused, it’s only a matter of time before it will infect not only the target host, but the rest of the environment - if left unpatched.
The NSA also believes this can easily evolve in time: “This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
While Windows 8 and Windows 10 users are not impacted by this vulnerability, Windows 2003, Windows XP and Windows Vista all are and the news that an exploit has been confirmed justifies the unusual step of the U.S. government and its agencies getting involved in issuing these "update now" warnings.
what SHOULD YOU DO?
The CISA alert advises users to install the patches that Microsoft has made available, which includes ones for operating systems that are no longer officially supported. It also suggests users should upgrade those "end of life" systems to Windows 10.
The end of support for Windows 7 starts January 14, 2020. That means free security support will also come to an end. Even if cost alone is not a big enough motivator to upgrade, mounting vulnerabilities and increasingly expensive security fixes are just not worth the risk of staying with the status quo.
The solution is simple:
a) patch all Windows devices not only for the latest vulnerability but always, and
b) if the devices are outside of mainstream or even extended support (like legacy operating systems), it’s best to migrate to Microsoft’s latest OS, Windows 10 as soon as possible.
It’s important to understand how critical regular, recurring patching is as a key component of your overall approach to cybersecurity. Most businesses are unaware of the importance this aspect of IT management is to their stability of their ongoing business operations. Another example of why a proactive approach to IT service is critical to the success of your business.
What are you doing to ensure your systems are patched regularly? Does your inhouse IT support person have the ability to stay ahead of these incidents? Share your thoughts in the comments section below or feel free to send me an email to discuss this in more detail.