In recent years, the number of security breaches and attacks has taken everyone by surprise. Despite all measures, security has become a weak link for most organizations; once a breach is detected, it takes days, even months, for a business to bounce back to normal. Just last week, the National Security Agency (NSA) issued a warning regarding the BlueKeep threat, three weeks after Microsoft patched both supported and unsupported Windows systems against BlueKeep.
The NSA noted that “potentially millions of systems are still vulnerable,” and Microsoft issued two alerts of its own urging customers to patch the vulnerability. The NSA now describes the flaw as “the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets [this type of] vulnerability.”
This is what the NSA had to say: “NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems. NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches.”
What is EternalBlue?
The EternalBlue exploit – similar to BlueKeep – is a hacker tool allegedly designed by and stolen from the NSA. The tool can be weaponized to enable ransomware attacks like WannaCry and NotPetya. The NSA advisory presented the same mitigations recommended against other exploits of BlueKeep: disabling Remote Desktop Services where possible, blocking port 3389 and enabling Network Level Authentication (NLA).
What makes this threat unique?
You might wonder what makes BlueKeep unique. In practice, BlueKeep tests how attentively an organization responds to malware outbreaks, and it resembles a vulnerability in the Server Message Block (SMB) protocol from two years ago. Microsoft has already released fixes for this vulnerability and advises all users to patch their Windows machines immediately. Yet shortly after the EternalBlue leak, that tool became the delivery mechanism for two of the most damaging cyberattacks in recent history, as mentioned above: WannaCry and NotPetya.
What This Means for You: 5 Things to Consider
With nearly 1 million computers at risk, and given that BlueKeep is wormable – i.e. it can spread across the internet without user interaction – it is crucial that you take measures to mitigate the vulnerability and protect your organization from a catastrophe. Here are 5 things you should consider:
- First and foremost: do any of our organizations have Windows devices that are vulnerable to BlueKeep / CVE-2019-0708? Maintaining operations with unpatched vulnerable devices is a ticking time bomb.
- Patch, Patch, PATCH! … and temporarily disable Remote Desktop Protocol (RDP). If an organization runs a supported version of Windows, have them update their devices. If they are still using unsupported Windows XP or Windows Server 2003, download and apply the patches ASAP.
- Ensure RDP is properly configured. If an organization is required to use RDP, avoid excessive Internet exposure by limiting remote access to devices on the LAN, or by accessing them via a VPN. (Organizations can also use a firewall to filter RDP access by whitelisting a specific IP range.)
NOTE: Using multi-factor authentication (MFA) can also improve the security of remote sessions.
- Enable Network Level Authentication (NLA). Enabling NLA can partially mitigate the BlueKeep vulnerability, because the flaw is exploited within an established remote session, and NLA requires the user to authenticate before such a session is established.
- Initiate a multi-faceted IT security solution. Detecting vulnerabilities such as BlueKeep, or managing patching tasks, is no small task, especially for geo-distributed enterprise networks. Detailed asset inventories, contextual analysis and network monitoring aid policy adherence and mitigate human error.
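The checklist above can be audited on each Windows host from the shell an administrator would actually use. The following PowerShell function is an added example, not code from the original post: it reports whether RDP is enabled, whether NLA is required, whether the CVE-2019-0708 update is present and whether any inbound firewall rule allows TCP/3389 from any address, and it can optionally apply the NLA and firewall parts of the checklist. The `$AllowedRange` value and the `$PatchKB` value are placeholders you must replace with your own LAN/VPN range and the KB number Microsoft lists for the host's OS version.

```powershell
# Added example (not from the original post): audit a Windows host against the
# BlueKeep / RDP checklist. Assumes an elevated PowerShell 5.1+ session.
function Test-RdpHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$AllowedRange = '10.0.0.0/8',  # placeholder: your LAN or VPN range
        [string]$PatchKB      = 'KBxxxxxxx',   # placeholder: the CVE-2019-0708 update for this OS
        [switch]$Remediate
    )
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # 1. Is RDP enabled? fDenyTSConnections = 1 means remote connections are denied.
    $rdpEnabled = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # 2. Is NLA required? UserAuthentication = 1 forces authentication before a session exists.
    $nla = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1

    # 3. Is the patch installed? A placeholder KB id simply reports "not installed".
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    # 4. Which enabled inbound allow rules expose TCP/3389 to any remote address?
    $open3389 = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

    if ($Remediate -and $rdpEnabled) {
        # Require NLA so unauthenticated clients never reach the vulnerable code path.
        if (-not $nla -and $PSCmdlet.ShouldProcess($tcp, 'Require Network Level Authentication')) {
            Set-ItemProperty $tcp -Name UserAuthentication -Value 1
        }
        # Restrict every wide-open 3389 rule to the allowed range instead of deleting it.
        foreach ($rule in $open3389) {
            if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Restrict TCP/3389 to $AllowedRange")) {
                $rule | Set-NetFirewallRule -RemoteAddress $AllowedRange
            }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nla
        PatchInstalled = $patched
        Open3389Rules  = @($open3389).Count
        # Exposed = reachable from anywhere, unpatched, and accepting RDP connections.
        Exposed        = $rdpEnabled -and (-not $patched) -and (@($open3389).Count -gt 0)
    }
}

Test-RdpHardening   # audit only; add -Remediate (try it with -WhatIf first) to apply changes
```

Run the audit across an inventory with `Invoke-Command` and collect the returned objects; any host reporting `Exposed = True` should be patched or taken off the Internet-facing path first.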
The key takeaway is that organizations need to improve their security posture and patching routines immediately. Microsoft’s May patch release cycle provides protection against potential exploits, which have yet to be reported as part of the hacker toolbox (yet!). Other measures can also be taken, as described by the NSA and echoing Microsoft’s advice: disabling Remote Desktop Services (RDS) for remote network connections where possible, which may be essential when the service is not needed; turning on Network Level Authentication, which blocks unauthenticated attackers; and blocking TCP port 3389, used by the Remote Desktop Protocol (RDP), at the firewall.