Microsoft Sounds Second Alarm Over BlueKeep Vulnerability


Security Experts Warn Exploits Are Coming

(@Ferguson_Writes) • May 31, 2019

Microsoft has issued a second security warning over BlueKeep, a recently discovered vulnerability in its Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over devices running unpatched older Windows operating systems.


The software giant took the unusual step Thursday of issuing a second alert within a month concerning the BlueKeep flaw as security researchers expressed growing concerns that bad actors are rapidly developing exploits and that proof-of-concept code has already leaked online.

In a new message, Simon Pope, director of incident response for the Microsoft Security Response Center, compared BlueKeep to EternalBlue, the Windows vulnerability that later opened the door to the WannaCry and NotPetya ransomware attacks of 2017. Pope warned that with reports of nearly 1 million Windows devices vulnerable to this flaw, security teams need to apply the patch that Microsoft issued with its first warning on May 14 (see: 1 Million Windows Devices 'Vulnerable to Remote Desktop Flaw').

"It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we're out of the woods," Pope warns. "If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner."

The vulnerability affects only older versions of Microsoft's Windows operating system, some of which are no longer supported by the company. The flaw affects Windows XP, Windows 7, Windows 2003 and Windows Server 2008, the company notes. Newer versions of Windows, including Windows 8 and Windows 10, are not affected.

Looking for Exploits

In his note, Pope says that Microsoft security researchers are "confident that an exploit exists" for BlueKeep and that it's only a matter of time before threat actors take advantage of unpatched machines to spread their malware. He adds that it only took about 60 days between the issuing of the EternalBlue patch and the first attacks attributed to WannaCry in 2017 (see: After 2 Years, WannaCry Remains a Threat).

Independent security researchers have spotted proof-of-concept code designed to exploit this vulnerability, which is designated CVE-2019-0708.

British security researcher Marcus Hutchins, who discovered the "kill switch" that helped stem the WannaCry attacks two years ago, warns that some people are posting fake code to GitHub and other software repositories to hide or obscure the truly dangerous exploits being developed.

These warnings about proof-of-concept code and the urgency of patching come after Robert Graham of the security firm Errata Security wrote a May 28 blog post about his finding that about 950,000 unpatched devices running older versions of Windows are still vulnerable to exploits based on BlueKeep. Additionally, security firm GreyNoise Intelligence warned on May 24 that at least one threat actor is scanning networks looking for systems that are susceptible to BlueKeep.

Meanwhile, security vendors Zerodium, McAfee, Kaspersky, Check Point, MalwareTech and Valthek have developed exploits for BlueKeep but are keeping that code private. This demonstrates, however, that a determined attacker could take advantage of the vulnerability.

Protecting Older Versions of Windows

The BlueKeep vulnerability was first spotted by the U.K.'s National Cyber Security Center, and Microsoft issued its patch for it on May 14 as part of this month's Patch Tuesday security update. If a threat actor can access and exploit BlueKeep, the attacker could "execute arbitrary code on the target system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights," according to the May 14 alert.

Microsoft has also warned that because the BlueKeep vulnerability does not require user interaction, an exploit could spread malware from one vulnerable machine to another within a network in the same way that the WannaCry ransomware was "wormable."

"It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise," Microsoft's Pope warns in his Thursday post. "This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed."