The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has gone public with a warning to Microsoft Windows users regarding a critical security vulnerability. By issuing the “update now” warning, CISA has joined the likes of Microsoft itself and the National Security Agency (NSA) in warning Windows users of the danger from the BlueKeep vulnerability.
This latest warning, and many would argue the one with most gravitas, comes hot on the heels of Yaniv Balmas, the global head of cyber research at security vendor Check Point, telling me in an interview for SC Magazine UK that “it’s now a race against the clock by cyber criminals which makes this vulnerability a ticking cyber bomb.” Balmas also predicted that it will only be “a matter of weeks” before attackers start exploiting BlueKeep.
The CISA alert appears to confirm this, stating that it has, “coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep.” Confirmation of remote code execution on Windows 2000 might not sound too frightening, this being an old operating system after all, but it would be unwise to dismiss this as an exercise in fear, uncertainty and doubt. Until now, the exploits that have been developed, at least those seen in operation, did nothing more than crash the computer. Achieving remote code execution brings the specter of the BlueKeep worm into view, as it hands control of infected machines to the attacker.
Research has already revealed that just under one million internet-facing machines are vulnerable to BlueKeep on port 3389, used by the Microsoft Remote Desktop feature. But that’s just the tip of this insecurity iceberg. These are a million gateways to potentially many millions more machines that sit on the internal networks they lead to. A wormable exploit can move laterally within that network, rapidly spreading to anything and everything it can infect in order to replicate and spread. Here’s the real stinger: that can include machines in an Active Directory domain even if there’s no BlueKeep vulnerability to exploit. The machine running the vulnerable Remote Desktop Protocol is merely the gateway; once it is compromised, the clever money is on an incident that could become as widespread as WannaCry was back in 2017.
The U.S. National Security Agency (NSA) had issued a warning of the BlueKeep vulnerability on June 4. The NSA urged “Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threat.” Microsoft itself has twice now published warnings about BlueKeep including one that was reported as begging users to update their Windows installations.
Now it looks like Ian Thornton-Trump, head of security at AmTrust International, was bang on the money when he told me that he suspected the NSA had, “classified information about actor(s) who may target critical infrastructure with this exploit.” Given that this critical infrastructure is largely made up of the Windows XP and 2K3 family, this would make a lot of sense. While Windows 8 and Windows 10 users are not impacted by this vulnerability, Windows 2003, Windows XP and Windows Vista all are and the news that an exploit has been confirmed justifies the unusual step of the U.S. government and its agencies getting involved in issuing these “update now” warnings.
Satnam Narang, a senior research engineer at Tenable, says that the CISA alert is, “yet another unprecedented move surrounding the BlueKeep vulnerability.” Serving as a reminder of how serious the threat of BlueKeep is to organizations everywhere, Narang went on to add, “this level of attention is certainly warranted. The writing is on the wall; BlueKeep has the potential to cause widespread devastation, similar to the WannaCry worm in 2017. Organizations must act and patch vulnerable systems, or implement mitigations if patching isn’t easily viable.”
The CISA alert advises users to install the patches that Microsoft has made available, which include ones for operating systems that are no longer officially supported. It also suggests users should upgrade those “end of life” systems to Windows 10. This will not, unfortunately, be possible in all cases, but the patching advice remains prudent. However, these patches should still be tested before rolling them out to a “live” installation to minimize any potential negative impact on the systems concerned. Given the problems that users of Windows have endured as a result of mis-handled Microsoft patches and updates of late, I cannot stress enough how important this testing advice is. That said, anyone who has not yet patched against the BlueKeep threat should do so as a matter of urgency, wherever possible. If that’s not possible, and there may be some cases where it is not, then disabling any services the operating system is not using is recommended to limit exposure to BlueKeep. Equally, enabling Network Level Authentication in Windows 7, Windows Server 2008 and Windows Server 2008 R2, so as to require session requests to be authenticated before a session is created, will also mitigate BlueKeep, which relies on an unauthenticated session.
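As an added example, not code from the article, CISA or Microsoft, the PowerShell script below audits a single Windows 7 / Server 2008 / 2008 R2 host for the mitigations the alert describes: whether the BlueKeep patch is installed, whether Remote Desktop is enabled and listening on port 3389, and whether Network Level Authentication is required. With `-Enforce` it turns NLA on, and with `-DisableRdp` it also disables the Remote Desktop service where it is not needed. The article does not list Microsoft’s patch identifiers, so the `$PatchKBs` default is a labelled placeholder that the administrator must replace with the KB numbers from Microsoft’s advisory; the registry paths and values (`fDenyTSConnections`, `UserAuthentication`) are the standard Terminal Server settings, and the `-ErrorAction` handling is there because the values may be absent on an unconfigured host.

```powershell
<#
  Added example (not from the article, CISA or Microsoft).
  Audits one host for the BlueKeep mitigations described in the alert and,
  with -Enforce, applies Network Level Authentication. Run from an elevated
  PowerShell prompt (PowerShell 2.0 compatible, so it works on Windows 7).
  KB identifiers are NOT given in the article: replace the placeholder.
#>
param(
    [string[]]$PatchKBs = @('KB-PLACEHOLDER'),  # assumption: admin fills in the advisory KBs
    [switch]$Enforce,                           # require NLA instead of only reporting
    [switch]$DisableRdp                         # also disable Remote Desktop if it is unused
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Test-BlueKeepPatch {
    # True if any of the supplied KB ids appears in the installed hotfix list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $PatchKBs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-RdpState {
    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created,
    # which is what blocks the unauthenticated request BlueKeep relies on.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication
    # Confirm whether anything is actually listening on TCP 3389.
    $listening = netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'
    New-Object PSObject -Property @{
        RdpEnabled   = ($deny -ne 1)
        NlaRequired  = ($nla -eq 1)
        Port3389Open = [bool]$listening
        Patched      = (Test-BlueKeepPatch)
    }
}

$state = Get-RdpState
Write-Output "Host: $env:COMPUTERNAME"
Write-Output ("  Patch installed      : {0}" -f $state.Patched)
Write-Output ("  Remote Desktop on    : {0}" -f $state.RdpEnabled)
Write-Output ("  Listening on 3389    : {0}" -f $state.Port3389Open)
Write-Output ("  NLA required         : {0}" -f $state.NlaRequired)

# Exposure only matters when RDP is reachable without the patch and without NLA.
if (-not $state.Patched -and $state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'Unpatched host accepts unauthenticated RDP sessions: mitigate now.'
}

if ($Enforce) {
    # Require NLA: the session must be authenticated before it is created.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Output 'Network Level Authentication is now required for RDP-Tcp.'
    if ($DisableRdp) {
        # Only for hosts where Remote Desktop is not used at all.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        Stop-Service -Name TermService -Force
        Set-Service  -Name TermService -StartupType Disabled
        Write-Output 'Remote Desktop disabled and TermService stopped.'
    }
}
```

Run it once without switches to get a report, then with `-Enforce` (and `-DisableRdp` on hosts that never use Remote Desktop) after confirming the change on a test machine; requiring NLA changes nothing for clients that already authenticate, but older RDP clients that cannot do NLA will be refused, so the report-first step is the one to keep.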