Nearly 1 Million Computers Still Vulnerable to “Wormable” BlueKeep RDP Flaw

Posted by & filed under Security Alerts.

Nearly 1 Million Computers Still Vulnerable to “Wormable” BlueKeep RDP Flaw
Nearly 1 million Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP)—two weeks after Microsoft releases the security patch.
If exploited, the vulnerability could allow an attacker to easily cause havoc around the world, potentially much worse than what WannaCry and NotPetya like wormable attacks did in 2017.
Dubbed BlueKeep and tracked as CVE-2019-0708, the vulnerability affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions and could spread automatically on unprotected systems.
The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code and take control of a targeted computer just by sending specially crafted requests to the device’s Remote Desktop Service (RDS) via the RDP—without requiring any interaction from a user.

Describing the BlueKeep vulnerability as being Wormable that could allow malware to propagate to vulnerable systems just like WannaCry, Microsoft released a security fix to address the vulnerability with its May 2019 Patch Tuesday updates.
The BlueKeep vulnerability has so much potential to wreak havoc worldwide that it forced Microsoft to release patches for not only the supported Windows versions but also Windows XP, Windows Vista and Windows Server 2003, which no longer receive mainstream support from the company but are still widely used.
Not just researchers, malicious hackers and cybercriminals have also started scanning the Internet for vulnerable Windows systems to target them with malware, GreyNoise Intelligence said.
“GreyNoise is observing sweeping tests for systems vulnerable to the RDP “BlueKeep” (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor,” the tweet says.”
However, fortunately, so far no security researcher has yet publicly published any proof-of-concept exploit code for BlueKeep, though a few of them have confirmed to have successfully developed a working exploit.
If fixing the flaw in your organisation is not possible anytime soon, please follow the mitigation steps below.
Mitigations Steps:
  1. Disable RDP services, if not required.
  2. Block port 3389 using a firewall or make it accessible only over a private VPN.
  3. Enable Network Level Authentication (NLA) – this is partial mitigation to prevent any unauthenticated attacker from exploiting this Wormable flaw.

 

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.