What Is the BlueKeep Vulnerability?
BlueKeep is a software vulnerability that affects older versions of Microsoft Windows. Also known as CVE-2019-0708, it came to light in 2019 and is a “wormable” remote code execution vulnerability; it was first noted by the UK National Cyber Security Centre and reported by Microsoft on 14 May 2019.
Its risk is significant, as it attacks an operating system’s Remote Desktop Protocol (RDP), which can be used by attackers to take control of an affected system.
Originally, BlueKeep was limited to researchers modeling the risk, but in November 2019, it was discovered that threat actors were also using it to install cryptocurrency mining code on vulnerable machines.
British researcher Kevin Beaumont found the attacks through honeypots he had set up to alert him to any exploitation of the vulnerability. The attacks used a demo exploit that attempted to install crypto miners on unpatched devices, but the exploit was flawed, so it only crashed the targeted computers rather than successfully installing the miner.
How Does BlueKeep Work?
According to Microsoft, the BlueKeep vulnerability allows threat actors to send specially crafted packets to one of the Windows OSs that have RDP enabled. After successfully sending the packets, the threat actor would have the ability to perform a number of actions such as:
- Adding accounts with full user rights;
- Viewing, changing, or deleting data;
- Installing applications.
BlueKeep is considered to be “wormable” because malware exploiting it on a system could propagate to other vulnerable systems. Thus, a BlueKeep exploit is capable of rapidly spreading in a similar fashion to the WannaCry malware attacks.
Potential Risks and Impacts
BlueKeep still represents a risk to anyone who uses unsupported Windows operating systems. Attackers exploiting BlueKeep could compromise any machine that does not have the appropriate patches or updates installed.
Another risk associated with the vulnerability is its “wormable” characteristic. The fact that Microsoft has labeled BlueKeep as wormable means that the threat could spread widely without any user interaction. To have an idea about the destructive capabilities of wormable vulnerabilities, we can take the famous example of WannaCry.
Similar to BlueKeep, the WannaCry crypto-ransomware also targeted Windows devices. It exploited a weakness in the Windows OS that allowed it to install malware through a backdoor called DoublePulsar and, from there, spread from one computer to another using an exploit known as EternalBlue.
To protect vulnerable devices against WannaCry, Microsoft quickly released a patch, which many users and organizations ignored, leaving their machines exposed to the threat. Through WannaCry, the threat actors could encrypt files on a computer and lock users out of their devices. Then, the attackers would demand a ransom to unlock their data and device. Around 230,000 computers were affected by the vulnerability worldwide. The losses associated with WannaCry amount to around $4 billion.
Had users stopped using out-of-date Windows computers and updated their cybersecurity practices, the devastation inflicted by WannaCry would have been prevented. This is a strong warning to any user or organization that has not yet patched and upgraded their systems.
Being affected by a vulnerability similar to BlueKeep or WannaCry would put businesses and critical infrastructure (particularly in sectors such as healthcare, finance, and government) at serious risk of data breaches, financial losses, and disruption of services.
How to Protect Against BlueKeep?
Its ability to spread from system to system without any human intervention makes BlueKeep a dangerous exploit. To protect themselves, users and businesses can take the following steps:
1. Patch Insecure Machines
Failure to update systems exposes users’ data to theft and, if the device is a business computer, exposes confidential company data. Patching is the most efficient practice users and businesses can employ to protect themselves, not only from BlueKeep but from all sorts of dangers. Microsoft has made security fixes available to close this vulnerability. Additionally, Microsoft has made patches available for a variety of legacy software that are no longer maintained by the company, such as Windows Vista, Windows XP, and Windows Server 2003.
2. Update to a Newer Windows Version
BlueKeep affects Windows versions up to Windows 7, so updating to a version newer than Windows 7 protects your system against it.
3. Block Transmission Control Protocol (TCP) Port 3389
Because port 3389 is used to initiate an RDP session, blocking it at the enterprise perimeter firewall prevents an attacker from exploiting BlueKeep from outside the user’s network. Keep in mind, though, that this will also block legitimate RDP sessions from outside and does not prevent unauthenticated sessions from being initiated inside the network.
4. Enable Network Level Authentication
Organizations can enable Network Level Authentication (NLA), which requires a client to authenticate before a remote desktop session is established, giving them control over the users who connect to their systems and preventing unauthorized access to their data and resources. This also helps block unauthorized users looking to exploit the BlueKeep vulnerability to attack the organization.
5. Educate Users
In addition to patching systems, installing the latest software, and protecting networks, it is also critical to be aware of the latest risks in the cybersecurity threat landscape. Users must make sure they understand the hazards they are exposed to and are able to recognize the warning signs of a potential cyberattack.
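The host-side parts of steps 1, 3 and 4 above can be applied and verified with a short script. The following is an added example, not Heimdal’s code or a Microsoft tool: it enables NLA through the RDP-Tcp registry key, scopes the built-in “Remote Desktop” firewall rule group to an allowed source range as a host-level complement to the perimeter block, optionally disables incoming RDP altogether, and reports whether the patch is present. The function name, its parameters and the `-PatchKB` placeholder are assumptions; the KB number itself must be taken from Microsoft’s CVE-2019-0708 advisory for the OS in question. It assumes Windows Vista / 7 / Server 2008 (R2), PowerShell 2.0 or later, and an elevated prompt.

```powershell
# Added example (not from the article): apply host-side BlueKeep mitigations to the local machine.
# Assumes Vista/7/Server 2008 (R2) with netsh advfirewall, PowerShell 2.0+, run elevated.
# Function name and parameters are hypothetical.
function Set-BlueKeepMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Placeholder: take the KB for this OS from Microsoft's CVE-2019-0708 advisory.
        [Parameter(Mandatory = $true)][string]$PatchKB,
        # Source ranges still allowed to reach TCP 3389 (e.g. a management subnet). Empty = leave firewall alone.
        [string[]]$AllowedRdpSources = @(),
        # Use when the host does not need RDP at all: refuses incoming RDP connections entirely.
        [switch]$DisableRdp
    )
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Step 1: the patch is the real fix; everything below only reduces exposure until it is installed.
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    if (-not $patched) { Write-Warning "$PatchKB is not installed; the host stays vulnerable until it is." }

    # Step 4: require Network Level Authentication so unauthenticated clients never get a session.
    if ($PSCmdlet.ShouldProcess($rdpTcp, 'Enable NLA (UserAuthentication=1)')) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    }

    # Step 3 (host-level complement to the perimeter block): restrict the built-in "Remote Desktop"
    # rule group to the allowed sources; the default inbound policy blocks every other source.
    if ($AllowedRdpSources.Count -gt 0) {
        $scope = $AllowedRdpSources -join ','
        if ($PSCmdlet.ShouldProcess('Windows Firewall', "Scope 'Remote Desktop' rule group to $scope")) {
            netsh advfirewall firewall set rule group="remote desktop" new remoteip=$scope | Out-Null
        }
    }

    if ($DisableRdp -and $PSCmdlet.ShouldProcess($tsRoot, 'Disable incoming RDP (fDenyTSConnections=1)')) {
        Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 1 -Type DWord
    }

    # Report the resulting posture so the change can be verified and recorded.
    New-Object PSObject -Property @{
        Patched    = $patched
        NlaEnabled = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
        RdpEnabled = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections -eq 0
    }
}

# Example run; preview the changes first with -WhatIf:
# Set-BlueKeepMitigation -PatchKB 'KB<from-advisory>' -AllowedRdpSources '10.0.0.0/24' -WhatIf
```

Because the function supports `ShouldProcess`, `-WhatIf` lists every registry and firewall change without applying it, which is how a practitioner should run it first. Scoping the existing rule group rather than adding a blanket block rule matters: in Windows Firewall a block rule wins over any allow rule, so a block for “any” source would also cut off the management subnet.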
How Can Heimdal® Help You?
The most effective way to keep your business protected from BlueKeep and other vulnerabilities is to keep your systems updated with the latest patches available. Relying on manual patching can prove inefficient, especially for organizations with a large number of endpoints, as it ties up resources and is more prone to errors.
Heimdal®’s Patch & Asset Management software is a fully automated patch management solution that will ensure your organization is well-protected from the latest emerging vulnerabilities.
With our solution in place, you will be able to:
- Patch Windows, Linux, macOS, Third-Party, and even proprietary apps, all in one place;
- Generate software and assets inventories;
- Easily achieve compliance with automatically generated detailed reports (GDPR, UK PSN, HIPAA, PCI-DSS, NIST);
- Automatically conduct vulnerability management processes;
- Close vulnerabilities, mitigate exploits, and deploy updates both globally and locally, anytime, from anywhere in the world;
- Customize the solution to fit the needs of your organization.
Upgrade your patching practices and run your business free from the dangers posed by unknown vulnerabilities!
Heimdal® Patch & Asset Management
- Create policies that meet your exact needs;
- Full compliance and CVE/CVSS audit trail;
- Gain extensive vulnerability intelligence;
- And much more than we can fit in here...
F.A.Q.
What Windows Versions Are Affected by the BlueKeep Vulnerability?
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
How Does the BlueKeep Exploit Work?
BlueKeep allows unauthorized remote users to send specially crafted packets to one of the Windows OSs that have RDP enabled and perform unauthorized actions.
How to Check for BlueKeep Vulnerability?
You can check whether your systems are vulnerable to BlueKeep by conducting a network scan or by using one of the available dedicated BlueKeep detection tools.
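An inventory-style check that needs no exploit traffic at all is to ask each host, over WMI, which OS family it runs, whether RDP and NLA are enabled, and whether the patch is installed, then rate its exposure. The following is an added example, not Heimdal’s code or one of the dedicated detection tools the FAQ refers to. It uses `Get-WmiObject` (DCOM) rather than `Get-CimInstance` so that it also reaches the old XP/2003-era hosts in the affected list, which have no WinRM. The function name, the `-PatchKB` placeholder and the assumption that the caller has local administrator rights on the targets are all assumptions; the KB number must come from Microsoft’s CVE-2019-0708 advisory for each OS family.

```powershell
# Added example (not from the article): inventory check for BlueKeep exposure across a host list,
# using WMI over DCOM so old systems without WinRM can be queried. Assumes local admin rights on
# the targets. Function name, parameters and the PatchKB placeholder are assumptions.
function Get-BlueKeepExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        # Placeholder: take the KB for each OS family from Microsoft's CVE-2019-0708 advisory.
        [Parameter(Mandatory = $true)][string]$PatchKB
    )
    # OS families listed as affected in the FAQ, keyed by Win32_OperatingSystem.Version "major.minor".
    $affected = @{
        '5.0' = 'Windows 2000'
        '5.1' = 'Windows XP'
        '5.2' = 'Windows XP x64 / Server 2003 (R2)'
        '6.0' = 'Windows Vista / Server 2008'
        '6.1' = 'Windows 7 / Server 2008 R2'
    }
    $tsNs = 'root\cimv2\TerminalServices'

    foreach ($target in $ComputerName) {
        $r = New-Object PSObject -Property @{
            ComputerName = $target; OS = $null; AffectedFamily = $false
            RdpEnabled = $null; NlaEnabled = $null; Patched = $null; Exposure = 'Unknown'; Error = $null
        }
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
            $r.OS = $os.Caption
            $majorMinor = ($os.Version -split '\.')[0..1] -join '.'
            $r.AffectedFamily = $affected.ContainsKey($majorMinor)

            # Is the RDP listener accepting connections at all?
            $ts = Get-WmiObject -Namespace $tsNs -Class Win32_TerminalServiceSetting `
                  -ComputerName $target -ErrorAction Stop
            $r.RdpEnabled = [bool]$ts.AllowTSConnections

            # NLA state of the RDP-Tcp listener. The property is absent on XP/2003, which cannot
            # require NLA, so a missing value correctly reads as "not enabled".
            $gen = Get-WmiObject -Namespace $tsNs -Class Win32_TSGeneralSetting `
                   -Filter "TerminalName='RDP-Tcp'" -ComputerName $target -ErrorAction Stop
            $r.NlaEnabled = ($gen.UserAuthenticationRequired -eq 1)

            $r.Patched = [bool](Get-WmiObject -Class Win32_QuickFixEngineering `
                                -Filter "HotFixID='$PatchKB'" -ComputerName $target -ErrorAction Stop)

            # Rate exposure: the patch removes the bug; RDP off or NLA on only narrows the path to it.
            $exposure = if (-not $r.AffectedFamily -or $r.Patched) { 'Not vulnerable' }
                        elseif (-not $r.RdpEnabled) { 'Vulnerable, RDP disabled' }
                        elseif ($r.NlaEnabled) { 'Vulnerable, NLA only' }
                        else { 'EXPOSED' }
            $r.Exposure = $exposure
        } catch {
            # Unreachable host, access denied or a missing WMI class: report it rather than skipping it.
            $r.Error = $_.Exception.Message
        }
        $r
    }
}

# Example run against two constructed host names:
# Get-BlueKeepExposure -ComputerName 'ws01', 'srv-old-02' -PatchKB 'KB<from-advisory>' |
#     Format-Table ComputerName, OS, RdpEnabled, NlaEnabled, Patched, Exposure, Error
```

Hosts that come back with an `Error` deserve as much attention as those marked `EXPOSED`: a machine that cannot be queried is usually one that nobody has been patching either. Note that `Win32_QuickFixEngineering` only lists updates that register as hotfixes, so a host reported as unpatched should be confirmed against Windows Update history before being treated as vulnerable.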