Microsoft and now the National Security Agency (NSA) have issued extra alarms warning Windows admins apply Microsoft’s May patch for Bluekeep, a flaw in Windows Remote Desktop Services (RDS) that malware can potentially use it to automatically propagate throughout networks from one vulnerable PC to another and so on.
The NSA on Tuesday urged Windows admins to ensure they’re running patched and updated systems, noting that “potentially millions” of Windows 7, Windows XP, Server 2003 and 2008 are still vulnerable, despite the patch being available for over a fortnight. Microsoft released the fix in the May 14, 2019 Patch Tuesday update.
Microsoft even offered patches for unsupported Windows XP, fearing the bug could be used to the same devastating effect that the NSA’s leaked EternalBlue exploit was in WannaCry and later NotPetya in mid and late 2017, respectively. The NSA espionage tool exploited a set of SMBv1 vulnerabilities that Microsoft released patches for in March 2017, shortly before they leaked by advanced and presumed Russian government hacking group, ShadowBrokers.
Bluekeep, which is tracked as CVE-2019-0708, was reported to Microsoft by the UK’s by the UK’s National Cyber Security Centre (NCSC), the branch of UK spy agency GCHQ that helps private and public sector organizations bolster cyber security defenses.
Microsoft in mid-May warned that it was “highly likely” the RDS bug will be exploited in malware imminently. At the end of May, it reiterated its call for admins to update Windows, following a report by US cybersecurity expert Robert Graham, who found that one million machines accessible on the Internet were vulnerable to Bluekeep.
Graham's assessment suggests it's a matter of when not if this bug will be exploited by attackers, be they cybercriminals or state-sponsored, and the impact could be dire.
“That means when the worm hits, it'll likely compromise those million devices,” warned Graham. "This will likely lead to an event as damaging as WannaCry and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.”
Microsoft warned that many more than one million machines could be vulnerable due to unaccounted machines within corporate networks that Graham's mass Internet scan identified.
“We strongly advise that all affected systems should be updated as soon as possible,” said Simon Pope, director of incident response at the Microsoft Security Response Center.
As a reminder for why immediate patching is necessary, Pope detailed the speed at which WannaCry hit networks after Microsoft’s March 14, 2017 patch for vulnerabilities exploited by EternalBlue.
ShadowBrokers leaked EternalBlue exactly one month after the patch, and within a month from that WannaCry infected around 300,000 vulnerable Windows machines across the world. The West blamed WannaCry on North Korean hackers, while notPetya was pinned on Russian state-sponsored hackers.
The NSA for its part makes a vague reference to EternalBlue in its advisory and why it’s now so important to take heed of Microsoft’s warnings to patch Windows.
“We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw,” the NSA says in its advisory.
“NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems,” the US spy agency added.
Beyond installing Microsoft’s patches, the NSA also recommends implementing firewall blocks on TCP Port 3389, which is used by the the Remote Desktop Protocol. It also recommends enabling Network Level Authentication (NLA) and to disable remote Desktop Services if they’re not needed.
The NSA warning followed the emergence of several proof-of-concept (PoC) exploit codes for the BlueKeep flaw. Security firm McAfee said its PoC code could achieve remote code execution on machines with RDP enabled. The NSA's recommended NLA defense would work unless the attacker has already somehow gained credentials, it warned.
"It is extremely likely malicious actors have weaponized this bug and exploitation attempts will likely be observed in the wild in the very near future.," McAfee researchers warned.