Remember the ransomware worm WannaCry back in 2017? After the carnage and financial damage it caused two years ago, the threat might be back again. Microsoft recently announced a vulnerability in legacy operating systems that has a high potential of being exploited. The vulnerability is in Remote Desktop Services (formerly known as Terminal Services) and can be exploited remotely with no authentication required. It affects Windows XP, Server 2003, Windows 7, Server 2008 and Server 2008 R2.
This new WannaCry-like vulnerability is wormable: it is exploitable before authentication, requires no user interaction, and malware exploiting it can jump from vulnerable machine to vulnerable machine. The vulnerability was seen as so severe that, in an effort to mitigate the risk, Microsoft took the uncommon step of releasing patches for unsupported operating systems, including Windows XP and Server 2003.
Unlike WannaCry, this threat is seen as extremely easy to exploit. It took a leaked NSA tool to exploit the WannaCry vulnerability, whereas the fear with this one is that it will be much easier to take advantage of. With a patch now available, you can bet there are cyber adversaries out there reverse engineering the patch, getting ready to exploit organisations and individuals alike.
According to recent data released by StatCounter, 19 percent of desktop machines in Australia still run an affected OS. It is much harder to ascertain the size of the exposure on the server side, as most servers are not internet-facing and so do not appear in these statistics. Many of these older servers are Citrix server-based computing environments, all of which will be running RDS.
On May 30th, Simon Pope, Director of Incident Response at the Microsoft Security Response Center, issued a reminder urging everyone to update their systems as soon as possible. He reiterated that over 1 million internet-connected systems are vulnerable to the BlueKeep vulnerability.
Though a couple of weeks have elapsed since the vulnerability was discovered, Microsoft has warned customers that cybercriminals often don't move that quickly. In the last incident, two months passed between the discovery of EternalBlue, the vulnerability that allowed WannaCry to take place, and its exploitation. Interestingly, many customers didn't patch their systems despite having a window of 60 days.
This week, Check Point Research reported that scanning of internet-connected devices had increased from a range of countries; such scanning is commonly a precursor to attack.
So what's the answer? You had better get patching as soon as possible.
With the latest versions of Microsoft SCCM not supporting Windows XP and Server 2003, the job is going to be more difficult. Does this mean manual patching? Not necessarily.
To avoid the kinds of cyber-attacks that create headaches and headlines, organisations need to urgently update devices, servers and other assets. For those who have not patched BlueKeep yet, it is only a matter of time before the first malicious exploit is distributed. Organisations need to make sure their environments do not contribute to a repeat of the historical toll that WannaCry inflicted.
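Where SCCM cannot reach the legacy estate, a first step is simply knowing which hosts are exposed. The following PowerShell script is an added example, not code from the original article or from Microsoft: run from a current admin workstation, it queries each host over WMI (which works against XP and Server 2003 without PowerShell on the target), flags hosts running one of the affected OS versions listed above, checks whether the Remote Desktop Services service is running, and checks whether a given update is installed. The host list is constructed, and the KB identifier is a placeholder to be replaced with the update number from Microsoft's advisory for each OS.

```powershell
# Added example, not part of the original article.
# Inventory hosts for BlueKeep exposure: affected OS version, RDS service state,
# and whether the fix is installed. Requires WMI/DCOM access to each host.

$Hosts = @('legacy-xp-01', 'citrix-2003-02', 'win7-desk-09')   # constructed sample list
$FixKb = 'KB0000000'   # PLACEHOLDER: use the KB number from Microsoft's advisory for the OS

# Kernel versions of the operating systems the article lists as affected
# (6.0 also matches Windows Vista, which shares the Server 2008 kernel)
$AffectedVersions = @{
    '5.1' = 'Windows XP'
    '5.2' = 'Windows Server 2003'
    '6.0' = 'Windows Server 2008'
    '6.1' = 'Windows 7 / Server 2008 R2'
}

function Get-BlueKeepExposure {
    param([string]$ComputerName)

    $result = [ordered]@{
        Host = $ComputerName; OS = $null; Affected = $false
        RdsRunning = $null; FixInstalled = $null; Error = $null
    }
    try {
        # OS caption and version, e.g. "5.2.3790" for Server 2003
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $major, $minor = $os.Version.Split('.')[0..1]
        $result.OS = $os.Caption
        $result.Affected = $AffectedVersions.ContainsKey("$major.$minor")

        # TermService is the Remote Desktop Services / Terminal Services service
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'" `
            -ComputerName $ComputerName -ErrorAction Stop
        $result.RdsRunning = ($svc -ne $null -and $svc.State -eq 'Running')

        # Installed updates are exposed through Win32_QuickFixEngineering
        $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='$FixKb'" `
            -ComputerName $ComputerName -ErrorAction Stop
        $result.FixInstalled = ($hotfix -ne $null)
    }
    catch {
        # Unreachable hosts are reported rather than silently dropped
        $result.Error = $_.Exception.Message
    }
    New-Object PSObject -Property $result
}

$report = foreach ($h in $Hosts) { Get-BlueKeepExposure -ComputerName $h }

# Affected, unpatched hosts with RDS running go to the top of the patch queue
$report |
    Sort-Object -Property @{ Expression = { $_.Affected -and $_.RdsRunning -and -not $_.FixInstalled }; Descending = $true } |
    Format-Table -AutoSize
$report | Export-Csv -Path .\bluekeep-exposure.csv -NoTypeInformation
```

Hosts that show an error are just as important as those flagged affected: a machine that cannot be inventoried cannot be assumed patched, so it belongs on the list to be checked by hand.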
This vulnerability is severe enough that Microsoft issued a second advisory urging everyone to patch as soon as possible. A second advisory for the same vulnerability is rare, and indicates the severity and urgency of resolving it. By not patching, organisations risk exposing customer data, losing critical services and violating internal and external compliance requirements.
Legacy systems are the primary targets: they have been around for a long time, giving cybercriminals ample time to identify and discover vulnerabilities in them. The 2017 WannaCry ransomware attack that hit hundreds of thousands of computers exploited known Microsoft Windows vulnerabilities and was virulent.
Although organisations can significantly reduce their attack surface by patching quickly, correctly and across all assets, doing so can be complicated, time-consuming and error-prone. Automating the patching process and integrating critical security controls through a third-party expert will therefore help organisations improve their security posture.