Expert: Patch Bluekeep Now or Face WannaCry Scenario

The flaw known as BlueKeep could be as dangerous as EternalBlue, the basis of recent malware like WannaCry, according to a report by BitSight.


The recently disclosed BlueKeep flaw has the potential to be as destructive as, or worse than, the SMB flaw exploited by EternalBlue, the exploit behind the WannaCry ransomware, and it is critical for organizations to patch affected systems now to avoid a dire scenario, new research advises.

Researchers at security- and risk-management firm BitSight Technologies evaluated the potential effect of the worm-friendly BlueKeep, and said it’s likely only a matter of time before someone exploits the vulnerability for widespread damage.

BlueKeep, disclosed and patched by Microsoft in the same release as part of last month's Patch Tuesday, is a pre-authentication vulnerability in Windows Remote Desktop Services that poses a threat to a large population of Internet-connected systems, including medical devices and other endpoints connected to the "Internet of Things."


Now is a critical time for organizations exposed to the BlueKeep vulnerability to patch it, BitSight said, pointing to the EternalBlue timeline: WannaCry appeared roughly two months after Microsoft published the advisory and patch for the flaw EternalBlue exploits.

“We believe that the way companies will handle this issue in the next few weeks can provide valuable insight into their cybersecurity posture,” BitSight researchers wrote in their report.


BlueKeep is particularly dangerous because it is wormable, like the SMBv1 flaw behind EternalBlue, which Microsoft patched in March 2017. Although that patch had been available for two months, the EternalBlue exploit code powered the devastating WannaCry malware, which still spread widely and caused billions in financial damages globally.

“BlueKeep, much like EternalBlue, allows for attackers to remotely exploit a system without user interaction,” Dan Dahlberg, director of security research at BitSight, told Security Ledger. “This sets up an environment that is ripe for a malware family, like a worm, to be able to remotely exploit organizations with little effort.”

Patch now!

Aware of the threat, Microsoft has repeatedly warned its customers to patch their systems, and has even taken the “unusual step” of providing “fixes for operating systems that have long been in ‘End of Life’ unsupported status, namely Windows XP and Windows Server 2003,” BitSight researchers observed.

Officially tracked as CVE-2019-0708, BlueKeep lets an unauthenticated attacker execute arbitrary code on a target system by sending specially crafted requests to the Remote Desktop Services listener (TCP port 3389 by default), and then take complete control of that system, including the ability to install programs; view, change, or delete data; or create new accounts with full user rights.

Organizations also need to be aware that BlueKeep serves a dual purpose: it is an initial infection vector for organizations that expose RDP externally, and it is a means of spreading to other systems internally once an attacker is inside, Dahlberg noted. That should shape the order in which systems are patched for optimal defense, he said.


“Some organizations will only focus on patching externally-exposed systems, but patching internal systems is just as important as was demonstrated through the WannaCry outbreak, as well as other malware families that used a combination of vulnerabilities to spread,” he said.

BlueKeep by the numbers

In its research, BitSight examined the number of systems the company believes are vulnerable to BlueKeep, those believed already patched as well as various demographics for the systems exposed to the vulnerability.

The company, quoting statistics from security researcher Robert Graham of Errata Security, said that, as previously estimated, nearly 1 million (around 973,000) Internet-exposed systems remain vulnerable to BlueKeep, while about 1.6 million have already been patched. A further 1.4 million systems expose RDP externally with Network Level Authentication (NLA) enabled; NLA blocks unauthenticated exploitation of the flaw, so those hosts were counted as not vulnerable, although an attacker holding valid credentials could still reach the vulnerable code on an unpatched host.

Of countries with the highest number of existing vulnerable systems, China topped the list, followed by the United States, Germany, Brazil, Russia and France. The number of patched systems varied in those countries, with about half of the vulnerable systems in China, Brazil and Russia currently patched; and three-fourths of the vulnerable systems in Germany, France and the United States already patched.

BitSight also broke down vulnerable systems by industry sector in its research. Telecommunications was the top industry affected, followed by education, technology, utilities, government/politics and transportation.

Mitigating risk

BitSight said it will continue to monitor how companies respond to BlueKeep and observe the patching response, making further updates on the situation as needed.

The company stressed that while vulnerabilities are “an inevitability of running a modern business,” managing and responding to these issues “is the distinguishing factor for security resilient businesses.”


In addition to patching, BitSight recommends the mitigations other researchers advised when BlueKeep was disclosed. The steps that help keep a worm leveraging the vulnerability from infecting a system or network are:

● Block TCP port 3389 at firewalls, especially perimeter firewalls exposed to the Internet. This is the default RDP port, so blocking it stops connection attempts from outside; it does not protect hosts from an attacker already inside the network, nor hosts running RDP on a non-default port.

● Enable Network Level Authentication (NLA), which forces the client to authenticate before a session is set up, so an attacker needs valid credentials to reach the vulnerable code. NLA is a mitigation, not a substitute for the patch.

● Disable Remote Desktop Services where they are not required. This reduces exposure to security vulnerabilities in general and is a best practice even without the BlueKeep threat.
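The probe below is an added example, not code from BitSight, Errata Security or Microsoft. It performs the single negotiation step that lets an inventory scan count NLA-enforcing hosts separately from exposed ones (the distinction behind the figures in the "by the numbers" section above), and it doubles as an external check that the three mitigations just listed actually took effect: a blocked port or disabled service shows up as unreachable, an NLA-enforcing host rejects a standard-security request with HYBRID_REQUIRED_BY_SERVER, and any other reply means the unauthenticated pre-session path is still open. It sends no exploit traffic and cannot tell whether a host is patched. The function names and the sample replies are the editor's own constructions.

```python
"""Classify an RDP listener by its reply to X.224 connection negotiation.

Sends an X.224 Connection Request asking for standard RDP security
(requestedProtocols = PROTOCOL_RDP) and parses the RDP Negotiation Response
or Failure the server returns (MS-RDPBCGR 2.2.1.1 and 2.2.1.2). A server
enforcing Network Level Authentication rejects that request with
HYBRID_REQUIRED_BY_SERVER before any session state exists. No exploit
traffic is sent. Added example: names and sample replies are constructed
by the editor, not code from BitSight, Errata Security or Microsoft.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS only: still no authentication before session setup
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

# Labels for which an attacker without credentials gets past negotiation into session setup.
UNAUTHENTICATED_PATH_REACHABLE = {"standard_rdp_accepted", "tls_selected", "legacy_no_negotiation"}

# Constructed sample replies (not captured from any real host).
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")  # RDP_NEG_FAILURE, code 5
SAMPLE_STANDARD_RDP = bytes.fromhex("030000130ed000001234000200080000000000")  # RDP_NEG_RSP, PROTOCOL_RDP
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                        # Connection Confirm, no rdpNegData


def build_x224_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP Negotiation Request."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224_body = struct.pack("!BHHB", 0xE0, 0, 0, 0) + neg_req           # CR code, DST-REF, SRC-REF, class
    x224 = struct.pack("!B", len(x224_body)) + x224_body                # length indicator first
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224              # TPKT: version 3, reserved, length


def classify_negotiation_response(data):
    """Map a raw reply (TPKT + X.224 Connection Confirm) to a short label."""
    # TPKT(4) + LI(1) + CC code(1) + DST-REF(2) + SRC-REF(2) + class(1) = 11 bytes minimum
    if len(data) < 11 or data[0] != 3:
        return "malformed"
    tpkt_len = struct.unpack("!H", data[2:4])[0]
    if tpkt_len > len(data) or data[5] != 0xD0:   # truncated, or not a Connection Confirm
        return "malformed"
    neg = data[11:19]
    if len(neg) < 8:
        # A Connection Confirm without rdpNegData comes from a server that predates
        # negotiation: only standard RDP security exists there, so no NLA either.
        return "legacy_no_negotiation"
    ntype, _flags, nlen, value = struct.unpack("<BBHI", neg)
    if nlen != 8:
        return "malformed"
    if ntype == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "nla_required"
        return "negotiation_failure:" + FAILURE_CODES.get(value, str(value))
    if ntype == TYPE_RDP_NEG_RSP:
        return {PROTOCOL_RDP: "standard_rdp_accepted", PROTOCOL_SSL: "tls_selected",
                PROTOCOL_HYBRID: "nla_selected"}.get(value, "unknown_protocol:%d" % value)
    return "unknown_negotiation_type:%d" % ntype


def unauthenticated_path_reachable(label):
    """True when the pre-authentication path BlueKeep lives in is open from the probe's
    vantage point. 'nla_required' is False, but such hosts still need the patch."""
    return label in UNAUTHENTICATED_PATH_REACHABLE


def _recv_tpkt(sock):
    """Read one TPKT-framed PDU: the 4-byte header, then the bytes it announces."""
    header = b""
    while len(header) < 4:
        chunk = sock.recv(4 - len(header))
        if not chunk:
            return header
        header += chunk
    total = struct.unpack("!H", header[2:4])[0]
    body = b""
    while len(body) < total - 4:
        chunk = sock.recv(total - 4 - len(body))
        if not chunk:
            break
        body += chunk
    return header + body


def classify_host(host, port=3389, timeout=5.0):
    """Probe one live host. 'unreachable' covers closed and filtered ports alike."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_x224_connection_request(PROTOCOL_RDP))
            reply = _recv_tpkt(sock)
    except OSError:
        return "unreachable"
    return classify_negotiation_response(reply)


if __name__ == "__main__":
    targets = sys.argv[1:]   # only probe hosts you are authorized to scan
    samples = [("nla", SAMPLE_NLA_REQUIRED), ("std", SAMPLE_STANDARD_RDP), ("legacy", SAMPLE_LEGACY)]
    for name, label in ([(h, classify_host(h)) for h in targets] or
                        [(n, classify_negotiation_response(r)) for n, r in samples]):
        print(name, label, "unauthenticated path reachable:", unauthenticated_path_reachable(label))
```

Run it with one or more hostnames as arguments to probe live hosts; with no arguments it classifies the constructed sample replies. Hosts labelled nla_required are protected only against attackers without credentials and still need the patch, and an unreachable result from the Internet says nothing about the same host's reachability from inside the network, which is the point Dahlberg makes above about internal patching.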