The Australian Cyber Security Centre is aware of Microsoft’s recent disclosure of a remote desktop vulnerability called CVE-2019-0708, also known as BlueKeep.
As an indication of just how significant the impacts of BlueKeep can be to their customers, Microsoft took the unusual step of publishing advice to warn of its ability to propagate or ‘worm’ through vulnerable computer systems, with no user interaction at all.
The ACSC notified our government and critical infrastructure partners across Australia with an advisory, including detailed mitigation advice for businesses who rely on legacy Windows operating systems.
With potentially millions of networks vulnerable, we’re now notifying smaller entities, and owners and operators of businesses around Australia, of the need to patch your systems as soon as possible.
Potential for mass exploitation of vulnerable systems
Every few years there is a software vulnerability that has the potential for significant, widespread harm around the world.
Almost two years ago to the day, on 14 May 2017, there was WannaCry – a form of ransomware that exploited a critical vulnerability in Microsoft operating systems.
The WannaCry virus spread rapidly across the world, disrupting the National Health Service in the United Kingdom and crippling automotive and telecommunications companies in Europe.
Impacts to the global economy may never be fully understood, but estimates suggest hundreds of millions of dollars in lost revenue and repair bills.
Today the BlueKeep vulnerability is readily available to cyber criminals who seek to exploit vulnerable systems en masse. These criminal groups are not necessarily targeting unsuspecting users; they’re simply sweeping the landscape for vulnerable, outdated systems that are easily penetrable.
An unpatched Remote Desktop Protocol (RDP) service is likely exposed and potentially exploitable. BlueKeep applies to both externally and internally facing RDP, so it also enables actors to move laterally across a network.
Criminal groups can also use this vulnerability to conduct denial of service attacks on unprotected systems.
Protect your systems now
While intent is often hard to determine, prevention is thankfully simple to implement – patch, patch, patch, monitor your networks, and then patch some more.
Microsoft’s advisory provides fixes for vulnerable in-support systems including Windows 7, Windows Server 2008 R2 and Windows Server 2008, and for out-of-support systems including Windows 2003 and Windows XP.
The Australian Cyber Security Centre advises Windows users to:
Deny access to Remote Desktop Protocol (RDP) directly from the internet
- Block all access to RDP, and
- Utilise a VPN with multifactor authentication, if internet-based access to RDP is required
Limit internal network machine to machine RDP
- Apply appropriate internal network segmentation,
- Prevent standard workstations from arbitrarily connecting to servers or other workstations over RDP (or any other unnecessary protocol), and
- Limit RDP to servers; consider using a jump box to connect to other servers.
Consider enabling “Network Level Authentication”, which adds a pre-exploitation hurdle.
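As an added example that is not part of the ACSC advisory, the following PowerShell script audits a single Windows host against the mitigations above: whether RDP is enabled and on which port, whether the CVE-2019-0708 update is installed, and whether Network Level Authentication is required, optionally switching NLA on. The KB number is an assumption left as a placeholder to be taken from Microsoft’s advisory for the host’s operating system; the registry paths and cmdlets are the standard Windows ones and the script must run as Administrator.

```powershell
# Added example, not the ACSC's or Microsoft's code. Audits one host for the
# BlueKeep mitigations: RDP exposure, patch status and Network Level Authentication.
param(
    [string]$PatchKB = 'KB-PLACEHOLDER',  # assumption: substitute the CVE-2019-0708 KB for this OS
    [switch]$EnforceNLA                   # when set, require NLA if it is currently off
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"
$findings = @()

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are accepted.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if ($rdpEnabled) {
    $findings += "RDP is enabled on TCP $port; confirm it is blocked from the internet and segmented internally"
}

# 2. Is the CVE-2019-0708 update present? Get-HotFix lists installed Windows updates by KB id.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
if (-not $patched) { $findings += "Update $PatchKB not found; patch this host before anything else" }

# 3. Is Network Level Authentication required? UserAuthentication = 1 means the client
#    must authenticate before a session is created, which is the pre-exploitation hurdle.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)
if (-not $nlaRequired) {
    $findings += 'NLA is not required'
    if ($EnforceNLA) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        $nlaRequired = $true
        $findings += 'NLA has now been enabled; applies to new connections'
    }
}

# 4. Report. A host with RDP enabled, no patch and no NLA is the worst case for BlueKeep.
[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    RdpEnabled  = $rdpEnabled
    RdpPort     = $port
    Patched     = $patched
    NlaRequired = $nlaRequired
    Findings    = $findings
}
```

Run it across a fleet with Invoke-Command and collect the objects to see which hosts still need patching, segmentation or NLA; an empty Findings list means the host meets the checks the script covers, not that it is fully hardened.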