[email protected] +603-2181 3666
NSA Warns 1 Million Machines Vulnerable to Critical BlueKeep Malware
June 10, 2019

In a rare occurrence, the American National Security Agency (NSA) has published a statement urging people to update their older Windows systems to protect against the BlueKeep vulnerability.

The NSA referenced "growing threats" and noted that BlueKeep "is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability."

This uncommon statement as NSA does not typically comment on cybersecurity vulnerabilities in commercial products, this warning comes just over 3 weeks of Microsoft patched both supported and unsupported Windows systems against BlueKeep, which affects the Remote Desktop Protocol.

BlueKeep, a Windows Remote Desktop vulnerability that could spread in the same worm-like fashion as WannaCry, was patched on May 14 as part of Microsoft's Patch Tuesday release, including patches for supported systems, as well as Windows XP and Server 2003. At the time, Simon Pope, Microsoft Security Response Center's director of incident response, wrote in an advisory explaining why the BlueKeep patch was so important and on May 30 Pope posted a reminder alert urging users to patch. According to Robert Graham, owner of Errata Security in Portland, Ore., claimed he had found "nearly 1 million devices on the public internet that are vulnerable to the bug."

"It has the potential to be as bad [as] notPetya. On the other hand, maybe some good Samaritan will first use a DoS PoC and take down all the Internet-exposed RDP, preventing a worm from doing anything special," Graham quipped on Twitter.

Pope wrote "It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,". He continued, “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed."

Making the need for users to install the BlueKeep patch even more urgent, Cisco Talos researcher Brandon Stultz noted in a blog post that it would be possible for an attacker to bypass security measures with a BlueKeep attack if the remote desktop protocol (RDP) traffic were encrypted, "essentially sneaking past users and remaining undetected."

The NSA advisory offered the same mitigation methods suggested to combat other potential BlueKeep exploits, including blocking port 3389, disabling remote desktop services if possible and enabling Network Level Authentication (NLA).


Sources: techtarget.com