Remember WannaCry, the global outbreak which brought ransomware to mainstream attention back in 2017? Cybercriminals used the EternalBlue exploit to cause substantial damages to businesses worldwide, especially those with poor security and patching practices.
Have people learned their lessons? The answer has to be a resounding no, based on recent reports showing that a large number of systems have still not been patched against an exploitable vulnerability in Microsoft’s Remote Desktop Protocol (RDP).
The security vulnerability, called BlueKeep, affects computers running Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008. It allows hackers to remotely take over devices running the affected operating systems (OS), potentially triggering another major malware outbreak. Andrew Brant, Principal Researcher at Sophos, explained that “BlueKeep is a ‘remote code execution’ vulnerability, which means that the attacker could, in theory, execute any command on the machine with administrative privileges.”
Earlier this month, Andrew shared a video on SophosLabs Uncut about a proof-of-concept BlueKeep attack developed by SophosLabs’ Offensive Research team, which demonstrated one of several different ways an exploit could be weaponised to give an unauthenticated attacker full control over a target computer.
What makes the vulnerability so dangerous is that it could be initiated without having to deploy any malware, meaning that a hacker could take full control of a remote system without requiring a single click from its owner. Andrew added that “An attacker successfully exploiting BlueKeep the way we demonstrated in our video could do anything they wanted to do. The potential for risk is as far as these hypothetical attackers’ imaginations can take them.”
Excuse Me, Your Vulnerability Is Showing
One article by Wired.com described how security researcher Rob Graham scanned the entire public internet for BlueKeep-vulnerable machines and found over 900,000 unpatched machines exposed to potential attacks. Looking at it from a different perspective, we asked Andrew whether we should be worried that anyone, whether a researcher or a threat actor, is able to scan for vulnerable computers so freely.
In his view, “It should not be worrying that anyone can scan the internet freely. After all, the internet was designed to permit any machine to ‘talk to’ any other machine.” Nevertheless, he added that what is concerning is the volume of machines and networks, vulnerable to a variety of attacks, that are reachable via the public internet, in many cases through firewalls. “This speaks to a lack of attention to the problem by people who are ostensibly in charge of those networks.”
“In other fields, there are requirements such as a ‘duty of care’ in medicine, or a fiduciary responsibility in finance. To our detriment, there is no legally enforceable ‘duty to keep secure’ imposed upon network administrators of organisations of any size, and certainly there’s no practical way to enforce such a requirement upon anyone who runs an internet connection from their home, for example,” he continued.
Andrew explained that OS fingerprinting and port scanning are an essential preliminary step for both penetration testers (who assess existing security measures on behalf of network owners) and would-be attackers (who do the same thing, for their own purposes).
“Routine scans with tools such as NMAP (Network Mapper) can reveal open firewall ports and the services running behind them. Attackers performing these routine scans may discover systems that are vulnerable to one or more exploits. They may then leverage other open-source penetration testing tools in an attempt to gain access. Using NMAP, for example, is not especially technical or sophisticated, and the risks of ‘security through obscurity’ have been well established, namely that merely moving services to nonstandard ports offers no real security whatsoever,” he said.
Therefore, Andrew suggested that organisations that want to prevent this information from being disclosed must observe the basic security guidelines that are readily accessible to them: close open ports on the firewall, or require that only authorised users can reach them (over a VPN connection, for example); and perform their own regular, frequent assessments of what the outside of the network perimeter looks like to an adversary, so that internal resources can be targeted efficiently at closing the loopholes found.
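The perimeter assessment Andrew describes produces scan output that someone then has to read. The script below is an added example, not code from the article or from Sophos: it parses nmap’s grepable output format (`-oG`) from an organisation’s own external scan and lists every host that exposes RDP, on the default port 3389 or, as the “security through obscurity” point above warns, on a non-standard port that nmap’s service detection still identifies as `ms-wbt-server`. The scan lines embedded in it are constructed for illustration; the IP addresses are documentation ranges, not real hosts.

```python
"""List hosts in an nmap grepable (-oG) perimeter scan that expose RDP.

Added example (not from the article or Sophos). Reads the output of an
organisation's own external scan and flags RDP exposure so the port can be
closed or moved behind a VPN. Sample scan lines below are constructed.
"""
import sys
from dataclasses import dataclass

# nmap's service name for Microsoft Terminal Services (RDP), and its default port.
RDP_SERVICE = "ms-wbt-server"
RDP_DEFAULT_PORT = 3389

# Constructed sample of `nmap -sV -oG` output (documentation addresses only).
CONSTRUCTED_SCAN = (
    "# Nmap scan initiated as: nmap -sV -oG perimeter.gnmap 203.0.113.0/28\n"
    "Host: 203.0.113.5 ()\tStatus: Up\n"
    "Host: 203.0.113.5 ()\tPorts: 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
    "Host: 203.0.113.6 ()\tStatus: Up\n"
    "Host: 203.0.113.6 ()\tPorts: 3389/filtered/tcp//ms-wbt-server///, "
    "22/open/tcp//ssh///\tIgnored State: closed (998)\n"
    "Host: 203.0.113.7 ()\tStatus: Up\n"
    "Host: 203.0.113.7 ()\tPorts: 33890/open/tcp//ms-wbt-server///"
    "\tIgnored State: closed (999)\n"
    "Host: 203.0.113.8 ()\tStatus: Up\n"
    "Host: 203.0.113.8 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)\n"
    "# Nmap done\n"
)


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str


def parse_grepable(text):
    """Yield (host, port, state, protocol, service) for every port entry.

    Grepable lines are tab-separated "Key: value" fields; the Ports field holds
    comma-separated entries of the form port/state/proto/owner/service/rpc/version/.
    """
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.strip().split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            yield host, int(parts[0]), parts[1], parts[2], parts[4]


def exposed_rdp(text):
    """Return Findings for every host with RDP reachable from the scan point."""
    findings = []
    for host, port, state, proto, service in parse_grepable(text):
        if state != "open" or proto != "tcp":
            continue  # filtered/closed ports were not reachable; nothing to fix there
        if service == RDP_SERVICE and port == RDP_DEFAULT_PORT:
            reason = "RDP on default port"
        elif service == RDP_SERVICE:
            reason = "RDP on non-standard port (obscurity is not a control)"
        elif port == RDP_DEFAULT_PORT:
            reason = "default RDP port open, service not identified"
        else:
            continue
        findings.append(Finding(host, port, service, reason))
    return findings


def report(findings):
    """One line per finding, sorted by host then port, ready for a ticket."""
    return [f"{f.host} {f.port}/tcp: {f.reason}"
            for f in sorted(findings, key=lambda f: (f.host, f.port))]


if __name__ == "__main__":
    # Usage: python rdp_exposure.py perimeter.gnmap (defaults to the sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_SCAN
    for line in report(exposed_rdp(text)):
        print(line)
```

Filtered ports are deliberately left out: the point of the check is what an outsider can actually reach, and a finding list padded with unreachable ports gets ignored. Run against the real scan, the output is the list to hand to whoever owns the firewall, and re-running it after each change closes the loop on whether the exposure actually went away.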
No Two Ways About It - Patch Your Systems!
Back to the shockingly high number of discoverable unpatched systems: while we understand that there may be reasons why organisations just can’t patch certain systems, at the end of the day, installing the essential updates and patches may be the only way to avoid much bigger security problems later on.
However, if the root cause of the problem for your organisation is the existence of invisible networks, or large numbers of unregistered devices connected to your network, then that is a problem that must be rectified sooner rather than later. As Andrew put it, “Organisations must maintain situational awareness about what is connected to their network, and be able to answer the question of why any given device is connected and whether that satisfies a business need whose weight is equal to or greater than the risk having such a device poses to the organisation.”
He added, “If some of those devices cannot be updated or must remain in a state that is vulnerable to attack, it is crucial that network admins are aware of this, and do what they can to isolate those machines from the rest of the network AND from the public-facing internet, so they do not pose a security risk to the rest of the organisation.”
But seeing as, two years on, there are still systems unpatched against WannaCry, we can’t help but brace ourselves for a major outbreak exploiting the BlueKeep RDP vulnerability to hit the headlines.