BlueKeep – patch now to avoid the next WannaCry

Nick Smith

The BlueKeep vulnerability has the potential to be as damaging as WannaCry. Patch now to protect your business.

Last month Microsoft reported a critical vulnerability in Remote Desktop Services, the Windows component that implements the Remote Desktop Protocol (RDP), offering a potential wormable route into computer networks across the globe: the flaw can be triggered before authentication, so an attacker needs no credentials and no user interaction, and a worm could hop from one exposed RDP host to the next. Dubbed ‘BlueKeep’, the vulnerability affects legacy Microsoft systems: Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008 (including 2008 R2). Windows 8 and Windows 10 are not affected.

Microsoft has released a security patch for the vulnerability (CVE-2019-0708), including out-of-band updates for Windows XP and Windows Server 2003, which are otherwise out of support.

BlueKeep is not just theoretical

A researcher has developed a module for the penetration testing framework Metasploit, demonstrating a proof-of-concept BlueKeep exploit that gives the attacker full control of the target system without valid credentials. To protect unpatched machines, the module has not been released publicly, but malicious actors are likely to develop an exploit of their own. Given the seriousness of the threat and the impact of the vulnerability, an attack on unpatched systems is only a matter of time.

Organisations and individuals should patch now to protect themselves.

The situation could prove similar to the WannaCry attacks of May 2017, which cost the NHS alone an estimated £92 million. Despite a patch (MS17-010) having been available for two months before the outbreak, many organisations had not installed it, leading to a worldwide cyber-attack with around 200,000 victims. Surprisingly, two years on, about 1.7 million devices are still thought to be at risk from WannaCry.

WannaCry was preventable – and so is this

With such widespread inaction over the WannaCry warnings, concerns have been raised about the speed at which BlueKeep is being addressed. Three weeks after the patch was released, a security researcher scanning the internet identified at least 900,000 vulnerable machines exposed on TCP port 3389 (the true figure, once hosts on internal networks are counted, is likely a lot higher), with the count falling by just 1,000 over a 48-hour period.

This slow patching could be down to poor awareness outside the cyber-security community, or a lack of understanding of BlueKeep’s severity. But these things escalate quickly and it’s important to act now.

To urge people to take action, Microsoft has twice asked users to patch their systems. The US National Security Agency (NSA) has also got in on the act and released a security alert, listing key measures to take in addition to patching (see below).

The NSA recommendations, which mitigate the risk but do not replace the patch, are to:

  • block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet – 3389 is the default port Remote Desktop Services listens on, so blocking it stops attackers on the internet from establishing an RDP connection at all (it does nothing against an attacker who is already inside the network, so internal hosts still need the patch)
  • enable Network Level Authentication (NLA) – with NLA the server demands valid credentials before the vulnerable code is reached, so an attacker needs a working account on the target to exploit the flaw for remote code execution; the vulnerability is still present underneath, which is why patching remains necessary
  • disable Remote Desktop Services if not required – this removes the exposure entirely and is good practice even without the BlueKeep threat.

Help spread the word – a BlueKeep attack is preventable and it's time to apply the lessons learned from WannaCry.