Bluekeep flaw puts nearly one million devices at risk

News by Rene Millman

The worm-like Microsoft bug would need patching immediately

Around one million devices could be vulnerable to a worm-like Microsoft bug, nearly two weeks after a patch was released.

"This will likely lead to an event as damaging as WannaCry and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness," said a blog post by researchers at Errata Security.

The flaw, dubbed Bluekeep, was found in Remote Desktop Services and affects older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008.

Errata Security researcher Robert Graham carried out a scan of devices using a tool called Masscan, to find the port (3389) used by Remote Desktop, the one used by Remote Desktop. While this found all open ports, Graham then used a Remote Desktop Protocol scanning project created by the Shadowserver Foundation, to find the million devices vulnerable to Bluekeep.

"The upshot is that these tests confirm roughly 950,000 machines on the public internet are vulnerable to this bug," said Graham. "Hackers are likely to figure out a robust exploit in the next month or two and wreak havoc with these machines."

Kevin Bocek, VP security strategy & threat intelligence at Venafi, told SC Media UK that organisations need to make sure they have full visibility in to possible exploits.

"The rise of HTTPS and encrypted traffic means organisations are blind to many more attacks than they might think. It’s critical to coordinate for full visibility into encrypted traffic, making sure to not be an example of a company where the simple lack of automating digital certificates leads to a major breach," he said.

"The word ‘zero-day’ understandably fills us with dread," Paul Ducklin, senior technologist at Sophos, told SC Media UK, "because it refers to an exploitable hole that is already being attacked but for which no patch yet exists. So don’t turn already-patched holes back into your own personal zero-day situation by not applying patches that do exist! The crooks will not only go looking and find you, but also have the keys to the castle already."

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, told SC Media Uk that it's important to note that this vulnerability affects deprecated operating systems, such as Windows XP and Windows Server 2003. Windows XP is almost 19 years old, and Windows Server is 16 years old.

"For most organisations, systems running these operating systems will make up a minority. The best way to protect deprecated systems is to upgrade to a new version of windows which has been patched. Significantly, this vulnerability is exploited via Remote Desktop Protocol, but is not a vulnerability in Remote Desk Protocol. This means that vulnerable systems must have an internet facing Remote Desk Protocol service to be exploitable. If you are unable to upgrade to a supported version of Windows, it's essential to limit exposure of such systems," she said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Webcasts and interviews 

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop