New research from BitSight indicates the BlueKeep vulnerability could prove more serious than EternalBlue, the vulnerability that was exploited by the WannaCry attacks. And the global head of cyber research at a leading security vendor believes an attack exploiting BlueKeep is now only weeks away.
Microsoft has been warning users since 14 May to update their systems against a critical pre-authentication Remote Code Execution vulnerability in Remote Desktop Services (CVE-2019-0708), which has become known as BlueKeep. The United States National Security Agency (NSA) even took the highly unusual step of issuing an advisory that warned of a devastating and wide-ranging impact were enterprises to ignore the update advice. Yet ignoring those warnings is exactly what far too many enterprises appear to be doing.
New research published today by BitSight reveals not only the scale of enterprise exposure to BlueKeep, but also how failing to learn the patching lessons of WannaCry could lead to an even more catastrophic event this time.
It wasn't just the NSA jumping into the 'patch now' debate that was unusual about the BlueKeep scenario; Microsoft judged the risk so great that it shipped fixes for operating systems long past end of life, namely Windows XP and Windows Server 2003. Yet when BitSight incorporated the scanning tool (rdpscan) written by information security professional Robert Graham into its own Internet scanning platform, it found that nearly a month after public disclosure and the release of patches, close to one million vulnerable systems remained exposed to the Internet. And those are only the ones that are visible.
BitSight senior security researcher, and co-author of the report in question, Luis Grangeia, told SC Media UK that the one million figure can best be thought of as "one million potential beachheads into internal networks when attempting to quantify the total systems at risk." Once a worm achieved initial access through one of those hosts, it could use many other techniques to move laterally within the network and expand access to additional systems. "Even if there is no other system running Remote Desktop Protocol behind the firewall," Grangeia continues, "after a machine from an Active Directory Domain is compromised it is usually easy to move laterally and infect other machines in the same domain without leveraging any exploits."
BitSight also found that telecommunications, education and technology companies are the most affected by the BlueKeep vulnerability. That is not surprising: telecommunications companies, for example, commonly host end-customer systems that they cannot upgrade themselves.
It's when digging into the data, and comparing the number of exposed systems immediately before BlueKeep and WannaCry were each acknowledged and patched by Microsoft, that things get a little scary. "We can see that the situation is very comparable in terms of exposed systems, with BlueKeep having a larger number of exposed systems at the time of bug announcement and patch release," the report reveals.
But there's a difference between exposure to risk and that risk being realised through exploitation of the BlueKeep vulnerability. "While there are no reports of mass exploitation or worms in the wild," Grangeia confirms, "proof of concept exploits have been developed and demonstrated by security companies." There is also an unconfirmed report of an exploit for this vulnerability being sold on the black market as early as September 2018, Grangeia told SC Media UK. "Microsoft also states their confidence in the existence of an exploit for this vulnerability," Grangeia pointed out, something the NSA intervention would appear to reinforce.
Just because no exploit has been seen in the wild doesn't mean a motivated actor hasn't developed one. Why burn an exploit on a destructive worm when exploiting BlueKeep silently could be far more profitable? "While the lack of availability of an exploit may deter opportunist attackers from creating and deploying a destructive worm," Grangeia agrees, "it shouldn't be a factor when deciding to spend resources patching the issue, as was recommended by Microsoft and the NSA."
SC Media UK also spoke to Yaniv Balmas, the global head of cyber research at Check Point. "In our opinion it is now a race against the clock by cyber-criminals which makes this vulnerability a ticking cyber-bomb," he said, adding "the way from a crashing proof of concept to a weaponised tool is hard but doable, and it is our belief it may be a matter of weeks until we see attackers misusing this vulnerability..."