On May 14, 2019, Microsoft published an advisory for a newly discovered remote code execution vulnerability. Given the identifier CVE-2019-0708, the vulnerability has been more popularly named "BlueKeep".
Affecting devices, clients, and servers running Microsoft’s Windows 7, Windows Server 2008, Windows Server 2003, Windows XP, and embedded variations, the vulnerability opens the door to potentially unauthorized remote code execution. More specifically, provided a device's remote desktop service (RDP) is enabled and TCP port 3389 is accessible, the RDP pre-authentication process can be usurped to execute arbitrary code without user interaction. Worse still, like the WannaCry attack that came two years earlier, a BlueKeep exploit is "wormable" — meaning that it can quickly jump from device to device to spread across wider network ecosystems.
CyberMDX field statistics show BlueKeep affecting just over 15% of a typical hospital's TOTAL connected device inventory; the proportion of affected MEDICAL devices is even higher, hovering around 70% — bursting the attack surface wide open.
With instructions to exploit the BlueKeep vulnerability being released to the internet as early as May 15, 2019, it's looking more and more like the latest WannaCry-level threat. The exposure and impact potential is considered so grave that it prompted Microsoft to take the unusual step of issuing patches for legacy operating systems that it no longer officially supports.
Needless to say, urgent action should be taken to protect your organization, its assets, and its patients.
Steps to Protect Against the BlueKeep Vulnerability
There are a number of immediate actions that can and should be taken to mitigate the BlueKeep vulnerability. These include:
- Applying the following patches to affected devices –
- Enlisting available network scanning technologies and configuring scan parameters to include TCP port 3389. (In large, distributed technology environments, the most difficult part of protecting against BlueKeep will be quickly and completely identifying and locating the affected devices. To that effect, this step can provide a tremendous boost.)
- Closing TCP port 3389 of any affected devices for which RDP-enablement is not essential.
- Implementing network level authentication (NLA) wherever possible on systems for which RDP-enablement is maintained.
- Utilizing RDP gateways (on patched workstation) to hold and authenticate requests for externally originating RDP sessions before passing them through to your internal network.
With such a large percentage of your fleet affected, you will likely need to prioritize your efforts. Devices most critical to care should be attended to first, followed by devices most critical to operational efficiency, and then devices in the largest, most permissive VLANs. Within these groups, the devices that present the quickest paths to resolution should be given priority. The idea is so that you don't waste time working on one tricky problem when you could be solving 10 equally consequential problems.
Some assets might restrict you to patches independently validated and issued via the device manufacturer. For those devices you'll want to implement steps 2-5 above and then reach out to the manufacturer. While you await further instructions and/or patches from the manufacturers, you'll continue working through your prioritized list of affected devices.
The Threat Is Not Theoretical
While the above steps may seem onerous, it's imperative that they be taken. The threat is not theoretical, it's actual. In fact, researchers have been so consistently certain of eventual real-world BlueKeep fallout that already in July articles were being written to explain why an attack hadn't yet occurred.
After a workable exploit module was publicly released to Metasploit in September, security experts have warned that an attack would only be a matter of time. Some bad actor somewhere would look to take advantage of the vulnerability and in so doing possibly unleash a global threat of a magnitude unseen since NotPetya.
On November 2, we got our first glimpse of the much anticipated attack. Marcus Hutchins (yes, that same Marcus Hutchins) tweeted that while investigating the persistent mass crashing/rebooting of machines in an EternalPot RDP honeypot network, he found "BlueKeep artifacts in memory and shellcode [used]to drop a Monero Miner." The owner of that honeypot network, himself a security researcher, later clarified that signs of an attack first manifested on October 23.
The "Monero Miner" mentioned in Hutchins' tweet explains the motive for the attack, with a script being installed on affected devices that hijacks processing power to mine the cryptocurrency Monero. Thankfully this first encounter has proven less devastating than feared. The less vicious nature of this BlueKeep attack is largely due to the fact that it's non-wormable. A wormable version of the attack would be much more dangerous and would require a more custom-crafted exploit chain.
That said, as of now, there are still believed to be more than 724,000 systems worldwide susceptible to BlueKeep. It should be abundantly clear that the time to act and take protective measures is now; before news of the next, and likely much more catastrophic, attack breaks.
The more generally secure, smartly architectured, and well governed you keep your connected technology ecosystem, the easier it will be for you side-step most threats and effectively mitigate those that can't be avoided. To this end, it's important that you:
- Conduct staff-wide cyber education and training.
- Digitally inventory your device fleet – including hardware, OS, software, and network configuration details.
- Map out and micro-segment the distinct use and risk groups within your network.
- Employ strong password management.
- Use end-to-end encryption.
- Use your fully itemized digital inventory to track and implement relevant software updates and patches. (For example, a comprehensive digital inventory can be used to rapidly and confidently identify and locate all the devices within your deployment that are affected by BlueKeep – making mitigation a lot quicker and more straight-forward.)
- Preemptively disable or block traffic to ports that will not be used in the course of a device's intended operations.
- Continuously monitor network traffic for abnormalities or signs of danger.
- Enact strong, role-based access controls.
That's a long list to be sure, and it's by no means exhaustive. Cybersecurity is always evolving and changing and while we can't say with any degree of certainly what tomorrow will bring, one thing is clear — the number of known vulnerabilities with which organizations must contend will continue to grow. BlueKeep is only the most recent in a long line of discoveries. Still, given the breadth of exposure as well as the accessibility and destructive potential of an exploit, it is paramount that you act now to protect against BlueKeep.
Keeping your hospital running safely, securely, and efficiently will not be easy, but it's hard to think of a job more worthy of your efforts.
Update [11/05/2019]: Article updated with information on the first known BlueKeep attack in the wild.