The BlueKeep vulnerability brings back memories of WannaCry
On May 14, 2019, Microsoft released information about a remote code execution vulnerability in Remote Desktop Services, tracked as CVE-2019-0708 and since nicknamed BlueKeep. Microsoft rated the vulnerability Critical: exploitation requires neither authentication nor user interaction. This means that owners of servers running a vulnerable operating system with Remote Desktop exposed to the Internet are at risk of direct attack.
BlueKeep - details
BlueKeep affects older operating systems: Windows 7, Windows Server 2008, Windows Server 2008 R2, and the out-of-support Windows XP, Windows Server 2003 and Windows Vista. Newer versions (Windows 8 and later, Windows Server 2012 and later) are not vulnerable.
Windows 7 and Windows Server 2008 R2 are still widely used, particularly in industrial environments and OT (Operational Technology). Critical infrastructure entities and manufacturers should pay special attention to the warnings regarding the risks associated with this vulnerability.
The BlueKeep vulnerability allows an unauthenticated remote attacker who can reach the Remote Desktop Protocol (RDP) listener, TCP port 3389 by default, to execute arbitrary code on the target host with no user interaction. No valid credentials are needed, because the flaw is triggered during the connection sequence, before any logon takes place.
The vulnerability is also described as “wormable”: because it needs no credentials and no user interaction, malware that exploits it can spread from one vulnerable host to the next on its own, as WannaCry did. An attacker could exploit BlueKeep to gain a first foothold in an organization’s network, then move quickly across the victim’s network, deploy other malware, or gain access to sensitive enterprise data.
Has the BlueKeep vulnerability already been exploited by attackers?
Since Microsoft first published the vulnerability, several “Proof of Concept” (PoC) exploits have appeared. There is even a bot on Twitter tracking each of them, but so far no widespread or targeted attacks exploiting BlueKeep have been reported.
However, with PoC exploits already available, commercial, paid exploits may be just around the corner. Once a reliable exploit is circulating, widespread attacks using BlueKeep become increasingly likely, and the window for patching is closing quickly.
A memory of WannaCry
Because of its similarity to the vulnerabilities exploited by the WannaCry ransomware, organizations should take BlueKeep very seriously. This similarity is probably what prompted Microsoft to release patches for operating systems that are no longer supported. The last time it did so was when the SMBv1 vulnerabilities (MS17-010) were exploited in the WannaCry attack. (That global ransomware outbreak began exactly two years earlier, on May 12, 2017. For organizations that did not learn their lesson the first time, BlueKeep may soon show how much their protection against cyberattacks has actually improved.)
How can Skybox help?
PASSIVE VULNERABILITY ASSESSMENT
Skybox can identify platforms vulnerable to BlueKeep from the data already held by the patch management system, Microsoft System Center Configuration Manager (SCCM) or an equivalent, without running an active vulnerability scanner against the hosts.
AVAILABILITY OF VULNERABLE RESOURCES
To assess the exposure of assets, the Access Analyzer feature in Skybox Network Assurance can test whether RDP ports are reachable from the internet. Skybox’s analysis takes into account network controls along the path, such as firewalls and IPS systems, to determine which vulnerable devices are actually reachable and which are shielded from a potential attack.
The ability to quickly verify assumptions about access policies is crucial. During the WannaCry incident, many organizations were unaware that SMB ports (TCP 445) were reachable from the internet or across their internal network segments. By automating access analysis, clients can check whether actual network access matches internal policy, spot any violations, and manage the resulting remediation work effectively.
VULNERABILITY SCANNER EXPOSURE ANALYSIS
For BlueKeep findings reported by third-party scanners, Skybox can add network context and prioritize which vulnerable assets should be remediated first.
Skybox attack simulations analyze network paths to highlight vulnerable assets exposed to potential threats, including those located on the internet. The exposure factor takes into account the criticality of the asset (or the system it resides on), ensuring that remedial actions are prioritized and focused on reducing risks quickly.
While remedial actions for resources directly exposed to threats receive the highest priority, Skybox also calculates the potential for compromise via lateral network movement, as seen in multi-stage attacks. Indirect exposures are also reflected in the priorities for remediation.
AVAILABILITY OF PATCHES AND WAYS TO PREVENT THREATS
Clients should apply the appropriate Microsoft updates immediately. Microsoft’s advisory also recommends two interim measures: enable Network Level Authentication (NLA), so that an attacker needs valid credentials before reaching the vulnerable stage of the connection, and block TCP port 3389 at the network perimeter. If the patches cannot be deployed right away, Skybox will also suggest other ways to mitigate the risk, often specific to each environment, to protect sensitive assets using the technologies and controls already available.
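The two practical questions raised above, whether the RDP listener is reachable at all and whether it enforces NLA, can be answered with a single unauthenticated probe. The following script is an added example, not Skybox’s product code or anything from the original page: it sends an X.224 Connection Request carrying an RDP negotiation request that asks only for legacy RDP security, then reads the server’s Connection Confirm. A host that enforces NLA answers with `RDP_NEG_FAILURE` / `HYBRID_REQUIRED_BY_SERVER`; any other answer means an unauthenticated client reaches the connection sequence where BlueKeep is triggered. The packet layouts and constants follow MS-RDPBCGR; the sample replies at the bottom are constructed for offline checks, not captured from a real host, and the `mstshash=probe` cookie value is an arbitrary choice.

```python
# Added example: probe an RDP listener for reachability and NLA enforcement.
# Packet formats from MS-RDPBCGR (X.224 CR/CC, RDP_NEG_REQ/RSP/FAILURE).
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security": no pre-authentication
PROTOCOL_SSL = 0x00000001     # TLS only, still no authentication before the MCS stage
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
HYBRID_REQUIRED_BY_SERVER = 0x05


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie=b"mstshash=probe"):
    """TPKT + X.224 Connection Request with a routing cookie and an RDP_NEG_REQ.

    Asking only for PROTOCOL_RDP makes a server that enforces NLA reply with
    RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER instead of continuing.
    """
    body = b"Cookie: " + cookie + b"\r\n"
    body += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR header after the LI byte: code 0xE0, DST-REF, SRC-REF, class (6 bytes)
    x224 = struct.pack(">BBHHB", 6 + len(body), 0xE0, 0, 0, 0) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Parse the server's TPKT + X.224 Connection Confirm into a small dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:
        # No rdpNegData at all: old server that only speaks standard RDP security.
        return {"negotiated": False, "type": None, "value": PROTOCOL_RDP, "nla_required": False}
    if li < 14 or len(data) < 19:
        raise ValueError("truncated RDP_NEG response")
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8 or neg_type not in (TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE):
        raise ValueError("malformed RDP_NEG response")
    nla = neg_type == TYPE_RDP_NEG_FAILURE and value == HYBRID_REQUIRED_BY_SERVER
    return {"negotiated": True, "type": neg_type, "value": value, "nla_required": nla}


def assess(response):
    """Turn a raw Connection Confirm into an exposure verdict."""
    info = parse_connection_confirm(response)
    if info["nla_required"]:
        return "nla-enforced"        # CredSSP logon happens before the vulnerable MCS stage
    if info["type"] == TYPE_RDP_NEG_FAILURE:
        return "negotiation-failed:" + FAILURE_CODES.get(info["value"], hex(info["value"]))
    return "pre-auth-reachable"      # unauthenticated clients reach the connection sequence


def probe(host, port=3389, timeout=3.0):
    """Connect to host:port, send the request and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request())
            response = sock.recv(64)
    except OSError:
        return "unreachable"         # filtered, closed, or no listener from this vantage point
    if not response:
        return "closed-by-server"
    return assess(response)


# Constructed sample replies (not captured from real hosts) for offline checks.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_STANDARD_RDP = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_LEGACY_NO_NEG = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            print(target, probe(target))
    else:
        for name, sample in (("nla", SAMPLE_NLA_REQUIRED), ("rdp", SAMPLE_STANDARD_RDP),
                             ("legacy", SAMPLE_LEGACY_NO_NEG)):
            print(name, assess(sample))
```

Run it as `python rdp_probe.py host1 host2` from an internet vantage point to confirm what the access analysis predicts. Two caveats: the probe shows exposure, not patch status, so a host reported as `pre-auth-reachable` still needs the inventory check to decide whether it is vulnerable; and a `negotiation-failed:SSL_REQUIRED_BY_SERVER` verdict means TLS is mandatory, which alone does not stop an unauthenticated client (only NLA does), so such hosts should be re-probed with `PROTOCOL_SSL` requested before being treated as protected.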
Source: www.skyboxsecurity.com