How to Avoid the BlueKeep Blues

Protect your networks against the most significant vulnerability seen in 2019 … so far

An ounce of prevention is better than a pound of cure, as Benjamin Franklin observed.  That’s why the US National Security Agency (NSA) has urged network managers and administrators globally to ensure they patch and update their systems, to mitigate the risk from a major vulnerability that was recently discovered. 

The flaw, named ‘BlueKeep’ (CVE-2019-0708), affects an estimated 1 million machines worldwide that are accessible to the public internet, with many times this number within organizations’ internal networks.  It affects Windows 7, Windows Server 2003 & 2008 and Windows XP; newer versions of Windows are not affected.  It was first reported by the UK’s National Cybersecurity Center, and patches were immediately developed and released to fix the flaw.  Problem solved, you would think.  Unfortunately, the scale of the risk from BlueKeep means the danger is far from over.

The reason for this is that BlueKeep could allow a remote attacker to connect to a vulnerable server or PC via the remote desktop protocol (RDP) and execute arbitrary code on the machine — without any user interaction. In other words, it is potentially ‘wormable,’ meaning that the code can spread via the flaw both across the Internet and within internal networks without requiring any user interaction. 

As a result, one single vulnerable machine can infect an entire network, and then all infected computers with access to the Internet can infect other vulnerable devices worldwide – meaning the attack can spread and grow exponentially, at an unstoppable pace.  If BlueKeep is exploited by criminals, it could lead to cyberattacks on the scale of 2017’s massive WannaCry and NotPetya ransomware campaigns, which caused widespread damage globally on unpatched systems. 

At this point, it’s important to note that BlueKeep has not yet been exploited in the wild.  The only known exploits have been developed by security vendors’ research teams.  However, it’s wise to not be complacent:  in 2017, it took less than three months from the disclosure of the ‘EternalBlue’ vulnerability to the first wave of WannaCry ransomware attacks which exploited the flaw.  And with so many unpatched machines globally, it’s a certain bet that criminals are hard at work in developing exploits for BlueKeep, with criminal gains in mind.

Blocking BlueKeep

So, we support the NSA’s call for organizations’ IT and security teams “to invest the time and resources to know your network and run supported operating systems with the latest patches.” To check and patch your systems, a good starting point is the NSA’s advisory document, which details the relevant patches that fix vulnerable systems.  There are additional measures that you can take, too, to increase your networks’ resilience against this threat. These are:

• Disable Remote Desktop Services (RDP) on PCs and servers, if they are not required. Disabling unused and unneeded services cuts exposure to security vulnerabilities generally, and is recommended best-practice against a range of threats, not just BlueKeep
• Block TCP Port 3389 at your firewalls, especially on perimeter firewalls exposed to the internet, as this port is used in the RDP protocol.  AlgoSec’s solution enables organizations to quickly establish which network firewalls may have this port open, and to close off those ports quickly and automatically, without impacting wider business application connectivity
• Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.

Finally, the risk of fast-spreading malware spreading laterally across networks is a timely reminder that network segmentation is an extremely effective preventative strategy.  A robust segmentation scheme blocks the spread of malware, and stops it accessing network shares and resources which store sensitive business or customer data.  AlgoSec makes it easy to define and enforce segmentation throughout your network, and ensures that your existing network security policy does not violate your network segmentation strategy. AlgoSec proactively checks every proposed firewall rule change request against your segmentation strategy to ensure that it meets compliance requirements and that it doesn’t block critical business services or introduce risk. Find out more about how segmentation can boost your organization’s security posture here.