AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Patch now to prevent worms burrowing into your networks


As first exploit for BlueKeep is published online, it’s critical to ensure your networks are protected against both new and old vulnerabilities that malware can exploit

Worms. They’re good for the soil in a garden, but they’re certainly not welcome inside an organization’s networks. A network worm silently compromises a single PC or server, then spreads across the enterprise network, and any other networks connected to it, without any interaction from users. 2017’s massive WannaCry and NotPetya ransomware campaigns were both wormable, and they showed just how damaging worms can be.

So it’s critical to update both PCs and servers against the vulnerabilities that worms exploit in order to spread. Back in June this year, the NSA and other national security agencies warned companies to apply patches to eliminate the BlueKeep flaw (CVE-2019-0708), which was estimated to affect around 1 million internet-exposed Windows PCs and servers globally and had the potential to lead to massive malware attacks.

And now two new vulnerabilities have been disclosed which share genes with BlueKeep. The new flaws, CVE-2019-1181 and CVE-2019-1182, similarly allow an unauthenticated remote attacker to connect to a vulnerable server or PC via the Remote Desktop Protocol (RDP) and execute arbitrary code on that machine, before any credentials are checked. That pre-authentication, no-user-interaction profile is exactly what let WannaCry and NotPetya spread so rapidly across networks.

However, unlike BlueKeep, these new vulnerabilities are not restricted to older versions of Windows: they also affect more recent versions, including Windows 8.1, Windows 10 and the corresponding Windows Server releases, giving them the potential to impact a wider range of organizations. The good news is that, at the time of writing, no public proof-of-concept exploits for the flaws exist and no exploitation in the wild has been reported.

A patch in time

But this doesn’t mean organizations can afford to be complacent: exploits for the flaws will surely be developed with the aim of targeting unpatched networks. Despite the urgent global warnings issued about the BlueKeep flaw over two months ago, it was recently estimated that around 400,000 corporate endpoints were still vulnerable to it. Once an exploit is public, the gap between “vulnerable” and “compromised” is measured in scanning time, not months.

And the day before the two new vulnerabilities were announced, the Australian Cyber Security Centre warned that a way to exploit the BlueKeep flaw had been published online. As the centre noted: “The disclosure, once made available to the public, is anticipated to increase the amount of RDP scanning activity, increasing the chances of attempted exploitation of unpatched systems.”

As such, we would recommend that enterprise IT and security teams patch these vulnerabilities urgently, following the instructions in Microsoft’s bulletin. Patching is the only complete fix; the following measures reduce exposure while you roll it out, and remain good hygiene afterwards:

  • Disable Remote Desktop Services on PCs and servers that don’t need them. With no RDP listener running, BlueKeep and the two new vulnerabilities cannot be reached at all.
  • Block TCP port 3389 on your firewalls (especially perimeter firewalls exposed to the internet), as this is the default port RDP listens on. Check for listeners that have been moved to a non-default port, as those are not covered by a block on 3389 alone. Using AlgoSec’s network security management solution enables IT teams to quickly find out which network firewalls have this port open, and to close off those ports quickly, without affecting business application connectivity.
  • Enable Network Level Authentication (NLA): with NLA, a client must authenticate before a remote desktop session is created, so an unauthenticated attacker can no longer reach the vulnerable code. This is a mitigation, not a fix: an attacker who holds valid credentials for the machine can still trigger the flaw, so NLA limits the ability of a worm to spread but does not remove the need to patch.
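The three host-side measures above can be audited and applied from the machine itself. The following PowerShell script is an added example written for this post, not AlgoSec’s code or Microsoft’s; it assumes the default `RDP-Tcp` listener, an elevated session, and Windows 8.1 / Server 2012 R2 or later for the `NetSecurity` firewall cmdlets. The management range `10.0.0.0/8` is a placeholder to replace with your own. Without `-Enforce` it only reports; with `-Enforce` it requires NLA, restricts the built-in Remote Desktop firewall rules to the management range, and with `-DisableRdp` switches Remote Desktop off entirely. It does not replace the patch.

```powershell
<#
  Added example (not AlgoSec's or Microsoft's code): audit, and optionally
  enforce, the host-side RDP mitigations for BlueKeep / CVE-2019-1181 / -1182.
  Assumes: default "RDP-Tcp" listener, elevated PowerShell, Windows 8.1+.
#>
[CmdletBinding()]
param(
    [switch]$Enforce,      # apply changes instead of only reporting
    [switch]$DisableRdp    # with -Enforce: turn Remote Desktop off entirely
)

$tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey     = "$tsKey\WinStations\RDP-Tcp"
$adminRange = '10.0.0.0/8'   # assumed management network; change for your environment

function Get-RdpPosture {
    # Read the registry values that decide whether the pre-auth RDP code path is reachable.
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        RdpEnabled            = ($ts.fDenyTSConnections -eq 0)
        NlaRequired           = ($rdp.UserAuthentication -eq 1)
        SecurityLayer         = $rdp.SecurityLayer   # 0 = legacy RDP, 1 = negotiate, 2 = TLS
        ListenerPort          = $rdp.PortNumber      # 3389 unless an administrator moved it
        EnabledFirewallRules  = $fwRules.Count
    }
}

$before = Get-RdpPosture
Write-Host 'Current RDP posture:'
$before | Format-List

if (-not $Enforce) {
    if ($before.RdpEnabled -and -not $before.NlaRequired) {
        Write-Warning 'RDP is enabled without NLA: unauthenticated clients reach the vulnerable pre-auth code.'
    }
    if ($before.ListenerPort -ne 3389) {
        Write-Warning "RDP listens on $($before.ListenerPort), not 3389: a perimeter block of 3389 alone misses this host."
    }
    return
}

if ($DisableRdp) {
    # Measure 1: no listener, nothing to exploit.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Stop-Service -Name TermService -Force
    Set-Service  -Name TermService -StartupType Disabled
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
} else {
    # Measure 3: require NLA (authentication before session creation) and the TLS
    # security layer. Mitigation only; the bug is still present until patched.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2

    # Measure 2, host-firewall equivalent of the perimeter block: Windows Firewall
    # gives block rules priority over allow rules, so instead of adding a block we
    # scope the existing allow rules to the management range and rely on the
    # profile's default inbound action being Block for everything else.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $adminRange -ErrorAction SilentlyContinue
}

Write-Host "`nPosture after enforcement:"
Get-RdpPosture | Format-List
```

Run it first without switches on a representative sample of hosts; the two warnings it emits are the cases where a perimeter-only control gives false comfort. The host firewall scoping complements, rather than replaces, the perimeter block recommended above, because a worm that has already landed inside the network is attacking from an internal address.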

Finally, as we described in our earlier blog about BlueKeep, network segmentation is an effective security strategy that blocks and limits the ability of any type of malware to spread across corporate networks. AlgoSec’s solution makes it easy to define and enforce segmentation across your entire network infrastructure, whether on-premises, in virtual data centers or in the cloud. This reduces your organization’s exposure to all types of cyber-attacks and risks by restricting the lateral movement of hackers or fast-moving worms, containing any breach to the segment where it started and enabling it to be addressed quickly. By taking these timely preventative actions, you can ensure that attackers don’t get a chance to worm their way into and attack your networks.
