What Is BlueKeep?
BlueKeep is a vulnerability that affects older versions of the Microsoft Windows operating system. The threat, also known as CVE-2019-0708, first emerged in 2019 as researchers revealed it had the potential to devastate networks by spreading between computers as a worm. The vulnerability affects operating systems Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows XP.
The BlueKeep vulnerability’s risk is significant as it attacks Windows operating systems’ Remote Desktop Protocol (RDP), which provides a graphical interface to connect computers through a network connection.
BlueKeep was originally limited to researchers modeling the risk, but in November 2019, it emerged that attackers were using it to install cryptocurrency mining code. The attack, discovered by British researcher Kevin Beaumont, was found through honeypots he created to notify of any exploits of the vulnerability. The attacks used a demo exploit code that attempted to install a cryptominer onto unpatched devices. However, they were flawed as they only crashed computers rather than successfully installing the code.
BlueKeep is not the only vulnerability in Windows RDP. More than three dozen security holes, some of which could be vulnerable to remote code execution, have been discovered that could enable attackers to take control of internet and network-facing devices.
Why Should You Care?
The BlueKeep vulnerability offers a potentially significant threat to users that Microsoft has described as “wormable.” This means it could be widely exploited and spread from one computer to another in the same way as the devastating WannaCry ransomware worm. As a result, Microsoft took the unprecedented step of releasing patches for unsupported versions of its operating systems, including Windows Server 2003, Windows Vista, and Windows XP. It also warned people using these Windows versions to update their systems twice in May 2019.
National security agencies also issued warnings about the BlueKeep vulnerability and urged people to update their systems. These include the U.K. agency National Cyber Security Centre (NCSC), the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), and their equivalents in Australia and Germany. These warnings, in conjunction with Microsoft’s patches, signify the serious threat that BlueKeep could pose to internet users.
For example, the NSA’s warning in June 2019 urged Windows administrators and users to use patched and updated operating systems in light of the increased risk posed by the protocol vulnerability. The NSA warned that cyber criminals exploit BlueKeep through software code that targets specific vulnerabilities and that it was “only a matter of time” before a remote exploitation code became available.
The agency also expressed concern that attackers would use BlueKeep in ransomware and kits containing known exploits, which would increase its capability to attack unpatched systems. As a result, the NSA warned everyone to put time and resources into better understanding their networks and ensuring their operating systems were patched.
Does It Affect You?
BlueKeep poses a potential risk that could affect anyone that still uses unsupported Windows operating systems. This effectively means that around 1 million computers connected to the internet could be affected by it. These systems are no longer maintained by Windows and run legacy applications that present a major security risk. That is because unprotected hosts are easily detectable by cyber criminals, who can use tools like Masscan or ZMap to scan the internet for vulnerabilities.
There have been reports that attackers are using port scans to detect potential BlueKeep vulnerabilities on Windows operating systems. These attempts were hidden behind TOR exit nodes, which suggests the potential for more BlueKeep attacks and proves that it is an ongoing risk.
People who are still using unsupported Windows systems could be at risk if they do not update their device to the latest version. Attackers exploiting BlueKeep could hack into a computer without the appropriate patches or updates installed. Failing to update a device leaves a user vulnerable to potential attacks, which could see an attacker steal their data and use it for malicious activity.
The fact that Microsoft has labeled the vulnerability "wormable" means that the threat could spread across the internet without any user interaction. This is indicative of other devastating worms that have infiltrated devices across the internet through unpatched systems and wreaked wide-ranging damage.
For example, the WannaCry crypto-ransomware attack also affected Windows devices. It targeted a weakness in the Windows operating system to install malware through a backdoor called DoublePulsar and spread from computer to computer using an exploit known as EternalBlue. Microsoft released a patch that protected computers from the exploit, but many users and organizations remained exposed, as they did not update their operating systems.
WannaCry encrypted files on a computer and locked users out of their devices, then the attacker demanded a ransom to unlock their data and device. But the impact of the attack was vast, affecting around 230,000 computers all over the world. This included inflicting huge damage on British health provider National Health Service (NHS), which saw ambulances rerouted, appointments canceled, and thousands of surgeries and one-third of its health trusts attacked. The attack is estimated to have cost the NHS up to £92 million.
Furthermore, the spread of ransomware through WannaCry crippled the computer systems across 150 countries worldwide. This had a huge financial impact, estimated at around $4 billion in losses.
The damage caused by WannaCry could have been avoided if people stopped using outdated Windows systems and brushed up their cybersecurity knowledge. And this poses a serious warning for any user or organization that still does not have their systems patched and updated.
What Should You Do About It?
The risk posed by a potential BlueKeep exploit and the lessons learned from previous similar cyberattacks highlight the importance of securing devices that could be affected. Users and businesses can take the following steps to protect themselves from the risk of BlueKeep.
- Patch insecure computers: Failing to update systems leaves users’ data vulnerable to theft, and if the device happens to be a business computer, puts sensitive corporate information at risk. The near 1 million internet-connected Windows 7 or earlier computers are potentially vulnerable to BlueKeep. However, they can be protected by patching the Windows system. Patches for Windows 7 and Windows Server 2008 systems are available here, and patches for earlier systems like Windows Server 2003, Windows Vista, and Windows XP are available here.
- Block vulnerable ports: Users can also prevent the BlueKeep vulnerability by blocking port 3389, which is used by the RDP at firewalls. This port should especially be blocked if devices and the firewall are facing the external internet.
- Disable unnecessary services: Any services that are not required, such as remote desktop services, should be blocked to prevent potential security gaps that attackers could exploit.
- Enable network control: Organizations can enable Network Level Authentication (NLA), which gives them control of users that connect to their systems and prevent unauthorized access to their data and resources. This also helps them block unauthorized users looking to exploit the BlueKeep vulnerability to attack the business.
- Educate users: In addition to patching systems, installing the latest software, and protecting networks, it is also vital to be aware of the latest risks in the cybersecurity threat landscape. Users need to ensure they understand the risks they face and can identify the signs of a potential cyberattack.
How Fortinet Can Help?
Individuals and organizations can protect their systems by enabling automatic software updates and making sure they have the latest patches installed on their systems. However, even this may not be enough to keep their data and systems protected from the most advanced and technically sophisticated cyber threats.
Fortinet helps organizations protect themselves from known and evolving threats with its next-generation firewall (NGFW), FortiGate. An NGFW is crucial to protecting networks and maintaining firewalls, as well as providing deeper inspection of network traffic. This ensures businesses can quickly identify attacks, as well as the presence of malware and ransomware, and block them before they pose a serious risk. It also provides application control, advanced visibility of the attack surface, intrusion prevention, secure sockets layer (SSL) inspection, and web filtering.
Crucially, the Fortinet NGFW solution enables organizations to keep pace with the increasing speed of the threat landscape, which is fueled by trends like colocation and multi-cloud environments. It not only blocks malware and known threats but also provides future updates that enable the organization to protect its network from new and evolving threats.
Further, next-generation firewall solutions inspect traffic at unparalleled hyperscale, speed, and performance, which guarantees that only legitimate traffic can access the network. This also ensures optimal user experience without the risk of costly downtime. They also integrate with the Fortinet artificial intelligence (AI)-powered FortiGuard and FortiSandbox services, which offer further protection against known threats and zero-day attacks.
Discover how Fortinet can help your organization protect your network with next-generation firewalls.