In a recent blog post, Microsoft's security team warned that the BlueKeep vulnerability is now being exploited in the wild and that more destructive BlueKeep attacks are on the horizon.
It urged companies and users to update their software and apply the patches if they have not already done so.
Microsoft researchers wrote in the post, “Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks”.
They added, “While there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners”.
The recently detected attacks used BlueKeep to break into unpatched Windows systems and deploy a cryptocurrency miner.
As per Microsoft blog, “Our machine learning models flagged the presence of the coin miner payload used in these attacks on machines in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries.”
[Figure: Geographic distribution of coin miner encounters]
Like the vulnerability behind WannaCry, BlueKeep is wormable: malware that exploits it can spread from one unpatched machine to the next without any user interaction, so it carries the risk of large-scale impact.
WannaCry caused huge damage; one global enterprise alone put its loss at approximately $300 million.
So far BlueKeep has been used against a limited number of machines, but every unpatched host with Remote Desktop exposed, including yours, is a target if corrective measures are not taken immediately.
What is Microsoft BlueKeep?
BlueKeep is a critical, pre-authentication remote code execution vulnerability in Remote Desktop Services (RDS), tracked as CVE-2019-0708, that affects older versions of Windows: Windows 7, Windows XP, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.
Microsoft released a security fix for it on May 14, 2019.
The Remote Desktop Protocol (RDP) itself is not vulnerable; the flaw is in how Remote Desktop Services handles specially crafted requests sent over RDP. Exploitation requires no authentication and no user interaction.
Any future malware exploiting this vulnerability could propagate on its own from one vulnerable computer to another, just as WannaCry did in 2017.
How can you protect against BlueKeep?
#1 If not needed, disable Remote Desktop Services
As a best practice, disable what you don't need, RDS included; every service you turn off is one less exposure to vulnerabilities like this one.
Whether or not RDS is in use, Microsoft recommends installing the updates for this vulnerability as early as possible.
“Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised,” Microsoft wrote.
Here are the links to patch your version of OS:
- For Windows 7 SP1, Windows Server 2008 and Windows Server 2008 R2 – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- For Windows XP and Windows Server 2003 – https://support.microsoft.com/en-in/help/4500331/windows-update-kb4500331
Microsoft also lists the following workarounds. They reduce exposure but are not a substitute for the patch:
#2 Enable Network Level Authentication (NLA) on Windows 7, Windows Server 2008 and Windows Server 2008 R2
Enabling NLA blocks unauthenticated attackers from exploiting this vulnerability.
With NLA turned on, an attacker must first authenticate to Remote Desktop Services with a valid account on the target system before the vulnerable code can be reached. Note the limit of this workaround: a system with NLA is still vulnerable to remote code execution by an attacker who holds valid credentials, so it buys time rather than replacing the patch.
#3 Block TCP port 3389 at the enterprise perimeter firewall
TCP port 3389 is the default port used to initiate a connection with the affected component.
Blocking it at the perimeter firewall protects the systems behind that firewall from exploitation attempts that start outside the enterprise perimeter.
This is one of the best defenses against internet-based attacks.
However, a perimeter block does nothing against attacks that start inside the network: a single compromised laptop or VPN user can still reach every unpatched host on the LAN, and an RDS listener moved to a non-default port is not covered by a rule written for 3389.
Systems inside the enterprise perimeter therefore remain vulnerable until they are patched.
#4 Maintain a backup of your data
Backup and disaster recovery matter more than ever in an age of cyberattacks.
They let you recover your data quickly after an advanced attack, a man-made incident or a natural disaster.
Acronis cloud backup, a cloud-based backup and disaster recovery service, provides end-to-end, real-time data protection that lets you recover from the payloads an exploit like BlueKeep can deliver, such as ransomware.
Read details in a report by Forrester.
Features of Acronis Backup Cloud:
- Powered by artificial intelligence (AI) and machine learning, Acronis scans systems in real time and protects them from ransomware.
- In case of an attack, Acronis notifies you at the earliest opportunity and automatically restores the affected files.
- Acronis protects virtual, hybrid and physical environments, and also supports mobile devices so you can back them up quickly.
- Acronis uses Tier IV, SSAE-16 certified data centers, allowing recovery or data access from Acronis Backup Cloud within seconds.
- Acronis comes with an easy-to-use management and control panel that generates reports on cloud backups, sets up automatic agent updates, and gives you control over backups, infrastructure, cloud and data.
- Acronis supports leading cloud services, including Microsoft Azure and Amazon EC2, which allows for safe cloud transitions.
If you have any doubts, get in touch with us via the comments section.
Barkha, the Business Intelligence head, manages organizational workflow and analyzes and refines the company's strategies. Strategic consulting, including sales strategy, is her major expertise, and intelligent BI tools are her best friends. She is the bonding force of our team, planning and regulating each and every step we take.