Two weeks ago, Windows announced that a vulnerability had been discovered in Windows XP, Windows 7 and other older Windows systems. The vulnerability, named BlueKeep, is in Remote Desktop Services, and is potentially wormable. This means that it could be used to launch a piece of malware that self-propagates between systems containing the same vulnerability.
Windows made a patch available on May 14, and advised users and companies using the affected systems that it was important to install this patch as soon as possible.
Possible cybercriminal activity
And now, threat actors have been detected scanning the Internet for systems containing this vulnerability. Because of these warnings and how dangerous BlueKeep could be, the IT security community has been monitoring the vulnerability for signs of attacks or PoC (proof of concept) demos that could be used to create BlueKeep exploits.
While no researchers have published any exploits for this vulnerability, several organizations have confirmed that they have successfully developed BlueKeep exploits, which they will keep private, so as not to facilitate their use in cyberattacks.
Days later, on May 24, the threat intelligence company GreyNoise announced that it had started to detect scans that were looking for Windows systems with the BlueKeep vulnerability. It is believed that this activity is being produced by a single cyberattacker.
For now, these are just scans, and no attempt has been made to exploit the vulnerability. However, the fact that an attacker is dedicating time and resources to compiling lists of vulnerable devices suggests that it is likely that an attack is being prepared. And with an estimated total of one million vulnerable devices, this attack could have devastating consequences.
Since at least six organizations have developed exploits for BlueKeep, and there are at least two very detailed reports about the vulnerability, it is just a matter of time before cyberattackers manage to develop their own exploits.
The danger of vulnerabilities
The list of cyberattacks that have been made possible by vulnerabilities is extensive. The most notorious attack of the last few years, WannaCry, was made possible thanks to a Windows vulnerability called EternalBlue. The vulnerabilities EternalBlue and BlueKeep have something in common: both can be used to spread computer worms. This fact has got cybersecurity professionals worried; it means that, in theory, BlueKeep could be used in a cyberattack with similar dimensions to WannaCry.
Not long ago, EternalBlue was behind another major cyberattack. The City of Baltimore was hit by a ransomware attack that took out large parts of the city hall’s IT systems. Over three weeks later, the city is still trying to recover its systems. And according to The New York Times, the cause of this attack is EternalBlue.
And what is the worst thing about these two cases? Almost two months before the WannaCry attacks, Microsoft had published a patch to fix EternalBlue, and those computers that had installed it were not affected. And the fact that Baltimore was affected in the same way, two years after the publication of the patch, is startling proof of how important security updates are. It is also proof of a lack of time and resources dedicated to monitoring vulnerabilities and patch updates.
How to protect against BlueKeep
Although it is just scanning for the time being, it is vital to close this vulnerability, given the likelihood of it being used in a real attack. When the vulnerability was discovered, Microsoft launched a patch for the affected systems, including Windows XP, Windows 7 and Windows Server 2008. This patch needs to be installed as soon as possible.
To protect against any cyberthreat, it is important to have an advanced cybersecurity solution. Panda Adaptive Defense provides complete visibility of all activity on the network, so that you know exactly what is happening at all times.
It also has an additional module, Panda Patch Management, which requires no additional deployment from the client, and not only provides patches and updates for operating systems, but also for hundreds of third party applications. Panda Patch Management audits, monitors, and prioritizes updates for operating systems and applications, all from a single panel. What’s more, it is also able to contain and mitigate attacks that exploit vulnerabilities, applying a constant critical update policy to detect any possible threat, even before it becomes dangerous.