1 Million Windows Devices 'Vulnerable to Remote Desktop Flaw'Security Researcher Warns That Flaw Could Lead to Worm-Like Exploit
A security researcher warns that nearly 1 million devices running older versions of Microsoft Windows remain vulnerable to a recently discovered flaw in Microsoft's Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over unpatched machines.
Even though Microsoft issued a fix for this flaw, which is called BlueKeep, for its Patch Tuesday update on May 14, some 950,000 unpatched devices running older Windows operating systems remain vulnerable to it, Robert Graham of the security firm Errata Security writes in a blog published Tuesday.
Although Microsoft says it's seen no evidence of the flaw being exploited in the wild, Graham warns attackers could develop a robust exploit within the coming weeks, which makes patching urgent.
The vulnerability, listed as CVE-2019-0708, was first spotted by the U.K.'s National Cyber Security Center. If exploited, an attacker could "execute arbitrary code on the target system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights," according to Microsoft's May 14 alert.
The flaw affects many older versions of the company's operating system, including Windows XP, Windows 7, Windows 2003 and Windows Server 2008, the company notes. Newer versions of Windows, including Windows 8 and Windows 10, are not affected.
And while Microsoft issued a patch for these older systems on May 14, Graham warns that nearly 1 million unpatched devices remain vulnerable to the flaw. As a result, attackers could create a worm-like exploit reminiscent of the WannaCry or NotPetya ransomware incidents of 2017 (see: After 2 Years, WannaCry Remains a Threat).
After scanning, debugging the scanner, and rescanning, my official verdict is 950,000 machines vulnerable to BlueKeep (CVE-2019-0708) on the public Internet.https://t.co/W9DApkfK66— Robᵇᵉᵗᵒ Graham (@ErrataRob) May 28, 2019
"That means when the worm hits, it'll likely compromise those million devices," Graham writes. "This will likely lead to an event as damaging as WannaCry and NotPetya from 2017 - potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness."
In a May 14 post, Microsoft warned that because the BlueKeep vulnerability does not require user interaction, an exploit could spread malware from one vulnerable machine to another within a network in the same way that the WannaCry ransomware is "wormable."
"While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware," Microsoft says.
Security firm GreyNoise Intelligence warned on Friday that at least one threat actor is scanning networks looking for systems that are vulnerable to BlueKeep.
GreyNoise is observing sweeping tests for systems vulnerable to the RDP "BlueKeep" (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor. pic.twitter.com/iGwuGuD4Rq— GreyNoise Intelligence (@GreyNoiseIO) May 25, 2019
ZDNet reports that several other cybersecurity firms, including Zerodium, McAfee, Kaspersky, Check Point, MalwareTech and Valthek, have developed exploits for BlueKeep but are keeping those private. This demonstrates, however, that a determined attacker could take advantage of the vulnerability.
Scanning for Vulnerabilities
For his research, Graham used a masscan internet port scanner tool to search for any open ports - in this case port 3389 - that are used by Microsoft's Remote Desktop Protocol service. It's through these open ports that an attacker could exploit the BlueKeep flaw.
At first, Graham's scan found more than 7 million devices using port 3389 for Remote Desktop Protocol. After checking for honeypots and eliminating systems that had already been patched, he concluded that "roughly 950,000 machines are on the public Internet that are vulnerable to this bug."
Graham predicts that attackers are likely to create a robust exploit for this vulnerability within the next month or two.
In his blog post, Graham warned large enterprises to fix security issues related to PsExec - a command-line tool that enables IT administrators to execute processes on remote systems. It's through this tool that a worm can spread throughout the entire network from one infected machine.
"You may have only one old WinXP machine that's vulnerable, that you don't care if it gets infected with ransomware. But that machine may have a Domain Admin logged in, so that when the worm breaks in, it grabs those credentials and uses them to log onto the Domain Controller," Graham writes. "Then, from the Domain Controller, the worm sends a copy of itself to all the desktop and servers in the organization, using those credentials instead of the vuln."