News

Microsoft Warns of Heightened Threat of 'BlueKeep' Attacks

Older Windows systems using Microsoft's Remote Desktop Services are at acute risk of remote code execution attacks due to the "BlueKeep" vulnerability, Microsoft recently warned.

According to Microsoft, BlueKeep (CVE-2019-0708) exploit code is now "widely available" for use by attackers. The vulnerability potentially affects Windows 7, Windows Server 2008 and Windows Server 2008 R2, as well as the older and unsupported Windows XP and Windows Server 2003 systems. 

Microsoft had issued patches for all of those systems back in May, but it also warned back then that possible worm-like infections could spread worldwide should systems go unpatched. A successful exploit could give attackers "access to all user credentials used on the RDP system," Microsoft's announcement on Thursday explained.

Organizations using Remote Desktop Services on those Windows systems should apply the patch for the vulnerability. They should also protect the system's Remote Desktop Protocol "listener."

"If you have Remote Desktop Protocol (RDP) listening on the internet, we also strongly encourage you to move the RDP listener behind some type of second factor authentication, such as VPN, SSL Tunnel, or RDP gateway," Microsoft advised in the announcement.

Organizations should also enable network-level authentication (NLA), which will block attackers lacking authentication credentials, according to the announcement:

You also want to enable Network Level Authentication (NLA), which is a mitigation to prevent un-authenticated access to the RDP tunnel. NLA forces users to authenticate before connecting to remote systems, which dramatically decreases the chance of success for RDP-based worms. The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP.

There are "more than 400,000 endpoints" that currently lack "any form of network level authentication," Microsoft's announcement indicated. That finding is based on Windows "telemetry" information that gets sent back to Microsoft.

Back in July, security ratings company BitSight reported that about 805,665 systems were vulnerable to BlueKeep, based on its May 31 data. Using July 23 measurements, BitSight reported this month that about 788,214 systems still remained vulnerable. In other words, about 81 percent of the systems observed back on May 31 still aren't patched.

Telecommunications companies are by far the most exposed organizations to BlueKeep. Other vulnerable sectors include education, technology, government and utilities, according to BitSight.

Security researcher Kevin Beaumont noted in an Aug. 6 Twitter post that security solutions company NCC Group shared a BlueKeep exploit with its consultants. An exploit was publicly demonstrated at the 2019 Security Development Conference in China, he noted in a July Twitter post, and one exploit was even offered up for sale by a U.S. company, he noted.

In addition to patching BlueKeep, Microsoft recently described addressing a so-called "poisoned RDP" vulnerability (CVE-2019-0887) associated with Remote Desktop Services that it patched back in July.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.