NSA Urges Microsoft Administrators and Users to Patch Now for 'Wormable' Windows Exploit
he National Security Agency (NSA) issued a cybersecurity advisory on June 4, 2019, regarding the legacy Windows OS vulnerability identified in last month’s Patch Tuesday. Based on recent warnings by Microsoft, NSA is urging Microsoft Windows Administrators and users to ensure they are using a patched and updated system in the face of growing threats.
CVE-2019-0708, dubbed “BlueKeep,” is a critical fix for a malicious vulnerability for Remote Desktop Services that impacts legacy versions of consumer and enterprise Windows. It’s been two weeks since Microsoft issued this patch, and both Microsoft and the NSA report that potentially a million devices are still vulnerable to this newly discovered attack. Unpatched versions of Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008 R2 are at risk.
As we shared in a recent blog, Microsoft has warned that this flaw is potentially “wormable,” and requires no user intervention to activate, allowing a malicious file to spread rapidly from machine to machine - much like WannaCry. Citing the events leading up to the start of the WannaCry attacks, Microsoft warns that only two months passed between the release of the fixes for the EternalBlue vulnerability and when ransomware and other attacks began.
While there are no reports of this vulnerability being weaponized (yet), several security research labs have confirmed they have developed successful proof of concept exploits — these labs include Zerodium, McAfee, Kaspersky, Check Point, MalwareTech, and Valthek. Additionally, significant scanning activity was detected for the BlueKeep RDP flaw in the last several days.
While Microsoft claims there has been no sign of a worm yet, it is confident that new malware implementing the exploit is likely. The NSA cybersecurity advisory cites some precautionary measures to increase your resilience against the possible threat as you manage and update your legacy Windows devices:
- Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection.
- Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
- Disable Remote Desktop Services (RDS) if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat. View our worklet on how to do this in the Automox console.
What We Recommend
As with all potentially harmful vulnerabilities, the key to minimizing your exposure is to present a smaller, more difficult target to hit. We are urging all organizations to take inventory of their legacy Windows XP and Windows 7 devices and ensure the available patch is applied.
For additional information on how to manage these patch updates in the Automox console, check out our recent blog on how to manage legacy Windows OS updates. We also offer instruction on how to deploy an emergency patch to update Windows XP via a custom policy in Automox.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-based patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.