Microsoft Windows Remote Desktop Protocol vulnerability: BlueKeep
CVE-2019-0708 is a critical vulnerability released as part of the May 2019 “Patch Tuesday” from Microsoft. This vulnerability is gaining enormous attention from the offensive security community, as it is exploitable pre-authentication (without user interaction or credentials), and allows for remote code execution (RCE) on the native Windows Remote Desktop Protocol, commonly known as RDP.
This combination of attributes indicates that the vulnerability is a prime candidate for future ransomware worms, similar to the WannaCry infections that took the world by storm in 2017. While a publicly available proof of concept (PoC) has not been identified through our research at the time of this posting, researchers are working to reverse-engineer the Microsoft patch and active exploitation is likely imminent.
Note: According to Microsoft, this vulnerability affects Windows-based operating systems through Windows 7 and Windows Server 2008 R2. Windows 8/10 and Windows Server 2012 and up are not affected. Due to the severity of this vulnerability, Microsoft has provided patches for Windows XP and Windows Server 2003 in addition to supported operating systems (Windows 7, Windows Server 2008 and 2008 R2).
All organizations should consider their exposure to this vulnerability, but we would like to highlight a few areas where the impact of this vulnerability is considered particularly high-risk:
Internet access—externally facing systems
If your organization has any affected systems that expose RDP to the internet, you will be targeted by this exploit. Threat actors are constantly scanning the internet for devices vulnerable to other similar exploits, such as MS17-010 (WannaCry). Once a PoC is publicly available, it is likely to spread rapidly across unpatched internet-exposed systems, just like the initial WannaCry outbreak. Unfortunately, attackers have also learned new tricks for lateral movement since the WannaCry outbreak.
If your organization reuses local administrator passwords, does not patch consistently, or does not have mature detection and mitigation capabilities for memory-dumping tools (e.g., Mimikatz), you may fall victim to a ransomware outbreak that extends far beyond systems vulnerable to CVE-2019-0708. For further information on this topic, we recommend reviewing publicly available reporting on the ransomware outbreak that is still affecting Norsk Hydro, a Norwegian aluminum and renewable energy company.
Internal network access—RDP enabled by default
Even if your organization does not have affected systems that expose RDP to the internet, this vulnerability can prove to be a potent mechanism for moving throughout your environment. RDP is enabled by default on Windows devices, so if your team has not actively disabled the service, you may have a number of exposed systems internally.
Process control networks—industrial control systems (ICS)/industrial internet of things (IIoT)/supervisory control and data acquisition (SCADA)
We commonly see process control personnel managing systems through remote desktop protocols. Sometimes we see alternatives to RDP, such as VNC Viewer or TeamViewer. Regardless, RDP is often enabled and accessible on process control network (PCN) devices from the internal organization network. Patching on PCNs is often sporadic or delayed, and unsupported Windows operating systems are pervasive in these environments. Segmentation between the greater internal network and PCNs is commonly inadequate. Attackers may infer these additional weaknesses and specifically target PCNs using this vulnerability.
Payment card industry compliance—targeting point-of-sale devices
Increasingly, attackers are targeting point-of-sale (PoS) systems over RDP to gain access to cardholder data or affect the cardholder data environment (CDE). Commonly, these techniques leverage default credentials on PoS systems to gain RDP access. Because this vulnerability does not require authentication, it will further enhance techniques that target RDP services on PoS devices. If your organization is governed by the Payment Card Industry Data Security Standards (PCI DSS) and uses vulnerable PoS devices, and those devices allow access to cardholder data or affect the CDE, your organization will be out of compliance with PCI standards and may face substantial fines and penalties from the PCI Council.
There are a number of steps your organization can take to mitigate this vulnerability. While best practice is to immediately patch all affected systems, we recognize this may not be feasible for all systems. The following recommendations can provide additional mitigation for CVE-2019-0708:
- Identify where RDP is being used. Windows enables RDP by default, so if you have not intentionally disabled RDP, it will be enabled on all Windows systems. You can also identify where RDP is actively being used by looking in your logs for Event IDs (EIDs) 21, 23, 24 and 25.
- Disable the RDP service on systems where RDP access is unnecessary. This solution completely mitigates the vulnerability where implemented.
- Restrict/block RDP access through network firewalls or host-based firewalls. This solution is particularly helpful for border firewalls and internet-exposed systems. While this solution does not directly mitigate the vulnerability, it should protect devices behind properly configured firewalls.
- Enable network-level authentication on Windows 7 and Server 2008/2008 R2 systems to require valid credentials before the vulnerability can be exploited. This mitigation was provided directly by Microsoft and independently confirmed as effective by Zerodium. Bear in mind, this mitigation only works if the attacker does not have valid credentials for the targeted system. Note: This mitigation is not applicable to Windows Server 2003 and Windows XP hosts as these operating systems do not support Network Level Authentication.
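The checks in the list above can be run per host with a short script. The following is an added example, not part of the original article: it reads the local RDP and NLA settings, checks the OS against the affected range given above, and counts the session events the article names. The registry value names and the event log name are the standard Windows ones and are not stated on the page; the 500-event limit and the output property names are illustrative.

```powershell
# Added example: local audit for the RDP mitigation steps listed above.
# Assumes Windows PowerShell 2.0 or later, run elevated on the host being checked.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$ts  = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
$rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue

# fDenyTSConnections = 0: the host accepts Remote Desktop connections.
$rdpEnabled  = ($ts -ne $null)  -and ($ts.fDenyTSConnections -eq 0)
# UserAuthentication = 1: Network Level Authentication is required.
$nlaRequired = ($rdp -ne $null) -and ($rdp.UserAuthentication -eq 1)
# Group Policy can override both values; this reads only the local settings.

# Per the article, Windows 7 / Server 2008 R2 (NT 6.1) and older are affected.
$osVersion  = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
$inRange    = $osVersion -lt [version]'6.2'
$nlaCapable = $osVersion -ge [version]'6.0'   # XP / Server 2003 (NT 5.x) lack NLA

# Session logon, logoff, disconnect and reconnect events named in the article.
$filter = @{
    LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id      = 21, 23, 24, 25
}
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue)
# Remote sessions carry a source address; console sessions report LOCAL.
$sources = @($events | ForEach-Object {
        ([xml]$_.ToXml()).Event.UserData.EventXML.Address
    } | Where-Object { $_ -and $_ -ne 'LOCAL' } | Sort-Object -Unique)

if (-not $inRange)            { $action = 'Outside the affected range per Microsoft' }
elseif (-not $rdpEnabled)     { $action = 'RDP disabled; still apply the patch' }
elseif ($sources.Count -eq 0) { $action = 'Patch; no remote sessions logged, review disabling RDP' }
elseif ($nlaCapable -and -not $nlaRequired) { $action = 'Patch; enable NLA; restrict RDP at the firewall' }
else                          { $action = 'Patch; restrict RDP at the firewall' }

New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    OSVersion     = $osVersion.ToString()
    InRange       = $inRange
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    RdpEvents     = $events.Count
    RemoteSources = ($sources -join ', ')
    Action        = $action
} | Format-List
```

An empty event list only shows that no sessions remain in the retained log, so confirm with system owners before disabling RDP on that basis.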
While organizations race to patch systems or otherwise mitigate this vulnerability, there is no substitute for a mature cybersecurity program. We work with clients to strengthen their cybersecurity programs in ways that inherently reduce their exposure to vulnerabilities like CVE-2019-0708. Some of these efforts include:
Critical infrastructure risk assessments
Often we encounter clients whose PCNs have not been standardized or matured to the same level as the internal organization network. Whether reviewing a spaghetti of networks cobbled together over time or simply trying to harmonize efforts across IT and OT, we perform critical infrastructure risk assessments based on NIST CSF and 800-30 frameworks that directly tie security vulnerabilities and misconfigurations to business risks. With this unique perspective, our consultants are then able to provide both tactical and strategic recommendations to align organization priorities with the tactical risks unique to PCNs. These assessments include a review of PCN architecture. A description of our network architecture review methodology follows.
Network architecture and segmentation reviews
As a part of network architecture reviews, we assess network and domain segmentation efforts that may reduce the success of cybersecurity incidents, including ransomware infections such as WannaCry. We review network diagrams, data flow diagrams and network device configurations, and conduct interviews with relevant personnel to determine what systems and services are accessible from various positions, both internal and external to the organization network. We then provide recommendations to establish or enhance security zones based on the criticality of in-scope systems for associated business processes.
Vulnerability management program
A vulnerability management program (VMP) proactively identifies unexpected changes and vulnerabilities within an environment, which will ensure that security testing is performed on a regular and continual basis. This is not a one-time assessment, but an ongoing, overall process. Implementing a VMP is a valuable step in improving a company’s overall security posture.
Asset management program
A good asset management process is the foundation of any security program. If companies do not understand their IT assets, their cybersecurity posture will most likely be focused on containing and responding to incidents without fully being able to monitor or protect their environment. An asset management program will allow companies to track, document, classify and secure resources in the environment.
UPDATE: While a number of invalid exploits have been published for CVE-2019-0708, the RSM threat team has identified credible claims of available exploits for this vulnerability. Based upon information identified by RSM threat analysts, we believe that widespread exploitation of this vulnerability may begin immediately. This increases the importance of patching this vulnerability and, specifically, of mitigating the vulnerability on internet-exposed systems.