What is Bluekeep, and why is it dangerous?
For the past few weeks, security professionals have been getting louder and louder about the latest security threat facing Windows users. A recently patched Windows vulnerability called Bluekeep (CVE-2019-0708) has the potential to trigger attacks not seen since the WannaCry worm, an outbreak thought to have cost roughly $4 billion worldwide.
More people are taking this seriously now, since a researcher at security firm RiskSense released a video demonstration as evidence that the warnings are the real deal. The step-by-step video not only shows that the threat is real but also how damaging it could be: the researcher quickly gained access to machines with full system privileges and obtained cryptographic hashes of passwords belonging to other computers on the same network.
Bluekeep can be exploited to compromise unpatched Windows computers over Remote Desktop Services. Systems from Windows Server 2008 R2 and earlier are particularly vulnerable and make up almost 1 million computers worldwide according to recent reports – worrying security experts worldwide:
“Last Friday, members of the Microsoft Security Response Team practically begged organizations that hadn’t patched vulnerable machines to do so without delay, lest another WannaCry scenario play out. ‘It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,’ MSRC members wrote. In a rare move, officials with the National Security Agency on Tuesday echoed Microsoft’s warning.” – Arstechnica.com, “Warnings of world-wide worm attacks are the real deal, new exploit shows”
So why aren’t organisations protecting themselves?
In the case of WannaCry, systems were left unprotected for months after patches were released, even after significant news coverage and threat warnings were issued – and we don’t think organisations’ responses to this threat will be any different from last time.
There are many reasons why organisations may leave their vulnerable computers and systems unpatched. In many cases, older versions of Windows continue to be used for tasks that are required around the clock or in mission-critical environments where downtime is either expensive or impossible (like in manufacturing or medical environments).
How can you protect against Bluekeep?
You are at risk if you are running unpatched versions of Windows Server 2003 or Windows XP. Bluekeep also affects Windows 7, Windows Server 2008 R2 and Windows Server 2008 – but later versions of Windows are unaffected, as the vulnerability does not exist in those systems.
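As an added example (not from the original post and not Support Revolution’s own tooling), the following PowerShell check lets a defender see where a single host stands against the list above: whether its Windows version is in the affected set, whether Remote Desktop is enabled, whether Network Level Authentication is required (Microsoft listed NLA as a partial mitigation for CVE-2019-0708), and whether a given update is installed. The function name is this example’s own, and `KB_PLACEHOLDER` stands in for the real update id, which must be taken from Microsoft’s advisory for your OS.

```powershell
# Added example: quick Bluekeep (CVE-2019-0708) exposure check for one host.
# Assumptions: runs as an administrator on the host being checked; the caller
# supplies the patch KB id from Microsoft's advisory ('KB_PLACEHOLDER' is not a
# real id). Only PowerShell 2.0 cmdlets are used so it runs on the older
# systems the post lists (Get-WmiObject rather than Get-CimInstance).
function Test-BlueKeepExposure {
    param([string]$PatchKB = 'KB_PLACEHOLDER')

    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version          # e.g. 6.1.7601 for Windows 7 / Server 2008 R2
    # Affected set from the post: XP (5.1), Server 2003 (5.2), Server 2008 (6.0),
    # Windows 7 / Server 2008 R2 (6.1). Anything from 6.2 (Windows 8 / 2012) up
    # does not contain the flaw, so compare against 6.2 rather than 6.1 to avoid
    # the build number making 6.1.7601 sort above a bare 6.1.
    $affectedOs = ($ver -lt [version]'6.2')

    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
    $rdpEnabled = ((Get-ItemProperty $ts).fDenyTSConnections -ne 1)
    # UserAuthentication = 1 means NLA is required, so a client must authenticate
    # before reaching the pre-authentication RDP code path.
    $nla = ((Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1)

    $patched = $false
    if ($PatchKB -ne 'KB_PLACEHOLDER') {
        $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    }

    $risk = if (-not $affectedOs -or $patched) { 'Not vulnerable' }
            elseif (-not $rdpEnabled)          { 'Vulnerable code present, RDP disabled' }
            elseif ($nla)                      { 'Exposed, NLA mitigates; patch urgently' }
            else                               { 'EXPOSED: patch or block RDP now' }

    New-Object PSObject -Property @{
        Host = $os.CSName; OSVersion = $os.Version; AffectedOS = $affectedOs;
        RDPEnabled = $rdpEnabled; NLARequired = $nla; Patched = $patched; Risk = $risk
    }
}

Test-BlueKeepExposure | Format-List
```

Run it with `-PatchKB` set to the update id for the host’s OS to get a meaningful `Patched` value; without it the check reports only OS membership and RDP configuration.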
But what if you can’t patch your systems, for the reasons we’ve mentioned? Or can’t patch them as fast as you’d like?
How Support Revolution customers are already protected
Customers who are signed up to our security service are already protected by Trend Deep Security, a security solution that acts as a fence around your systems to defend against these types of weaknesses.
Deep Security is made up of a security management component and a small-footprint agent that sits on each server (or in your cloud environment). The manager holds a database of vulnerability signatures, which it distributes to each agent. The agent monitors traffic at the network level, scans it for known vulnerability signatures, and either reports the incident or blocks the traffic.
As Deep Security is a rule-based system, new rules are published regularly and downloaded to a console with a “threat level”, and the customer then chooses which updates to apply and when. Deploying new rules has minimal impact on production systems, which means the time between a vulnerability being identified and the systems being protected is reduced from months to hours.
Trend Deep Security has already released a rule update (1009749, released on May 16, 2019) that enables detection and protection against attackers attempting to use this exploit, and it has already been deployed onto the systems we manage.
This means that all of our customers are already protected against this exploit and don’t need to spend time patching their systems manually (note that we still recommend that our customers apply the patch directly to their systems, but with Trend Deep Security they are not at risk while they wait to do so).
Learn more about how we protect our customers
As we’ve mentioned, our customers are already protected against this vulnerability because of our modern patching and security methods. You can learn more about how we protect our customers by reading our white paper on the subject: