In May this year my colleague Karl wrote a blog highlighting a new risk to customers still running legacy operating systems when a vulnerability CVE-2019-0708 aka ‘BlueKeep’ was disclosed by Microsoft.
Like many organisations, we have been tracking BlueKeep with interest. There are reports this month (November 2019) that the vulnerability is now being weaponised by adversaries, who are using their access to compromised systems to install cryptocurrency mining malware.
At this time there is no evidence that the exploitation is the work of a new worm; it is more likely part of a mass exploitation campaign of the kind seen in previous instances.
BlueKeep was first disclosed to Microsoft by the UK National Cyber Security Centre (NCSC), a responsible action by all accounts.
Microsoft then announced that it would provide a patch for this flaw on unsupported operating systems as well. The last time it had taken this responsible step was in 2017 for CVE-2017-0144, aka ‘EternalBlue’. The origin of EternalBlue is somewhat subjective: it was designed as a cyber attack exploit by the U.S. National Security Agency (NSA), but it was leaked by the Shadow Brokers hacker group and re-purposed to create the outbreak we all know as WannaCry.
Following this latest discovery, the security industry expected another mass outbreak like the one seen in May 2017 with EternalBlue. This time, however, the flaw was much more complex to deliver and required certain pre-requisites to be met before it could be successfully exploited. Nevertheless, internet scans at the time indicated that around 920,000 externally facing devices were vulnerable.
In 2001, human life expectancy in England was 75.9 years; by 2014 this had increased to 79.46. During those 13 years Windows XP was released and then retired. Just as people live beyond these averages, legacy software lives beyond its support dates. Industry faces another milestone in January 2020 with the retirement of Windows 7 and Server 2008 R2. The legacy gap has just got wider.
Mind The Gap
End of life doesn’t have to mean complete end of support, as we discussed in a previous blog earlier this year. But industry needs to be mindful of the additional steps needed to protect legacy systems until it is ready to undertake a programme of change: change that may be driven by the adoption of more efficient ways of working or by additional features, over and above these obsolescence and security risks.
In August there was another set of disclosures: CVE-2019-1181 and CVE-2019-1182, aka ‘DeJaBlue’. This time the vulnerabilities, from the same family as BlueKeep, affected not only legacy systems but all versions of Windows desktop and server. Modern operating systems are now at risk unless steps are taken to remediate it.
These new vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of a continual focus on strengthening the security of their products. Microsoft says "At this time, we have no evidence that these vulnerabilities were known to any third party."
The number of publicly facing vulnerable systems has fallen, to around 730,000 in September. According to BitSight's analysis of the IP addresses of those vulnerable computers, individual PCs connected to the internet via consumer ISPs remain the most exposed, with more than 30% unpatched, while other sectors such as education, government, utilities and tech firms make up close to 5% of exposed machines.
Industry and consumers are taking corrective action to remediate the risks of BlueKeep and DeJaBlue, but a large number of devices remain at risk. The evidence shows a small decrease on public networks, yet there are no metrics for the number of vulnerable devices on internal networks. If external devices are unpatched, it is probable that the same is true of internal systems.
What we suggest:
- The best approach is to patch
- In situations where security updates cannot be applied, organisations should leverage Network Level Authentication (NLA) functionality available within Microsoft Windows and limit exposure by restricting access to RDP servers from the internet
- Where network monitoring or protection is deployed, there are SNORT rules created by Cisco Talos that can be deployed: SID 50137 for BlueKeep and SID 51369 for DeJaBlue
- Customers who have Claroty CTD can manually import these rules for detection
- Those who have Cisco Firepower or similar edge devices can remediate this vulnerability without making fundamental changes to HMI and server configurations.
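As an added illustration of the second recommendation above (this is example code written for this article, not a script from Solutions PT, Microsoft or Cisco), the following PowerShell audits a single Windows host for the two host-side mitigations: whether Remote Desktop requires Network Level Authentication, and which inbound firewall rules admit RDP on TCP 3389 and from which source addresses. With `-Enforce` it turns NLA on and scopes the RDP rules to the management ranges you supply. The `NetSecurity` cmdlets (`Get-NetFirewallRule` and friends) exist on Windows 8 / Server 2012 and later; on Windows 7 and Server 2008 R2 the NLA registry check still works, but the firewall part has to be done with `netsh advfirewall` instead. The `$AllowedRdpSources` default is a placeholder and must be replaced with your own ranges.

```powershell
# Added example, not part of the original post: audit (and optionally enforce)
# NLA for RDP and source-restricted RDP firewall rules on one Windows host.
# Run from an elevated PowerShell session.
param(
    [switch]$Enforce,
    # Placeholder management ranges: replace with the subnets that legitimately need RDP.
    [string[]]$AllowedRdpSources = @('10.0.0.0/8', '192.168.0.0/16')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is switched off.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
Write-Host ("Remote Desktop enabled : {0}" -f $rdpEnabled)

# 2. Is NLA required? UserAuthentication = 1 forces the client to authenticate (CredSSP)
#    before a session is created, so unauthenticated clients never reach the session
#    setup code that BlueKeep abuses.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
Write-Host ("NLA required           : {0}" -f $nlaRequired)

# 3. Which enabled inbound firewall rules accept RDP (TCP 3389), and from where?
#    A RemoteAddress of 'Any' means the rule does nothing to limit exposure.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Host ("Firewall rule '{0}' allows RDP from: {1}" -f $rule.DisplayName, $remote)
}

if ($Enforce) {
    if ($rdpEnabled -and -not $nlaRequired) {
        # Require NLA for new connections; existing sessions are not affected.
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Write-Host "NLA is now required for RDP."
    }
    foreach ($rule in $rdpRules) {
        # Replace the rule's remote scope (typically 'Any') with the allowed ranges.
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedRdpSources
        Write-Host ("Firewall rule '{0}' now limited to {1}" -f $rule.DisplayName, ($AllowedRdpSources -join ','))
    }
}
```

Run it without switches first to see the current state; only run with `-Enforce` once the allowed ranges have been confirmed, because scoping the rules too tightly will lock out legitimate administrators. Neither setting is a substitute for the patch: NLA stops unauthenticated exploitation, and the firewall scope limits who can try, but a patched host is the only one that is not vulnerable.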
At Solutions PT we take a balanced approach to the management of assets throughout their lifecycle and can assist you in bridging the gap between end of support and end of life.
We monitor and track the ever-evolving cybersecurity threat landscape and align to frameworks such as the NIS Directive and OG86. Engaging with both private and government cyber security resources, we keep abreast of threats and have influenced current thinking and best practice guidance across the OT sector.
If you need help with protecting your operations against cyber attacks, get in touch and see how we can help you.