Nearly One Million Still Vulnerable to "Wormable" BlueKeep RDP Flaw (May 28, 2019)
Two weeks after Microsoft released a security patch for a wormable, remote code execution vulnerability, registered as “CVE-2019-0708,” nearly one million systems are still unpatched. The vulnerability, named “BlueKeep”, could allow for a remote attacker to gain access to a target computer by sending requests to the Remote Desktop Service via the Remote Desktop Protocol, with the potential for an attack similar to the global ransomware campaigns, WannaCry and NotPetya. During Microsoft’s May 2019 Patch Tuesday, a patch was released to address the vulnerability, however a scan performed by Robert Graham revealed almost one million systems have not deployed the patch.
Recommendation: It is critical the latest security patches be applied as soon as possible to all machines running Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions. In addition, RDP services should be disabled if not required, block port 3389 with a firewall or limit access to a private VPN only. Enabling Network Level Authentication is a partial mitigation in preventing an attacker from exploiting the flaw.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.