The Second Coming of WannaCry?

Jack Niednagel and Michael Salihoglu | 8/29/2019
Pay now or pay later

In mid-May 2019, Microsoft issued an urgent warning to immediately patch the Microsoft Windows™ Remote Desktop Services platform, often referred to by its protocol name, Remote Desktop Protocol (RDS/RDP). The warning concerns a critical vulnerability, CVE-2019-0708, also known as BlueKeep. A follow-up statement asserts:

Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.

As of August 2019, more than 70,000 hosts remain vulnerable to BlueKeep in the United States alone, according to Shodan. That number is astonishing, even when compared to the nearly 2,500 U.S. hosts that are still vulnerable to WannaCry (also known as EternalBlue) malware. Worldwide, the number of vulnerable hosts is unimaginable – nearly one million machines. It appears we are slow to learn from the mistakes of the past, and if we do not address this vulnerability with urgency, we will have another ransomware epidemic on our hands.

Why is BlueKeep so dangerous?

The BlueKeep vulnerability allows anyone who can reach a machine over RDS/RDP to execute arbitrary code on it as the system user without any authentication. The system user’s privilege is equal to that of the administrator, so any machine reachable over an unpatched version of RDP can be totally compromised with little effort on the attacker’s part.

As the aftershocks of WannaCry ransomware remind us, the greatest risk that BlueKeep poses is a WannaCry-like malware worm. It opens up the possibility for automated propagation of malware because it enables privileged remote code execution without the need for access credentials. The potential impact of BlueKeep extends beyond the more than one million unpatched machines with RDP currently exposed to the internet. When the number of machines that use RDP to communicate internally within a local network is considered, the attack surface increases dramatically. Even if RDP is not exposed to the internet, an internal computer that has been infected with a BlueKeep malware worm via email or on a home network could infect other machines locally if left unpatched – leaving the network in the hands of the sadistic future architects of such a worm.

Who is vulnerable?

Any organization with machines running Windows 7 (or Server 2008 R2) or older, with an unpatched version of RDP exposed to the internet or to local resources, is vulnerable to BlueKeep. Additionally, reports are emerging of similar malware, dubbed “DejaBlue,” affecting more recent systems up to Windows 10, which means all Windows systems could be exposed. Machines accessible from the internet are especially susceptible, as they are essentially waiting for a bored or malicious attacker to identify and exploit them.

A deeper exploration

RDP sets up virtual channels before authentication as part of establishing the connection between client and endpoint. These channels are either static virtual channels (SVCs), which are bound to 31 separate data pipes, or dynamic virtual channels (DVCs). The patch Microsoft released to remove BlueKeep fixes a bug involving the SVC named “MS_T120.” If this SVC is bound to a channel other than 31, heap memory corruption occurs in termdd.sys, enabling remote code execution.
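To make the pre-authentication channel negotiation concrete from a defender's side, the following Python example (added here, not part of the original article) parses the static virtual channel list a client sends in its connect request, using the TS_UD_HEADER and CS_NET block layout documented in MS-RDPBCGR, and flags any request that itself names MS_T120, a channel a legitimate client never asks for. The two client requests at the bottom are constructed samples.

```python
import struct

# TS_UD_HEADER block types from MS-RDPBCGR section 2.2.1.3 (client-to-server user data)
CS_CORE = 0xC001
CS_NET = 0xC003
CHANNEL_OPTION_INITIALIZED = 0x80000000
INTERNAL_CHANNEL = "MS_T120"  # server-internal channel; clients have no reason to request it

def parse_client_data_blocks(data: bytes):
    """Split the client user-data area into (type, body) blocks. Each block starts
    with a TS_UD_HEADER: type (u16 LE) and total block length (u16 LE)."""
    blocks, offset = [], 0
    while offset + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, offset)
        if blen < 4 or offset + blen > len(data):
            raise ValueError(f"malformed TS_UD_HEADER at offset {offset}")
        blocks.append((btype, data[offset + 4:offset + blen]))
        offset += blen
    return blocks

def channel_names_from_cs_net(body: bytes):
    """Decode the CHANNEL_DEF array of a CS_NET body: channelCount (u32 LE), then
    12-byte entries holding an 8-byte NUL-padded ASCII name and a u32 options field."""
    (count,) = struct.unpack_from("<I", body, 0)
    if 4 + 12 * count > len(body):  # never trust the count blindly
        raise ValueError("channelCount exceeds CS_NET body length")
    names = []
    for i in range(count):
        raw = body[4 + 12 * i:12 + 12 * i]
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", errors="replace"))
    return names

def requested_channels(client_data: bytes):
    """Return every static virtual channel name the client asked the server to bind."""
    names = []
    for btype, body in parse_client_data_blocks(client_data):
        if btype == CS_NET:
            names.extend(channel_names_from_cs_net(body))
    return names

def is_bluekeep_probe(client_data: bytes) -> bool:
    """Flag a connect request that names MS_T120; patched servers ignore the request,
    unpatched ones are the ones at risk, so either way it deserves an alert."""
    return INTERNAL_CHANNEL in requested_channels(client_data)

def build_client_data(channel_names):
    """Constructed sample: a stub CS_CORE block followed by a CS_NET block."""
    core = struct.pack("<HHI", CS_CORE, 8, 0x00080004)  # stub body, version field only
    defs = b"".join(struct.pack("<8sI", n.encode("ascii"), CHANNEL_OPTION_INITIALIZED)
                    for n in channel_names)
    net = struct.pack("<HHI", CS_NET, 8 + len(defs), len(channel_names)) + defs
    return core + net

BENIGN_CLIENT_DATA = build_client_data(["rdpdr", "rdpsnd", "cliprdr"])      # constructed
SUSPICIOUS_CLIENT_DATA = build_client_data(["rdpdr", "MS_T120", "cliprdr"]) # constructed
```

The same presence check is what network IDS signatures for this vulnerability key on, so this logic can be applied to captured connect requests to spot attempts regardless of whether the target was patched.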

In the wild

Currently, several independent security researchers have posted proofs of concept that demonstrate the BlueKeep vulnerability. Clearly, heavy resources are not required to reverse engineer, weaponize, and generate malware that uses this exploit. By now, criminal hackers likely have access to malware that uses BlueKeep. The security researcher Sean Dillon (also known as “zerosum0x0”) developed a Metasploit module for this vulnerability. However, in terms of publicly available exploits, for now only a branch that causes a denial-of-service condition via a blue screen has been released.

How to protect against an attack

  • First and most critically, update Windows machines to the latest version immediately. Patches for this vulnerability exist for versions of Windows as early as Windows XP and Server 2003. Updates are available via Windows Update or the Microsoft Update Catalog.

  • Make an effort to avoid directly exposing any remote access protocol, including RDP, to the internet. Best practice recommends using a virtual private network (VPN) for remote access and then, from the VPN segment, connecting via RDP to remote resources as necessary.

  • Review network and host-based firewall solutions to verify that the principle of least privilege is being used. Only resources with a legitimate purpose to connect over RDP should be able to send RDP traffic.

  • Maintain offline (or air-gapped) backups of known good configurations and of business-critical data to aid in incident response in the event of a ransomware worm.

  • Include BlueKeep in the scope of vulnerability assessment procedures and intrusion detection and security event identification processes to respond preemptively to this threat and potential exploit attempts.

  • Enable network level authentication (NLA), which partially mitigates the risk of this vulnerability because it requires an attacker to hold valid network credentials before RDP can be used to perform the attack. Vulnerabilities for bypassing NLA currently exist, so this partially mitigating control is certainly not a catchall.

Several tools are available to check for the presence of BlueKeep, including a Metasploit scanning module. Additional assorted scripts can be found on GitHub. However, anyone should proceed with extreme caution when executing foreign code and should do so only after a thorough code review.

With these steps in mind, administrators can make the proper preparations in anticipation of the next global ransomware worm event. Hopefully, those bearing the scars of WannaCry will not need to be told twice. In this case, there will be no smugness or pleasure in saying, “I told you so.”

Microsoft, Microsoft Dynamics, and Microsoft Dynamics 365 are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.