Wormable BlueKeep Bug Still Threatens Legions of Windows Systems

bluekeep windows systems exposed

Two months after the alarm sounded warning of a WannaCry-level event, progress in patching exposed Windows systems varies by country and industry.

For the past two months, security researchers have been sounding the alarm about BlueKeep, a critical remote code-execution vulnerability in Microsoft Windows that researchers said could lead to a “mega-worm” global infection. As of July 2, approximately 805,665 systems remain online that are vulnerable to BlueKeep, according to a status update.

Source: BitSight

The number of susceptible systems represents a decrease of 17.18 percent (167,164 systems) compared to May 31, including 92,082 systems which remain externally exposed that have been patched. This translates to an average decrease of 5,224 exposed vulnerable exposed systems per day, between patching, taking them offline and replacing them.

The BlueKeep vulnerability (CVE-2019-0708) RCE flaw exists in Remote Desktop Services and impacts older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it’s wormable – and so it can self-propagate from machine to machine, setting up the scene for a WannaCry-level, fast-moving infection wave.

The concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.

BitSight’s analysis shows a mixed report card on how well organizations have closed that security hole, with a variable amount of progress made within each industry.

BitSight found that the most responsive industries in mitigating BlueKeep have been legal, nonprofit/NGO and aerospace/defense with a 32.9 percent, 27.1 percent and 24.1 percent respective reduction in the number of organizations affected.

Conversely, the consumer goods, utilities and (ironically) technology industries have been the least responsive, with only 5.3 percent, 9.5 percent and 11.7 percent of organizations respectively having taken an.

Interested in more on patch management? Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT.

In terms of geography, China and the United States still have the highest number exposed systems.

Yet, China showed the highest absolute improvement by reducing the number of exposed vulnerable systems by 109,670, which represents a 23.9 percent decrease. The United States followed suit by showing 26,787 fewer vulnerable systems exposed as of July 2, representing a 20.3 percent decrease.

Click to enlarge. Source: BitSight.

Other countries showing a notable reduction in exposed systems were Colombia (21.3 percent decrease), Latvia (20.7 percent decrease) and Guatemala (a 45.4 percent decrease).

On the flip side, South Korea actually showed an 14.5 percent increase in the time period of 3,430 vulnerable exposed systems, and Estonia with 146, a 32.2 percent increase.

Fausto Oliveira, principal security architect at Acceptto, told Threatpost that patching is easier said than done.

“Some companies have very rigid change-management intervals due to regulatory constraints, others have very rigid internal change-management procedures – and finally, because there are RDP servers (unfortunately) inside the organization that fall outside of the remit of corporate IT,” he said via email. “The fact that these are older machines are no longer supported by Microsoft could be a factor in the slow patching, especially in legacy systems that have poor documentation, and/or sometimes are outside of the supervision of corporate IT. There are some false misconceptions on the market, like if the OS is going end-of-life, let’s not spend money on it until we replace it, which sometimes could be years away.”

In June, a working exploit for the flaw showed how an unauthenticated attacker could achieve full run of a victim machine in about 22 seconds. Reverse engineer Zǝɹosum0x0 released a video showing an RCE exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials.

An earlier proof-of-concept (PoC) from McAfee showed a successful RCE exploit, but didn’t include the credential-harvesting – so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections.

“The exploit is quite significant given the number of affected systems, which gives an attacker the ability not only of hijacking these machines, but to use them to further penetrate other systems and services inside the organization,” Oliveira said. “The type of risks that organizations are facing are wide, just to name a few: once the exploit is in place the attacker can exflitrate data from the RDP server, obtain credentials, disrupt the operations of the organization or use the RDP server as a jumping point to access further resources inside the company.”

Interested in more on patch management? Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More

Suggested articles