One Million Devices Open to Wormable Microsoft BlueKeep Flaw

Researchers have discovered one million devices that are vulnerable to a “wormable” Microsoft flaw, which could open the door to a WannaCry-like cyberattack.

One million devices are still vulnerable to BlueKeep, a critical Microsoft bug with “wormable” capabilities, almost two weeks after a patch was released.

The flaw (CVE-2019-0708) was fixed during Microsoft’s May Patch Tuesday Security Bulletin earlier this month. System administrators were urged to immediately deploy fixes, as the flaw could pave the way for a similar rapidly propagating attack on the scale of WannaCry.

Despite that, researchers on Tuesday warned that one million devices linked to the public internet are still vulnerable to the bug. Making matters worse, a spike in scans for vulnerable systems was spotted over the weekend – potentially indicating that bad actors are looking to sniff out vulnerable devices.

“That means when the worm hits, it’ll likely compromise those million devices,” said Robert Graham, researcher with Errata Security, in a Tuesday analysis. “This will likely lead to an event as damaging as WannaCry and NotPetya from 2017 – potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.”

The critical remote code-execution flaw exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008. (Microsoft deployed patches for Windows XP and Windows 2003 during Patch Tuesday, even though neither is still supported via monthly Patch Tuesday updates.)

“BlueKeep” has worried the infosec community because researchers describe it as a “wormable” flaw, similar to the EternalBlue exploit that was used in rapidly moving malware attacks in 2017 like WannaCry and NotPetya.

“This [bug] would have the potential of a global WannaCry-level event,” said Chris Goettl, director of product management for security at Ivanti, during Patch Tuesday. “What’s more, Microsoft has released updates for Windows XP and Server 2003 (which you wouldn’t have found unless you were looking at the Windows Update Catalog). So, this affects Windows 7, Server 2008 R2, XP and Server 2003.”

While Microsoft urged administrators to update impacted Windows systems as soon as possible, researchers said as recently as Tuesday that one million devices remain vulnerable to BlueKeep.

Errata Security’s Graham conducted a scan using his Masscan Internet-scale port scanner (which searches for open ports) to look for the port (3389) used by Remote Desktop. This pinpointed all systems with the port open. To discover whether or not they were vulnerable, Graham then used a Remote Desktop Protocol scanning project developed by the Shadowserver Foundation. He found that almost one million devices both reliably talk to the Remote Desktop protocol and are vulnerable to BlueKeep.

“The upshot is that these tests confirm that roughly 950,000 machines are on the public Internet that are vulnerable to this bug,” said Graham. “Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.”

In the meantime, vendors are coming out with their own advisories for vulnerable devices.

Impacted devices include several Siemens devices used in the medical space, including radiation oncology products, laboratory diagnostics products, radiography and mobile X-ray products, and point-of-care diagnostics products.

“Some of these Siemens Healthineers products are affected by this vulnerability,” said Siemens in an advisory. “Depending on the target system and intent of the attacker, a successful exploit could result in data corruption and potential harm for patients and/or the environment.”

Siemens medical products, under its “Healthineers” line, were also hit by the WannaCry ransomware in 2017. Siemens said it has scheduled some patches for these products in June, but for the most part suggested that end users disable Remote Desktop Protocol.

Threat actors are also actively sniffing out vulnerable devices. Researchers with GreyNoise over the weekend said that they are “observing sweeping tests for systems vulnerable to the RDP ‘BlueKeep’ (CVE-2019-0708) vulnerability from several dozen hosts around the Internet.”

The activity is likely being executed by a single actor, they said.

“The reason we think it’s one actor is because all connections that we’re seeing are originating from Tor, and all of them are using the same scanner code, which we’ve developed a fingerprint for,” Andrew Morris, with GreyNoise, told Threatpost. “We don’t necessarily know that the actor is malicious. This is simply based on the fact that they are coming out of Tor nodes exclusively and not coming from a known-legitimate mass scanner service like Shodan.”
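The kind of sweep GreyNoise describes can also be looked for in your own perimeter logs. The following is an added example, not GreyNoise's fingerprint or code from the article: it flags any source that touches many distinct hosts on TCP/3389 within a short window and notes whether that source is on a Tor exit list you supply. The log format, the thresholds and all addresses are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: timestamp,src_ip,dst_ip,dst_port,action.
# Addresses are documentation ranges, not real observations.
SAMPLE_LOG = """\
2019-05-25T10:00:01,198.51.100.7,203.0.113.10,3389,deny
2019-05-25T10:00:02,198.51.100.7,203.0.113.11,3389,deny
2019-05-25T10:00:03,198.51.100.7,203.0.113.12,3389,allow
2019-05-25T10:00:04,198.51.100.7,203.0.113.13,3389,deny
2019-05-25T10:00:09,198.51.100.7,203.0.113.10,443,deny
2019-05-25T10:01:00,198.51.100.9,203.0.113.12,3389,allow
2019-05-25T08:00:00,192.0.2.44,203.0.113.10,3389,deny
2019-05-25T08:30:00,192.0.2.44,203.0.113.11,3389,deny
2019-05-25T09:00:00,192.0.2.44,203.0.113.12,3389,allow
2019-05-25T09:30:00,192.0.2.44,203.0.113.13,3389,deny
"""

def find_rdp_sweeps(log_text, tor_exits=frozenset(),
                    window=timedelta(minutes=10), min_targets=4):
    """Flag sources that touch >= min_targets distinct hosts on TCP/3389
    inside one sliding window (window and min_targets are assumed defaults)."""
    events = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or int(row[3]) != 3389:
            continue  # skip malformed rows and non-RDP traffic
        ts, src, dst, _port, action = row
        events[src].append((datetime.fromisoformat(ts), dst, action))
    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        start = best = 0
        for end in range(len(hits)):
            # advance the left edge until the span fits inside `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({h[1] for h in hits[start:end + 1]}))
        if best >= min_targets:
            sweeps[src] = {
                "targets": best,
                "tor": src in tor_exits,  # caller-supplied exit-node list
                # hosts that accepted the connection are reachable on 3389
                "exposed": sorted({h[1] for h in hits if h[2] == "allow"}),
            }
    return sweeps
```

Hosts listed under `exposed` accepted the connection, so they are the ones to patch or take off the internet first. A slow scanner such as the constructed `192.0.2.44` only shows up when the window is widened.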

Researchers for their part said that there are several steps that end users can take to protect themselves, but the very first is “to apply Microsoft’s patches, including old Windows XP, Windows Vista, and Windows 7 desktops and servers,” said Graham.
