The Next ‘WannaCry’ Is Here (But so, too, Is a Patch)

Worm attack

If you don’t want me to infect your Windows OS, install the patch from Microsoft. It really is that easy. I am hungry, though, so maybe you shouldn’t…

Since mid-May, Microsoft has been warning Windows admins of a potentially catastrophic vulnerability: Now known as BlueKeep, this “critical” vulnerability exists within the Remote Desktop Protocol used by older Windows operating systems, including 2000, Vista, XP, 7, Server 2003 (including R2), and Server 2008 (including R2).

As the company explained in a security update guide last month:

The vulnerability occurs “when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Unfortunately, however, this is nowhere near as bad as it gets. Because BlueKeep is “considered wormable,” reports the US Dept. of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), “malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.”

For those of you who need a refresher, WannaCry was a ransomware worm that exploited the EternalBlue vulnerability affecting (again) older Windows operating systems. In the late spring of 2017, more than 300,000 unpatched computers were infected, resulting in the encryption of each system’s data until a bitcoin ransom could be paid to release it.

Indeed, Microsoft is taking this risk so seriously that it has issued patches for operating systems that have long since had their official support discontinued (e.g. Vista, XP, Server 2003), a move it has not made since WannaCry.

But according to research published just days ago from cybersecurity firm BitSight, affected users have not been getting the message to patch their systems as soon as possible — or, in the case of an End of Life OS, to upgrade to a newer supported system like Windows 10.

Even though patches have been available for nearly a month, BitSight estimates that there are still nearly one million vulnerable systems. And due to the wormability, you can add a whole lot more to this list. As Luis Grangeia, BitSight senior security researcher, explained:

We’re really talking about “one million potential beachheads into internal networks when attempting to quantify the total systems at risk. Even if there is no other system running Remote Desktop Protocol behind the firewall, after a machine from an Active Directory Domain is compromised, it is usually easy to move laterally and infect other machines in the same domain without leveraging any exploits.”

With several confirmed proof of concept exploits on the books, “it is now a race against the clock by cyber-criminals,” said Yaniv Balmas, the global head of cyber-research at Check Point, “which makes this vulnerability a ticking cyber-bomb.”

Further reading

The First WannaCry Was Just the Beginning. What’s Next?

A Few Lessons From WannaCry

This UrIoTNews article is syndicated from DZone