Security Advisory Updated May 22, 2019

BLUEKEEP VULNERABILITY DETECT AND RESPOND WITH SKYBOX SECURITY

On May 14, Microsoft publicly disclosed details of a recently discovered remote code execution vulnerability (CVE-2019-0708) dubbed "BlueKeep" in the Windows Remote Desktop Service. Vulnerable assets that are directly accessible from the internet are likely exposed to direct attack.

BlueKeep Details

BlueKeep can affect Windows Server 2008, R2, Windows XP and other older Windows platforms; newer Windows versions are not affected. Patches for specific, commonly used variants of affected platforms can be sourced directly from Microsoft.

BlueKeep is a critical remote code execution vulnerability. Owing to the potential impact of BlueKeep, Microsoft has released security updates for multiple platforms — including some no longer in mainstream support — to prevent this "wormable" vulnerability from being leveraged in a WannaCry-style attack.

Many of these older Microsoft platforms are still in service, particularly within operational technology (OT) environments; critical infrastructure entities and manufacturers should particularly heed warnings about this vulnerability's criticality.

BlueKeep is pre-authentication and does not require any user action to trigger. This makes BlueKeep "wormable" in that it opens the possibility of fast propagation from vulnerable platform to vulnerable platform, which is a major factor in the vulnerability's critical status. The BlueKeep vulnerability is found in the implementation of the Remote Desktop Protocol (RDP) in affected systems. An attacker connecting to a vulnerable system using RDP (typically TCP/UDP 3389) can issue specially crafted requests to trigger the vulnerability.

Total visibility. Focused Protection.™ BlueKeep | Security Advisory

Has BlueKeep Been Exploited?

Beginning on May 17, 2019, multiple proof-of-concept (POC) exploits have been published, though neither distributed nor targeted attacks leveraging BlueKeep have been reported — yet.

With the POCs available, commercially viable exploits can't be far behind. That being the case, widespread attacks are both likely and imminent.

WannaCry Flashbacks

Due to its similarity to the vulnerabilities used in the WannaCry attack, organizations should appropriately prioritize the remediation of BlueKeep, particularly for any platforms that are directly accessible to traffic from the internet.

The wormable potential of the vulnerability is likely what spurred Microsoft to release patches for their out-of-support platforms. The last time Microsoft did this was to address the server message block (SMB) vulnerabilities used for WannaCry.

The WannaCry global ransomware outbreak happened just two years ago on May 12, 2017. For organizations who didn't learn their lesson the first time, BlueKeep may soon give them a not-so-gentle reminder of the need for good cyber hygiene.

POC TO EXPLOITED IN THE WILD

It's important to remember that POC exploits can very quickly turn into exploits in the wild. Due to the potential havoc BlueKeep could wreak, the race is on for cybercriminals to put an exploit in play.

Currently, Skybox notes BlueKeep as "exploit available." The analyst-backed Skybox® Vulnerability Dictionary will be updated if an exploit is observed in the wild to escalate the vulnerability's threat level and put its remediation at a higher priority. But Skybox strongly urges all affected users not to wait to remediate BlueKeep, especially where vulnerable assets are exposed to the internet. When and if an exploit occurs in the wild, it will spread rapidly, as seen with WannaCry.

DON'T ASSUME POLICIES ARE REALITY

Traveling back in time to May 2017, if organizations were assessing their security posture solely by what was designed in policy, they would have believed themselves immune to the WannaCry attack. Some organizations that got hit with the ransomware believed that Windows networking services (ports 445/139) in their data centers weren't accessible from the internet, as their policies had stated. But for many, the painful realization that network devices were out of compliance occurred only after the outbreak had taken hold of their environments.

Continuously checking for policy compliance and automating the process to remediate violations is both a best practice and a cornerstone of the Skybox® Security Suite.


How Skybox Can Help

Passive Vulnerability Assessment

Skybox can help by identifying platforms that have the BlueKeep vulnerability through their Microsoft System Center Configuration Manager (SCCM) patch management system (or an equivalent patch management system), even without a recent vulnerability scan.

Exposure Analysis of Vulnerability Scan Results

For BlueKeep occurrences discovered by third-party scanners, Skybox can bring valuable network context to prioritize the remediation of exposed vulnerabilities.

Our attack simulations analyze network paths to highlight vulnerable assets exposed to potential threat origins, including the internet. The exposure factor is considered alongside the relative importance of the vulnerable asset (or the system to which it belongs) to make remediation priorities straightforward and focused on fast risk reduction.

While remediation of vulnerable assets directly exposed to threat origins receives the highest priority, Skybox also calculates the potential for compromise through lateral network movement, as in multi-stage attacks. Indirect exposures are also reflected in remediation priorities.

Reachability of Vulnerable Assets

To determine the exposure of assets, the Access Analyzer feature of Skybox® Network Assurance can test to see if RDP ports are accessible from the internet. Skybox's analytic logic considers mitigating security controls such as firewalling and intrusion prevention systems (IPS) to determine which assets are exposed and which are shielded from potential attack.

This capability is important to counteract assumptions of perfectly implemented policy, as was the case with SMB ports during WannaCry, as mentioned previously. By automating access analysis, customers can check that the aggregate access of the network is in compliance, or spot violations and efficiently manage their remediation.

Patch Availability and Network Mitigation Options

Customers should apply the relevant Microsoft patches immediately; if patches can't be implemented straight away, Skybox will also suggest possible mitigation strategies, often unique to each environment, to protect vulnerable assets with other available technologies or methods.
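The reasoning described above (a passive inventory check for affected platforms, a reachability test of TCP/3389 from the internet against the actual firewall rule base rather than the written policy, and ranking by exposure and asset importance) is illustrated by the following added example. It is not Skybox code or Microsoft data: the platform list is taken from the advisory, the update id is a placeholder, and the hosts and rules are constructed.

```python
from dataclasses import dataclass, field
import ipaddress

# Platforms the advisory names as affected; a real list must come from vendor data.
AFFECTED_PLATFORMS = {"Windows XP", "Windows Server 2008", "Windows Server 2008 R2"}
FIX_ID = "KB-BLUEKEEP-PLACEHOLDER"  # placeholder, not the real Microsoft update id
RDP_PORT = 3389
INTERNET_SRC = ipaddress.ip_address("203.0.113.10")  # representative external source

@dataclass
class Host:
    name: str
    ip: str
    platform: str
    importance: int                            # 1 (low) .. 5 (critical)
    patches: set = field(default_factory=set)  # update ids from SCCM-style inventory

# Firewall rules are (src_net, dst_net, port, action); ordered, first match wins, port 0 = any.
def is_vulnerable(host):
    # Passive check from inventory data: affected platform without the fix, no scan needed.
    return host.platform in AFFECTED_PLATFORMS and FIX_ID not in host.patches

def rdp_reachable_from_internet(host, rules):
    # Walk the rule base as a packet from the internet to host:3389 would; default deny.
    dst = ipaddress.ip_address(host.ip)
    for src_net, dst_net, port, action in rules:
        if (INTERNET_SRC in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net) and port in (0, RDP_PORT)):
            return action == "allow"
    return False

def prioritize(hosts, rules):
    # Rank vulnerable hosts: direct internet exposure first, then asset importance.
    ranked = [(h.name, rdp_reachable_from_internet(h, rules), h.importance)
              for h in hosts if is_vulnerable(h)]
    return sorted(ranked, key=lambda t: (t[1], t[2]), reverse=True)

# Constructed sample inventory and rule base (not real data).
HOSTS = [
    Host("dc-jump", "10.0.1.5", "Windows Server 2008 R2", 5),
    Host("dc-old", "10.0.1.6", "Windows Server 2008", 3, {FIX_ID}),
    Host("ot-hmi", "10.0.2.7", "Windows XP", 4),
    Host("web-01", "10.0.1.9", "Windows Server 2016", 5),
]
RULES = [
    ("0.0.0.0/0", "10.0.1.6/32", RDP_PORT, "deny"),
    ("0.0.0.0/0", "10.0.1.0/24", RDP_PORT, "allow"),  # the rule the policy said did not exist
    ("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]
```

Running prioritize(HOSTS, RULES) on this data ranks dc-jump (unpatched and reachable through the non-compliant allow rule) above ot-hmi (unpatched but shielded), while the patched and unaffected hosts drop out entirely.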

About Skybox Security

Skybox provides the industry's broadest cybersecurity management platform to address security challenges within large, complex networks. By integrating with 130 networking and security technologies, the Skybox® Security Suite gives comprehensive attack surface visibility and the context needed for informed action. Our analytics, automation and intelligence improve the efficiency and performance of security operations in vulnerability and threat management and firewall and security policy management for the world's largest organizations. www.skyboxsecurity.com | [email protected] | +1 408 441 8060

Copyright © 2018 Skybox Security, Inc. All rights reserved. Skybox is a trademark of Skybox Security, Inc. All other registered or unregistered trademarks are the sole property of their respective owners. 05222019