If you don’t normally keep up with information security news, this week has been a big one. Older versions of Microsoft Windows have a serious flaw in the Remote Desktop Protocol (RDP) stack.
RDP is used to connect to computers remotely, something IT professionals do routinely, but attackers exploiting the vulnerability known as BlueKeep, or CVE-2019-0708, can compromise networks.
The Australian Cyber Security Centre has advised Australian businesses to patch their systems immediately. This flaw is so bad that Microsoft took the extraordinary step of issuing patches for the out-of-support operating systems Windows Server 2003 and Windows XP.
The vulnerability is reachable before any authentication takes place, so it can be weaponised in the form of a worm. It is important that all of your servers are patched, because if it gets in, it is likely to spread, fast.
Every few years there is a software vulnerability that has the potential for significant, widespread harm around the world.
Almost two years to the day, on 12 May 2017, there was WannaCry, a form of ransomware that exploited a critical vulnerability in the SMBv1 implementation of Microsoft operating systems.
WannaCry spread rapidly across the world, disrupting the National Health Service in the United Kingdom and crippling automotive and telecommunications companies in Europe.
Impacts to the global economy may never be fully understood, but estimates suggest hundreds of millions of dollars in lost revenue and repair bills.
Today the BlueKeep vulnerability is within reach of cyber criminals who seek to exploit vulnerable systems en masse. These criminal groups are not necessarily targeting particular victims; they are simply sweeping the landscape for vulnerable, outdated systems that are easy to penetrate.
An unpatched RDP service is exposed and potentially exploitable without any credentials. BlueKeep applies to internal RDP as much as to internet-facing RDP, so once an attacker is inside a network they can use it to move laterally.
Criminal groups can also use this vulnerability to conduct denial-of-service attacks on unprotected systems: an exploit attempt that fails to achieve code execution typically crashes the target.
How to protect your systems
Microsoft’s advisory provides fixes for vulnerable in-support systems, including Windows 7, Windows Server 2008 R2 and Windows Server 2008, and for the out-of-support systems Windows Server 2003 and Windows XP. Windows 8 and later, and Windows Server 2012 and later, are not affected.
The Australian Cyber Security Centre advises Windows users to:
Deny access to Remote Desktop Protocol (RDP) directly from the internet
- Block all inbound access to RDP from the internet, and
- Use a VPN with multifactor authentication if internet-based access to RDP is required
Limit internal network machine-to-machine RDP
- Apply appropriate internal network segmentation,
- Deny standard workstations the ability to connect arbitrarily to servers or other workstations over RDP (or any other unnecessary protocol), and
- Limit RDP to the servers that need it, and consider using a jump box to reach other servers.
Consider enabling Network Level Authentication (NLA), which requires a valid credential before the vulnerable code is reached and so adds a pre-exploitation hurdle. It does not replace the patch: an attacker who already holds an account permitted to use RDP can still trigger the flaw. To enable it you are probably going to use Group Policy; the object you’re looking for is Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and the setting you need to enable is “Require user authentication for remote connections by using Network Level Authentication”.
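The three controls above (no RDP from the internet, RDP only from a jump box, NLA required) applied to a single host, as an added example that is not part of the original post or the ACSC advice. The script audits the host and, only when run with -Apply, enforces the controls. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (the NetSecurity cmdlets it uses are not present on Windows 7 / Server 2008 R2, where netsh advfirewall does the same job), a placeholder jump-box address of 10.0.0.10, and a list of KB identifiers that you supply from Microsoft’s advisory for your operating system; none of those values come from the post.

```powershell
<#
Added example, not code from the original post or from the ACSC advisory.
Assumptions: elevated PowerShell; Windows 8 / Server 2012 or later for the
NetSecurity cmdlets; 10.0.0.10 is a placeholder jump box; $RequiredKb must be
filled from Microsoft's advisory for this OS (left empty on purpose).
Run this from a console or from an allowed jump-box session. Running it over
an RDP session from any other address will cut off your own connection.
#>
param(
    [string[]]$AllowedRdpSources = @('10.0.0.10/32'),  # assumed jump box
    [string[]]$RequiredKb = @(),                       # KB IDs from Microsoft's advisory
    [switch]$Apply                                     # without this: audit only
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 is the registry value behind the Group Policy setting
    # "Require user authentication for remote connections by using Network Level Authentication".
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    # Every enabled inbound allow rule that would accept TCP/3389, whatever its name.
    $open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
    # Fixes from the advisory that are not installed (empty list if none were supplied).
    $missing = $RequiredKb | Where-Object { -not (Get-HotFix -Id $_ -ErrorAction SilentlyContinue) }
    [pscustomobject]@{
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
        OpenRdpRules = @($open | ForEach-Object DisplayName)
        MissingKb    = @($missing)
    }
}

function Set-RdpHardening {
    # Require NLA locally; a domain GPO with the setting above will override this.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    # Disable the broad built-in "Remote Desktop" allow rules ...
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    # ... and accept TCP/3389 only from the jump box. Default inbound policy is
    # block, so nothing else can reach RDP once the broad rules are disabled.
    $name = 'RDP inbound from jump box only'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress $AllowedRdpSources -Action Allow -Profile Any |
            Out-Null
    }
}

$before = Get-RdpPosture
Write-Host "Posture before:"
$before | Format-List | Out-String | Write-Host

if ($Apply -and $before.RdpEnabled) {
    Set-RdpHardening
    Write-Host "Posture after:"
    Get-RdpPosture | Format-List | Out-String | Write-Host
}

if ($before.MissingKb.Count -gt 0) {
    # NLA and firewall scoping reduce exposure; only the patch removes CVE-2019-0708.
    Write-Warning ("Missing patches: {0}. Install them; the controls applied here do not fix the vulnerability." -f ($before.MissingKb -join ', '))
}
```

Run it first without -Apply to see which firewall rules currently accept RDP and whether NLA is on, then with `-Apply -AllowedRdpSources <jump box> -RequiredKb <IDs from the advisory>`. If the host has no RDP allow rule at all, the audit alone tells you that; the script leaves a host with RDP disabled untouched.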
If you’re thinking of leaving your patching till next month, don’t. This is about as bad as a security flaw gets. Below is a demonstration of what’s possible, showing that credentials can be exposed.
For Microsoft’s documentation on configuring Network Level Authentication for Remote Desktop Services connections, see here.
More information at cyber.com.au