Part of a ZDNet Special Feature: Cyberwar and the Future of Cybersecurity

Homeland Security: We've tested Windows BlueKeep attack and it works so patch now

DHS cybersecurity agency warns US businesses to apply Microsoft's BlueKeep patch for wormable flaw.


The Department of Homeland Security's (DHS) cybersecurity agency is warning Windows admins to patch the wormable BlueKeep flaw, after reporting that it had used the bug to remotely execute code on a vulnerable machine.

The US government's Cybersecurity and Infrastructure Security Agency (CISA) has issued an official alert over a potentially devastating flaw in the Remote Desktop Protocol (RDP) service in multiple versions of Windows, from Windows 2000 through Windows 7 and Windows Server 2008 R2.

Microsoft considered CVE-2019-0708, now known as BlueKeep, so severe that it even released a patch for unsupported Windows XP – a measure it hadn't taken since WannaCry wreaked havoc across the globe in mid-2017.  


The bug was reported to Microsoft ahead of its May Patch Tuesday update by the UK's National Cyber Security Centre, the organization under UK spy agency GCHQ tasked with improving the nation's cybersecurity defenses in the public and private sector. 

Microsoft released patches for XP because it believed BlueKeep's worm capabilities – the ability to automatically spread from one vulnerable machine to another – could be exploited in an attack on the same global scale as WannaCry, whose worm capabilities were enabled by EternalBlue, the leaked NSA exploit for the SMBv1 file-sharing protocol. 

The NSA is also worried about BlueKeep. Earlier this month it urged admins to patch the flaw and change configurations to prevent potential attacks. Its warning followed research that found that nearly one million internet-exposed Windows systems were still vulnerable to BlueKeep. The NSA said it was "likely only a matter of time" before attacks emerged.

Currently there's no publicly available exploit code for BlueKeep. However, several organizations and independent researchers claim to have developed working exploits for it, including Zerodium, McAfee, Kaspersky, Check Point, MalwareTech, and Valthek.

CISA on Monday confirmed it has successfully exploited BlueKeep on a Windows 2000 PC. The agency has not tested other affected versions of Windows. 

"CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution. Windows OS versions prior to Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these systems," it said. 

However, CISA has since stepped back from that claim and replaced its original statement with: "CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep."

Nonetheless, its advice, like the NSA's and Microsoft's, remains the same: apply Microsoft's May fixes for the RDP BlueKeep bug. Where that can't happen immediately, it recommends enabling Network Level Authentication (NLA), which forces an RDP client to authenticate before a session is set up, so an unauthenticated attacker never reaches the vulnerable code. NLA is a stopgap rather than a substitute for the patch: an attacker who already holds valid credentials for the host could still exploit it. CISA also suggests blocking TCP port 3389, the port RDP listens on, at the perimeter firewall.
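As an added example (not code from the ZDNet article, CISA, the NSA or Microsoft), the following PowerShell script checks a single Windows host against the three recommendations above and, where the fix is missing, applies the NLA and firewall mitigations. The KB numbers it looks for are the May 2019 updates for each affected OS as I know them; treat them as an assumption and confirm them against Microsoft's CVE-2019-0708 advisory for your exact build. The registry value and netsh rule are the standard Windows settings for NLA and Windows Firewall.

```powershell
# Added example, not from the article or from CISA/Microsoft.
# BlueKeep (CVE-2019-0708) posture check for one Windows host.
# Run from an elevated PowerShell prompt. Uses only cmdlets present on
# PowerShell 2.0 (Windows 7 / Server 2008) so it works on the affected systems.

# Assumed KB numbers for the May 2019 fixes; verify against Microsoft's advisory.
$BlueKeepKBs = @(
    'KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2 SP1 (security-only / monthly rollup)
    'KB4499180', 'KB4499149',   # Windows Server 2008 SP2 (security-only / monthly rollup)
    'KB4500331'                 # Windows XP SP3 / Server 2003 SP2 (out-of-band)
)

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-BlueKeepPatch {
    # True if any of the fixing updates is installed. Get-HotFix reads
    # Win32_QuickFixEngineering, which lists installed OS updates.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    return [bool]($BlueKeepKBs | Where-Object { $installed -contains $_ })
}

function Test-RdpEnabled {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $v = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    return ($v -eq 0)
}

function Test-NlaRequired {
    # UserAuthentication = 1 means NLA is required: the client must authenticate
    # (CredSSP) before the RDP session, and therefore the vulnerable code path,
    # is reached. Only meaningful on Vista / Server 2008 and later; XP and
    # Server 2003 cannot require NLA on the server side.
    $v = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    return ($v -eq 1)
}

function Enable-Nla {
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

function Block-RdpInbound {
    # netsh exists on every affected OS; the New-NetFirewallRule cmdlet only
    # appears on Windows 8 / Server 2012 and later. This blocks RDP for
    # everyone, including legitimate admins, until the rule is removed.
    netsh advfirewall firewall add rule name="Block inbound RDP (TCP 3389)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
}

$status = New-Object PSObject -Property @{
    Host        = $env:COMPUTERNAME
    OS          = (Get-WmiObject Win32_OperatingSystem).Caption
    RdpEnabled  = Test-RdpEnabled
    Patched     = Test-BlueKeepPatch
    NlaRequired = Test-NlaRequired
}
$status | Format-List

if ($status.RdpEnabled -and -not $status.Patched) {
    Write-Warning 'RDP is enabled and no BlueKeep fix is installed: patch this host now.'
    if (-not $status.NlaRequired) {
        Write-Warning 'Requiring NLA so unauthenticated clients cannot reach the vulnerable code.'
        Enable-Nla
    }
    # Block-RdpInbound   # uncomment to drop TCP 3389 locally until the patch is applied
}
```

The script reports before it changes anything, and only tightens settings when RDP is on and no fix is present. Enabling NLA is low-risk on Windows 7 and Server 2008, but older clients that cannot do CredSSP will lose access, and the local firewall block is a blunt instrument best reserved for hosts that cannot be patched quickly; blocking 3389 at the perimeter, as the article describes, is the better long-term control.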

Should a public BlueKeep exploit emerge, or should nation-state hackers develop one privately and decide to use it, the impact could look very different from WannaCry's.

That malware heavily damaged organizations in Europe, most notably the UK's National Health Service (NHS), which faced a $125m WannaCry bill, was forced to cancel 19,000 appointments, and then spent £500,000 on contractors to restore data in the wake of the attack.

In WannaCry's case, public exploit code was available just a month after Microsoft's patch, courtesy of the ShadowBrokers, a hacking group suspected of Russian state backing.


Security firm BitSight ran an internet scan in mid-June for systems vulnerable to BlueKeep. It too found about a million vulnerable machines. Exposure is greatest in China, where fewer than 50 percent of internet-exposed RDP hosts have been patched.

China has by far the most vulnerable machines in the world, about a third of the million found. It is followed by the US, where more than 75 percent of exposed hosts have been patched.

It seems Europe has learned its lessons from WannaCry and the subsequent EternalBlue-powered NotPetya outbreak. The UK, the Netherlands, Germany, and France have all patched more than 75 percent of their exposed RDP hosts.

Countries in the same bracket as China, with less than 50 percent of machines patched, include South Korea and Hong Kong, while the patch rate in Russia, India, Brazil, and Italy sits between 50 percent and 75 percent. 
