NSA Sounds the Alarm on BlueKeep
July 29, 2019 Update: With over 800,000 Windows systems still unpatched and vulnerable (as of July 2), concern over BlueKeep remains high, especially after a detailed guide on how to write an exploit was posted online last week. Other indications that the vulnerability is not going unnoticed include publication of an exploit and discovery of malware that scans for vulnerable computers. Update your affected systems and verify your recovery capabilities now!
Windows vulnerability opens the door for the next WannaCry
It’s been just over two years since WannaCry, the ransomware that exploited the EternalBlue vulnerability to infect hundreds of thousands of computers around the world and inflict an estimated $8B in damages.
If history repeats itself, we’re in for another assault in the next 30 days.
On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability (CVE-2019-0708) – a bug now known as BlueKeep – and urged customers to update all affected systems as soon as possible.
Last week, the U.S. National Security Agency (NSA) issued its own cybersecurity advisory reiterating the need to take action.
WannaCry attacks began 59 days after Microsoft released fixes for EternalBlue. Applying a similar lead time to BlueKeep means we could start seeing attacks sometime in July – just in time to spoil our summer holidays. Of course, the lead time could be less… or more.
Are we prepared?
The question isn’t just about whether we’ve updated affected systems: timely patching is extremely important, but it’s not enough. Preparation also requires having a hardened recovery process in place for those times when – despite our best efforts or because of newly discovered vulnerabilities – attackers get in.
Whether or not you’re affected by BlueKeep, it’s a good time to review your recovery process. Some things to consider:
- Can we access our backups? Attackers aren’t just going after our production applications and data; they’re also going after our backups or, collaterally, systems that host backups. Be sure to store backups (or backup copies) where ransomware and wiper attacks can’t reach them.
- What to do if backups are infected. Many backups include executable files, boot files, and other operating system files where rootkits and other malware can hide. Restoring systems from these backups also restores malware present when the backup was taken. This argues for having a way to recover systems that doesn’t rely on bringing back the original operating system.
- Can we meet recovery time objectives (RTOs) for critical applications? Identify your critical business processes and the applications required to support them. Map the infrastructure those applications depend on and be sure to include the recovery time for that infrastructure. For example, Active Directory is one of the first services you should cover since most applications depend on it.
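
The RTO check in the last item can be worked through as a small dependency calculation. The sketch below is an added example, not part of the original article: it rolls each application's recovery time up through the infrastructure it depends on and reports which applications miss their RTO. All component names, restore durations and RTO targets are constructed assumptions, and independent dependencies are assumed to be restored in parallel.

```python
# Added example: component names, durations and RTO targets are constructed.

# Component -> (restore minutes once its dependencies are up, dependencies)
COMPONENTS = {
    "storage":          (60,  []),
    "active_directory": (120, ["storage"]),
    "dns":              (15,  ["active_directory"]),
    "sql_cluster":      (90,  ["storage", "active_directory"]),
    "erp_app":          (45,  ["sql_cluster", "dns"]),
    "file_share":       (30,  ["storage", "active_directory"]),
}

# Business RTO per critical application, in minutes (constructed targets).
RTO_TARGETS = {"erp_app": 240, "file_share": 240}


def recovery_time(name, components, _path=()):
    """Minutes until `name` is usable: its own restore time plus the
    slowest of its dependencies (dependencies restore in parallel)."""
    if name in _path:
        raise ValueError("circular dependency: " + " -> ".join(_path + (name,)))
    if name not in components:
        raise KeyError(f"unmapped dependency: {name}")
    own, deps = components[name]
    waited = max(
        (recovery_time(d, components, _path + (name,)) for d in deps),
        default=0,
    )
    return waited + own


def rto_gaps(components, targets):
    """Return {app: (effective_minutes, target_minutes)} for apps missing RTO."""
    gaps = {}
    for app, target in targets.items():
        effective = recovery_time(app, components)
        if effective > target:
            gaps[app] = (effective, target)
    return gaps


if __name__ == "__main__":
    for app, target in RTO_TARGETS.items():
        print(f"{app}: {recovery_time(app, COMPONENTS)} min (RTO {target} min)")
    print("misses RTO:", rto_gaps(COMPONENTS, RTO_TARGETS))
```

In this constructed data the ERP application restores in 45 minutes on its own but cannot be back before 315 minutes, because Active Directory and the database cluster sit on its critical path.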
It’s also a great time to talk with management about cyber resilience: this latest security vulnerability provides real-world context for the discussion. Reach out to management proactively and advise them of the issue, your exposure, and what’s missing in your recovery plan.
No doubt more will be written if (when) attacks that exploit BlueKeep begin.