Security Ledger, May 28, 2019, with comments by Satya Gupta;
Microsoft’s worm-friendly Bluekeep flaw affects medical devices and other Internet of Things endpoints, security experts are warning.
‘Bluekeep’ is a zero-day vulnerability that can strike Windows Remote Desktops and threatens medical devices and other endpoints that are connected to the Internet. Internet of Things – IoT – systems are especially vulnerable.
Officially VCE-2019-0708, BlueKeep is similar to EternalBlue
The Bluekeep worm is similar to EternalBlue, the exploit behind WannaCry, the malware that cost companies across the globe billions of dollars. Microsoft issued a patch for EternalBlue in 2017 and the company also issued a patch for Bluekeep last week, along with a warning of the worm’s EternalBlue’s similarities.
Bluekeep’s official CVE record is CVE-2019-0708. According to RiskSense research, the exploit is particularly dangerous because an attackers can take full control of target systems, even remotely, where they can then install programs, delete, modify or steal data, and access full user rights to set up new accounts. No authentication is required for attackers to gain access.
Microsoft warns to get the patch immediately, but many won’t be able to jump on it
Microsoft is strongly advising companies to implement the patch immediately. Experts suspect a million, if not millions, of machines are out there unpatched. The Windows systems that are vulnernable are older systems such as Windows XP, 7 or Windows Server 2008. But despite Microsoft’s warnings to patch, these older systems are often noy updated for a reason. They are more complicated and difficult to patch than usual.
There are always stragglers with any update and security is only as strong as its weakest link. Given the urgency of Microsoft’s response, organizations have to take this seriously and know the status of any device they manage. For individual users, this vulnerability puts any data on that machine at risk.
Can’t Microsoft prevent these flaws?
Microsoft has improved its processes and testing, but software stacks continue to be more complex and connected. Many vulnerabilities exploit problems that weren’t imagined when the software was written. It’s unlikely that Microsoft will ever get to a bug-free state.
This isn’t the first time Microsoft has released a patch for end-of-life systems. Previously, it released patch MS17-010 to prevent the EternalBlue exploit and variants.
BlueKeep worm gives hackers the perfect opportunities
“This type of vulnerability is the most valuable to attackers because it enables remote command and control and privilege escalation,” said Satya Gupta, CTO and Co-founder of security firm Virsec. “If the bad guys can repeatedly access your system, and elevate their admin privileges, they pretty much own the system and can easily access any network assets or data connected to it.”
Healthcare systems particularly vulnerable
Among the millions of machines in use, many organizations are using them for mission-critical processes.
One such company is Siemens Healthineers, which uses these systems to manage sensitive healthcare information. Siemens Healthineers specializes in medical technology, based on Windows.
Siemens vulnerable systems include their Advanced Therapy Products, Siemens Healthineers Software Products, and Laboratory Diagnostic Products. Siemens connects its medical devices connect over the cloud through the Microsoft Azure platform. All organizations with connected devices over the Web – through the IoT — all share the same risk of being hit by malware like BlueKeep. Healthcare organizations especially may be targets because medical information is a desired on the Dark Web and bad actors are only too happy to offer it for sale there. Not only that, the risks of this information being misused can even be life threatening.
Some are questioning they wisdom of such prominent companies using old equipment for critical tasks like this because it places them in such a vulnerable position. To protect these systems and the information on them, they may need to be isolated from the Web.
RiskSense, with Metasploit, has created a vulnerability scan that can help organizations determine if they are exposed without triggering the exploit.
How can you avoid new malware like WannaCry coming based on this flaw?
The obvious advice is to patch systems as soon as possible when there are serious alerts. However, patching is always more difficult and disruptive than most organizations want to admit, and in many cases there are fragile legacy applications running on out-of-date platforms that nobody wants to touch. At the end of the day, companies need software products that protect even vulnerable software from being hijacked.
Read full Microsoft ‘Bluekeep’ Flaw threatens Medical Devices, IoT article.
Newsletter: Latest issue
Video: 2-Minute Virsec Story