Patch now against wormable 'BlueKeep' remote desktop flaw: ACSC

The Australian Cyber Security Centre is strongly urging Windows users to apply security patches for the recently discovered remote desktop services vulnerability that is open to mass exploitation with no user interaction at all.

Microsoft warned last month that the criticial vulnerability, dubbed BlueKeep, could lead to large-scale attacks like the WannaCry ransomware epidemic in 2017 that crippled hundreds of thousands of computers around the world. 

Car makers, telcos and Britain's National Health Service were hit by WannaCry, and suffered losses worth hundreds of million dollars.

BlueKeep allows full compromise of Windows via Remote Desktop Services.

Windows XP, Server 2003, 7, 2008 and 2008 R2 are vulnerable, and Microsoft has provided patches for them, including the two first operating systems that are long out of support.

Erratasec security researcher Robert Graham has scanned the public internet, and found that of the 3.5 million computers that respond to Remote Desktop Protocol requests, almost a million are certainly vulnerable to Bluekeep.

However, many more computers with RDP services that are not directly accessible via the public internet could be unpatched and vulnerable, Graham says.

Graham expects hackers to assemble a robust exploit for BlueKeep within the next month or two.

ACSC said criminals are sweeping the internet looking for vulnerable, outdated systems that are easily penetrable and advised users to block all access to RDP from the internet.

If internet access to RDP services is needed, a virtual private network with multi-factor authentication should be used, ACSC advised.

To limit lateral threat traversal, users should limit internal network machine-to-machine RDP access.

This can be done through appropriately segmented internal networks, disallowing workstations from arbitrarily connecting to servers and other computers with RDP.

RDP should also be limited to servers. If connections to other servers are needed, a jump box should considered for that, ACSC said.

Adding network level authentication makes it more difficult to exploit the BlueKeep vulnerability as well.