Researchers say that nearly 1 million devices running older versions of Microsoft Windows remain vulnerable to ‘BlueKeep’, a recently disclosed flaw in Microsoft’s Remote Desktop Protocol (RDP) service that could let attackers take over unpatched machines with a worm-like exploit. The flaw could open the door to a WannaCry-style cyber attack.
The vulnerability, designated CVE-2019-0708 and named BlueKeep, can be exploited to execute malicious code and install malware on a vulnerable machine without any user authentication: an attacker only has to be able to reach the box across the internet or a local network in order to commandeer it.
Since nearly 1 million devices are still vulnerable, “That means when the worm hits, it’ll likely compromise those million devices,” said Robert Graham, a researcher with Errata Security, in a Tuesday analysis. He added, “This will likely lead to an event as damaging as WannaCry and NotPetya from 2017 – potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.”
Nearly two weeks ago, Microsoft released security patches for affected systems going back to Windows XP to kill off this bug, and everyone is urged to install them.
Graham’s own internet-wide scans produced the figure: “The upshot is that these tests confirm that roughly 950,000 machines are on the public internet that are vulnerable to this bug,” Graham said. “Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.”
“You may have only one old WinXP machine that’s vulnerable, that you don’t care if it gets infected with ransomware. But that machine may have a Domain Admin logged in, so that when the worm breaks in, it grabs those credentials and uses them to log onto the Domain Controller,” Graham writes. “Then, from the Domain Controller, the worm sends a copy of itself to all the desktop and servers in the organization, using those credentials instead of the vuln.”
Microsoft has also said that administrators can switch on Network Level Authentication (NLA) for Remote Desktop Services connections on vulnerable systems to mitigate the flaw. With NLA enforced, a client must authenticate (via CredSSP) before the connection reaches the vulnerable code, so an attacker would need valid credentials for the target to exploit it. NLA is a mitigation rather than a fix, so patched systems remain the goal; Microsoft’s advisory also recommends blocking TCP port 3389 at the enterprise perimeter firewall and disabling Remote Desktop Services where they are not required.
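The following is an added example, not code from the article, from Graham’s scanner or from Microsoft. It shows the one RDP exchange that reveals whether NLA is enforced from the network side: the client sends an X.224 Connection Request carrying an RDP_NEG_REQ that asks for plain “standard RDP security” only, and the server answers with either an RDP_NEG_RSP (it accepted, so the pre-authentication stage is reachable), an RDP_NEG_FAILURE whose code says what it insists on (HYBRID_REQUIRED_BY_SERVER means NLA), or, on legacy systems such as XP/2003, a Connection Confirm with no negotiation block at all. Only this first round-trip is sent; nothing is done at the MCS stage where CVE-2019-0708 lives, so the probe determines NLA status, not patch status. The constants are from Microsoft’s MS-RDPBCGR specification; the host name, cookie string and the sample replies built by `build_connection_confirm` are constructed for offline demonstration.

```python
"""Probe whether an RDP listener enforces Network Level Authentication.

Added example; not from the article, Errata Security or Microsoft.
Protocol constants follow MS-RDPBCGR (X.224 Connection Request/Confirm,
RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE). No MCS data is ever sent.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x00000000       # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001       # TLS, but user auth still happens after MCS connect
PROTOCOL_HYBRID = 0x00000002    # CredSSP before anything else: this is NLA
PROTOCOL_HYBRID_EX = 0x00000008

NEG_TYPE_REQ, NEG_TYPE_RSP, NEG_TYPE_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
# Failure codes that mean the server demands CredSSP (NLA) before going further.
NLA_FAILURE_CODES = {0x05, 0x06}


def build_connection_request(requested=PROTOCOL_RDP, cookie=b"mstshash=probe"):
    """TPKT + X.224 Connection Request with an RDP_NEG_REQ (cookie is arbitrary)."""
    neg_req = struct.pack("<BBHI", NEG_TYPE_REQ, 0, 8, requested)  # little-endian
    body = b"Cookie: " + cookie + b"\r\n" + neg_req
    # X.224 CR: LI (length after the LI byte), code 0xE0, DST-REF, SRC-REF, class 0
    x224 = struct.pack("!BBHHB", 6 + len(body), 0xE0, 0, 0, 0) + body
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224      # TPKT v3 header


def build_connection_confirm(neg_type=None, value=0):
    """Constructed server reply for offline runs: TPKT + X.224 Connection Confirm,
    with RDP_NEG_RSP/RDP_NEG_FAILURE appended unless neg_type is None (legacy server)."""
    neg = b"" if neg_type is None else struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = struct.pack("!BBHHB", 6 + len(neg), 0xD0, 0, 0x1234, 0) + neg
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Classify a Connection Confirm. nla_required=True means the pre-auth
    RDP/MCS stage (where CVE-2019-0708 sits) is not reachable without credentials."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 response")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("X.224 TPDU is not a Connection Confirm (0xD0)")
    if li == 6 or len(data) < 19:
        # Old servers (XP/2003 era) send no negotiation block: standard RDP security only.
        return {"negotiation": False, "nla_required": False,
                "selected_protocol": PROTOCOL_RDP,
                "detail": "legacy server, no RDP_NEG_RSP"}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == NEG_TYPE_RSP:
        return {"negotiation": True,
                "nla_required": value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX),
                "selected_protocol": value,
                "detail": "server selected protocol 0x%08x" % value}
    if neg_type == NEG_TYPE_FAILURE:
        return {"negotiation": True, "nla_required": value in NLA_FAILURE_CODES,
                "selected_protocol": None,
                "detail": FAILURE_CODES.get(value, "failure code 0x%08x" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % neg_type)


def verdict(result):
    """One-line reading of a parse result for an operator."""
    if result["nla_required"]:
        return "NLA enforced: CVE-2019-0708 not reachable without valid credentials"
    return "pre-auth RDP stage reachable (%s); patch status not determined" % result["detail"]


def probe(host, port=3389, timeout=5.0):
    """Send one Connection Request to a live host and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        data = s.recv(1024)
    return parse_connection_confirm(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # e.g. python rdp_nla_probe.py 192.0.2.10
        print(verdict(probe(sys.argv[1])))
    else:                                          # offline walk-through on constructed replies
        samples = {
            "NLA-enforcing server": build_connection_confirm(NEG_TYPE_FAILURE, 0x05),
            "TLS-only server": build_connection_confirm(NEG_TYPE_FAILURE, 0x01),
            "standard-security server": build_connection_confirm(NEG_TYPE_RSP, PROTOCOL_RDP),
            "legacy XP-style server": build_connection_confirm(),
        }
        for name, reply in samples.items():
            print("%-26s %s" % (name, verdict(parse_connection_confirm(reply))))
```

Note what the classification does and does not say: a server that answers SSL_REQUIRED_BY_SERVER has TLS turned on but still lets a client proceed to the MCS stage before authenticating, so it is not protected by that setting; only a hybrid (CredSSP) requirement puts authentication in front of the vulnerable code. A host that reports NLA enforced can still be unpatched and exploitable by anyone holding valid credentials for it, which is exactly the Domain Admin scenario Graham describes above.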