BlueKeep Patching Still Spotty Months After Alerts: ReportFinancial Services Companies Fared Better Than Most, SecurityScorecard Finds
More than two months after Microsoft issued the first warnings about the BlueKeep vulnerability, many enterprises have a spotty record when it comes to patching for this particularly worrisome flaw, new research from SecurityScorecard finds.
In the report, released Friday during the Black Hat security conference in Las Vegas, SecurityScorecard researchers say that the financial services industry has fared better than other sectors when it comes to patching for BlueKeep, but many devices remain vulnerable.
Of the 800,000 vulnerable Windows devices that researchers found around the world, SecurityScorecard calculated that organizations were only patching about 1 percent - about 8,000 - of these systems each day. And this patching activity dropped off precipitously 13 to 15 days after vulnerable devices or open ports that attackers could exploit were found.
In July, Bitsight drew similar conclusions, noting in another report that security teams have been slow to patch this vulnerability despite warnings from Microsoft and government agencies (see: Despite BlueKeep Warnings, Many Organizations Fail to Patch).
So far, no BlueKeep exploit has been spotted in the wild, which may account for some of the slowness to patch. Security researchers have been warning, however, that threat actors could still take advantage of this flaw at some point, says Paul Gagliardi, director of threat intelligence at SecurityScorecard.
"The number of vulnerable machines has barely decreased, and as exploits become more publicly available to less sophisticated users, there will eventually be a fall out of this huge attack surface," Gagliardi tells Information Security Media Group. "Additionally, we are only looking at publicly vulnerable machines. There is most likely significantly more vulnerable machines within networks that could be used for lateral movement within existing or new footholds."
BlueKeep, which is also referred to as CVE-2019-0708, is a significant vulnerability that could enable attackers to compromise the Remote Desktop Services feature found in Windows, which enables access to networked computers through the remote desktop protocol. Attackers who successfully exploit the flaw could gain full, remote access to a system, including the ability to create user accounts. And they could gain full administrator privileges as well the ability to execute code, researchers say (see: Researcher Posts Demo of BlueKeep Exploit of Windows Device).
Because an exploit using BlueKeep requires no authentication, it's considered "wormable," meaning that if it were successfully exploited it could be used by self-replicating malware to spread across infected machines rapidly. This is the same way that ransomware such as WannaCry and NotPetya spread across the world in 2017, security exports have warned.
The vulnerability is found in older versions of Windows, including, Windows XP, Windows 7, Windows 2000, Windows 2003 and Windows Server 2008, according to security researchers.
In addition to two separate warnings from Microsoft - the first on May 14 - the U.S. Department of Homeland Security and the National Security Agency have issued warnings as well (see: DHS Is Latest to Warn of BlueKeep Vulnerability).
Slow to Patch
To get a sense of how many vulnerable Windows devices remain vulnerable, SecurityScorecard scanned the internet looking for open 3389 ports, because these are needed to access Microsoft's Remote Desktop Protocol feature and attackers could use an open port to establish a connection to the network.
Based on that scan, SecurityScorecard estimates there were about 800,000 devices that were possibly vulnerable to BlueKeep, according to the report. When Microsoft first warned of BlueKeep, some security researchers estimated that as many as 1 million devices could be exposed (see: 1 Million Windows Devices 'Vulnerable to Remote Desktop Flaw').
Researchers found the security teams in the financial sector tended to patch the fastest – usually within a day - when they discovered a system was vulnerable, according to SecurityScorecard.
In other industries, including entertainment, manufacturing, construction, education, government and hospitality, researchers noticed that patching could take between five and 13 days, and after that time, there were little or no efforts to patch, according to the research. "The response of a company's security/IT team to BlueKeep was generally slow or non-existent," according to the report.
Among the reasons why financial services firms patched faster and were less exposed, researchers determined, is that these companies use new versions of Windows, which do not contain the vulnerability, which meant they had fewer vulnerable systems to patch.
In addition, many of these firms likely placed port 3389 behind a VPN or firewall, which is the proper security practice, SecurityScorecard notes.
"The financial sector is often the top performer in terms of security hygiene and practice due to their security teams being significantly funded and under stricter regulation," Gagliardi says. "This is often comparable to large defense contractors. While their top performance is commendable it still leaves quite a bit to be desired."
The fact that BlueKeep has not been exploited yet may also be a reason many organizations are slow to patch, according to the report. But that lack of exploits does not mean the danger has passed. And SecurityScorecard notes that while scanning by malicious actors has slowed, there are still indications that they continue to look for open ports and vulnerable devices.
"Part of our premise is that we are dealing with rather low performing security teams since they are already exposing an outdated Windows machine on the public internet with RDP exposed," Gagliardi says.
Some security companies say they have built proof-of-concept attacks using the vulnerability, but they have not revealed the details. The list includes Zerodium, McAfee, Kaspersky, Check Point, MalwareTech and Valthek.
In addition, Sophos has not only developed its own proof-of-concept attack, but it's also showed a full system takeover to demonstrate what a threat actor could do (see: Sophos Proof-of-Concept Exploit Shows Dangers of BlueKeep).
Security vendor Cyxtera recently announced that it would include a complete, weaponized exploit for BlueKeep in its Immunity penetration-testing tool. A company spokesperson told ZDNet that it's the first time an exploit has been available, and companies can use it test their systems for weaknesses. The company noted that their exploit is not wormable.