Despite BlueKeep Warnings, Many Organizations Fail to PatchOver 800,000 Windows Devices Remain Vulnerable, Analysts Say
Despite warnings from Microsoft, government agencies and cybersecurity companies, many organizations around the globe have yet to patch older Windows systems against the BlueKeep vulnerability that could let attackers take over devices, cybersecurity ratings firm BitSight warns.
In a Wednesday blog, Bitsight researchers say that as of July 2 - six weeks after news of BlueKeep first broke - about 805,665 Windows devices online remain vulnerable, which represents only a 17 percent drop since May 31.
The BitSight report echoes the slow patching trend that other security firms have seen since May, when Microsoft rolled out a patch for operating systems the software vendor no longer supports, including Windows XP, Windows 7, Windows Server 2000, Windows Server 2003 and Windows Server 2008.
In late May, Robert Graham, head of offensive security research firm Errata Security, noted that about 950,000 systems on the internet were vulnerable, and days later, BitSight found 972,829 vulnerable Windows systems. This was despite alerts from Microsoft, the U.S. National Security Agency and a number of security firms that urged organizations that have devices running vulnerable systems to patch them as soon as possible.
On Wednesday, Graham tweeted: "I did an internet scan last night and found 730,000 machines still vulnerable to Bluekeep, down from my first scan in May that found 920,000 vulnerable."
Graham says BitSight's results are probably more reliable than his scans. "I just do a quick-and-dirty scan, whereas they've spent more time looking at their results and refining their scans. That both our numbers are close hints we aren't too far off."
BlueKeep is a serious vulnerability that could enable attackers to compromise Remote Desktop Services in Windows, which enables access to networked computers via remote desktop protocol. Attackers who successfully exploit the flaw could gain full, remote access to a system, including the ability to create user accounts and give them full administrator privileges, as well as to execute any code.
"The vulnerability requires no authentication and is regarded as 'wormable,' meaning that if it were successfully exploited it could be used by self-replicating malware to spread across the internet rapidly," security firm Sophos warns in a new report. "WannaCry and NotPetya used a similarly wormable flaw in Microsoft’s SMB v1 to spread around the globe in a matter of hours."
One saving grace - so far at least - is that security experts have yet to see any in-the-wild attacks that use BlueKeep. But until companies patch, they remain at risk.
"Patching, or rather good cyber hygiene, is an integral component of every company's defense against cyberattacks," Raj Samani, chief scientist at McAfee, tells Information Security Media Group. "The RDP vulnerability recently reported - and in particular the number of systems that remain unpatched - shows that the fundamentals of good cyber hygiene remain overlooked for so many companies."
That's despite an unprecedented level of warnings having been issued to beware BlueKeep. "The rate at which the patching occurs is an interesting question because there's nothing quite comparable in terms of the combination of severity and encouragement of patching in the last 10 or so years," Dan Dahlberg, director of security research at BitSight, tells ISMG.
Dahlberg compares BlueKeep to the SMB_v1 flaw in Windows - aka EternalBlue - which paved the way for such attacks as WannaCry in 2017. Although Microsoft issued a patch to fix the SMB_v1 flaw, many organizations failed to implement the patch until WannaCry hit.
Countdown to Exploits
While a BlueKeep exploit hasn't yet been seen in the wild, the U.S. Department of Homeland Security and some cybersecurity firms have developed proof-of-concept exploits, although none have been publicly released. There are concerns among security researchers, however, that bad actors are developing exploits, and proof-of-concept code reportedly has been released online. There was enough concern that Microsoft in late May took the unusual step of issuing a second alert about BlueKeep.
"This a particularly notable threat to many of these organizations, both those that have systems exposed externally on the network - that have those services opened and have those systems unpatched - and those that have systems internally unpatched but don't necessarily have something exposed externally," Dahlberg says.
The age of the Windows systems vulnerable to BlueKeep may help explain why so many still remain unpatched.
Dahlberg notes that many of the devices running older Windows systems don't have modern patch management systems and inventory controls.
In addition, some legacy systems have poor documentation or are outside of the supervision of corporate IT, Fausto Oliveira, principal security architect at authentication company Acceptto, tells ISMG. "There are some false misconceptions on the market, like if the OS is going [end-of-life], let's not spend money on it until we replace it, which sometimes could be years away," he adds.
Richard Gold, head of security engineering at digital risk protection firm Digital Shadows, tells ISMG that a key issue for customers is "simply finding all the machines that are vulnerable. Then, secondarily, is the issue of taking those machines offline to patch, particularly in the cases where there is not a hot standby - a secondary system which can be used to cover for the primary."
Other issues include organizations not knowing that they have a system with the vulnerability. Plus, some executives initially don't react to a vulnerability, waiting until the threat takes greater shape and becomes more real, Dahlberg says.
"What is most concerning is that failure to quickly act on emergent security issues is not a new phenomenon," Mike Weber, vice president of labs at cyber risk management firm Coalfire, tells ISMG. "The industry has been facing this problem for years, and it's imperative for organizations to have a dynamic criticality evaluation process and emergency change management procedures to remediate these business-critical issues when they arise."
Different Industries, Different Results
Certain industries have fared better than others when it comes to patching their systems against BlueKeep, according to BitSight.
The most responsive have been the legal field (with a 33 percent reduction in the number of vulnerable organizations), nonprofit and nongovernmental organizations (27 percent) and the aerospace and defense industry (24 percent), according to the vendor's figures. The consumer goods, utilities and technology industries were the least responsive, with as low as a 5.3 percent reduction.
The key to protecting a company against BlueKeep or any such flaw is patching, Coalfire's Weber says.
"Microsoft acted commendably quickly in releasing patches for both active and end-of-life products, and the NSA made additional recommendations, such as disabling remote desktop services and associated ports if not used, etc.," Weber says. "But these are only successful if implemented. … Companies must learn from previous large-scale examples, such as NotPetya, that patching is an essential part of any security program."
Executive Editor Mathew Schwartz contributed to this article.