New vulnerabilities appear hourly, and companies and individuals who do not patch their software quickly are at risk of attack by malicious users, nation-states, organized crime, terrorists and others who constantly scan the internet.
One of the more recent exploits is BlueKeep. The vulnerability, tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and was addressed by Microsoft in its May 2019 Patch Tuesday updates. The flaw has been described as wormable: malware can leverage it to spread much as the notorious WannaCry ransomware did in 2017 through the EternalBlue exploit.
An unauthorized user can use RDS, or the Remote Desktop Protocol (RDP), to take over a machine, with devastating consequences.
Errata Security’s Robert Graham conducted an internet scan using the masscan port scanner and a modified version of rdpscan and found more than 923,000 devices that appear to be vulnerable to BlueKeep attacks. The scan returned close to 8 million results, many of which were junk, he explained.
There are two things you should do to guard yourself. The first is to apply Microsoft’s patches, including on old Windows XP, Windows Vista, and Windows 7 desktops and servers.
The second, and more important for large organizations, is to fix the psexec problem that lets such things spread via normal user networking. You may have only one old WinXP machine that is vulnerable, and you may not care if it gets infected with ransomware. But that machine may have a Domain Admin logged in, so that when the worm breaks in, it grabs those credentials and uses them to log on to the Domain Controller. Then, from the Domain Controller, the worm sends a copy of itself to all the desktops and servers in the organization, using those credentials instead of the vulnerability. This is what happened with notPetya: the actual vulnerability wasn’t the problem; psexec was.
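One way to audit for the exposure described above is to cross-reference logon records with the list of hosts still missing the patch. The following is an added example, not code from the original article; the CSV layout (modelled on Windows Security event 4624 fields), host names and account names are all constructed for illustration.

```python
import csv
import io

# Constructed sample (not from the article): logon sessions as they might
# be exported from Windows Security event 4624 records.
SAMPLE_LOGONS = """host,account,logon_type
WINXP-LAB01,CORP\\da-alice,10
WINXP-LAB01,CORP\\bob,2
WIN7-FIN02,CORP\\da-alice,3
WIN10-HR03,CORP\\da-carol,2
WIN7-FIN02,CORP\\svc-backup,5
"""

# Assumed inputs (hypothetical names): hosts still missing the
# CVE-2019-0708 patch, and accounts holding Domain Admin rights.
UNPATCHED_HOSTS = {"WINXP-LAB01", "WIN7-FIN02"}
DOMAIN_ADMINS = {"CORP\\da-alice", "CORP\\da-carol", "CORP\\svc-backup"}

# Logon types that leave reusable credentials on the target machine:
# 2 interactive, 4 batch, 5 service, 10 RemoteInteractive (RDP),
# 11 cached interactive. Type 3 (network) normally does not.
CREDENTIAL_EXPOSING_TYPES = {2, 4, 5, 10, 11}

def find_exposed_admins(logon_csv, unpatched_hosts, privileged_accounts):
    """Return sorted (host, account, logon_type) tuples where a privileged
    account left credentials on a host that is still unpatched."""
    unpatched = {h.upper() for h in unpatched_hosts}
    privileged = {a.lower() for a in privileged_accounts}
    findings = set()
    for row in csv.DictReader(io.StringIO(logon_csv)):
        try:
            logon_type = int(row["logon_type"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows instead of aborting the audit
        host = (row.get("host") or "").strip().upper()
        account = (row.get("account") or "").strip().lower()
        if (host in unpatched and account in privileged
                and logon_type in CREDENTIAL_EXPOSING_TYPES):
            findings.add((host, account, logon_type))
    return sorted(findings)

if __name__ == "__main__":
    for host, account, logon_type in find_exposed_admins(
            SAMPLE_LOGONS, UNPATCHED_HOSTS, DOMAIN_ADMINS):
        print(f"{host}: {account} (logon type {logon_type})")
```

Each finding is a host to patch or isolate first, and a privileged account whose use should be restricted to hardened machines.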
The bottom line is patch, patch, patch! Do it often, and apply patches as soon as they are available. Armies of hackers are hoping you and your company do not.