RDP and BlueKeep: What You Need To Know

On May 14th, 2019, Microsoft released a patch for a pre-authentication vulnerability affecting several versions of Windows. Microsoft even released a patch for end-of-life software because the vulnerability is so serious that it has the potential to create a WannaCry-styled global outbreak. In this post, we’ll talk about RDP, the vulnerability, and how you can make sure that you’re secure.

RDP: Already Known to be Trouble

Remote Desktop Protocol is a Microsoft-based service that allows a user to remotely connect to a device and interact with it through a virtual interface. It’s like a screen share where you can control what’s happening on the projected screen. RDP is a very useful tool but was never intended to be exposed to the public Internet. If it is ever compromised, the attacker can do just about whatever they want; it’s as if they were sitting in front of the physical device.

RDP has a lot of known issues. In fact, RDP is one of the most common entry vectors for ransomware. The SamSam campaign has targeted dozens of organizations, bringing down hospitals and local government. Attackers scan the global Internet looking for exposed devices open on RDP and then attempt a brute-force password guessing attack. If strong passwords and lockouts aren’t used, the attacker can gain direct access to a user’s machine and then begin to move laterally. It’s incredibly dangerous to have one thin layer separate attackers from a user’s device, which is exactly how RDP operates when it is publicly exposed.

WannaCry 2.0

RDP is already known to be risky. But CVE-2019-0708 — also known as BlueKeep — takes things up a notch by allowing an attacker to remotely execute code pre-authentication with no user interaction. This is just about as bad as it can get for a vulnerability. All an attacker needs is a vulnerable device; no user to click on anything, no privileges, nothing. And the complexity of the attack is low, meaning that attackers will reverse engineer the exploit quickly.

The result could be a program that seeks out vulnerable devices (of which there are many), automatically infects them, and then continues to spread. These worms, which are self-propagating infections, are the worst kind and can quickly spiral out of control.

In 2017, WannaCry infected around 200,000 machines across 150 countries via a similar mechanism (SMB). Hospitals were hit especially hard, rendering their computer systems unusable. An RDP worm could cause similar damage, making this a vulnerability that’s especially important to patch immediately.

Cover Your Assets

With all of the dangers associated with RDP, you might think that it is tightly controlled and rarely exposed. But you’d be wrong. In the past two weeks, Expanse observed RDP instances exposed at 50% of the Fortune 500. Seventy percent of the Fortune 100 had at least one exposure in the past three months.

Why are these exposures so common? Mostly because they occur in an organization’s blind spot, namely cloud and ISP IP space. Some employees purposely expose their laptops on RDP to get work done. Other times, misconfigurations can result in an employee’s laptop being exposed while they travel.

These exposures occur outside of an organization’s known IP space. It could be in IP space registered to a coffee shop, a hotel chain, or their home Internet connection, but it can be nearly impossible for the security team to detect the exposure unless they are monitoring the global Internet.

Expanse identifies rogue RDP exposures via signature-based detection. Cyber risk analysts use Expanse’s internal mapping engine to discover and track specific configuration details. These are used to track RDP exposures no matter where they occur. Exposures that reside in on-prem, cloud environments, consumer dynamic IP space, or any other portion of the Internet can be found when you monitor everything.

Want to learn more about Expanse? Request a demo today.