June 2019 Threat Intelligence (CRITICAL ALERT)
The US National Security Agency (NSA) are warning Microsoft Windows users of a major security vulnerability. The NSA recommend that Windows administrators update their systems so that they are protected against CVE-2019-0708, also known as “BlueKeep”, a flaw in Remote Desktop Services (RDP).
Although Microsoft issued a patch for CVE-2019-0708 back in May 2019, Microsoft estimates that around one million internet-connected devices have still not applied the update and remain highly vulnerable.
What is 'BlueKeep'?
BlueKeep is not itself malware: it is a vulnerability in Remote Desktop Services (formerly Terminal Services) in older versions of Windows. It can be triggered by an unauthenticated attacker who can reach the RDP service over the network, with no user interaction, which is why it is described as “wormable”: malware exploiting it could spread from machine to machine on its own. Both Microsoft and the NSA are urging users of Windows 7, Windows XP, Windows Server 2003 and Windows Server 2008 (including 2008 R2) to update their systems immediately. Windows 8 and Windows 10 are not affected.
Microsoft have issued a warning stating that almost 1 million computers connected to the internet are presently vulnerable to BlueKeep, putting the corporate networks behind them at particular risk.
Microsoft states in a security notice:
It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.
Along with Microsoft's warning, the NSA released its own alert:
"It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."
BlueKeep is considered highly dangerous and is being compared to ‘WannaCry’, the ransomware worm which infected hundreds of thousands of computers globally in 2017, causing billions of dollars' worth of damage.
The NSA recommend that security teams take 3 further steps, as well as applying the patch, to keep attackers from taking advantage of BlueKeep:
- Block TCP port 3389 at the perimeter firewall. This is the default port used by RDP, and an attacker who can reach it from the internet can connect directly to the vulnerable service. Note that blocking it at the perimeter does not protect against an attacker who is already inside the network.
- Enable Network Level Authentication (NLA). With NLA, the client must authenticate before the vulnerable part of the RDP session is set up, so an attacker would need valid credentials to reach the bug and achieve remote code execution. This reduces the risk but does not remove it; the patch is still required.
- Disable Remote Desktop Services entirely on systems where the tool is not being used.
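The following PowerShell script is an added example and not part of the original alert or Comtact's own tooling. It audits one host for the three mitigations above (firewall block, NLA, Remote Desktop Services state) and, with -Apply, enforces them. It deliberately uses only the registry, netsh and the TermService service so that it also runs on Windows 7 and Server 2008 (PowerShell 2.0), where the newer Net*Firewall cmdlets do not exist. The -PatchKb parameter is an assumption: the KB number of the CVE-2019-0708 update differs per Windows version and must be supplied by the operator, so the script does not hard-code one.

```powershell
# Added example, not from the original alert. Run as Administrator.
# Audits and (with -Apply) enforces the NSA's BlueKeep mitigations on this host.
param(
    [switch]$Apply,        # without -Apply the script only reports the current state
    [switch]$DisableRdp,   # with -Apply: also turn Remote Desktop Services off entirely
    [string]$PatchKb       # assumed: KB id of the CVE-2019-0708 update for this OS, e.g. "KB1234567"
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpState {
    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $deny = (Get-ItemProperty $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla  = (Get-ItemProperty $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    # netstat is used instead of Get-NetTCPConnection so this works on Windows 7 / Server 2008.
    $listening = (netstat -an) | Select-String "TCP\s+\S+:$port\s+\S+\s+LISTENING"
    $patched = $null
    if ($PatchKb) { $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) }

    New-Object PSObject -Property @{
        RdpEnabled      = ($deny -ne 1)
        NlaRequired     = ($nla -eq 1)
        Port            = $port
        Listening       = [bool]$listening
        TermService     = (Get-Service TermService).Status
        PatchInstalled  = $patched      # $null when no -PatchKb was given
    }
}

Write-Host "== Current state =="
Get-RdpState | Format-List

if ($Apply) {
    # WARNING: if you are connected to this host over RDP, steps 1 and 3 will drop your session.

    # 1. Block inbound TCP 3389 on the host firewall. This complements, and does not
    #    replace, the perimeter firewall rule the NSA recommends.
    netsh advfirewall firewall add rule name="Block RDP TCP 3389 (BlueKeep CVE-2019-0708)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null

    # 2. Require Network Level Authentication. The client must authenticate (CredSSP)
    #    before the vulnerable RDP channel setup is reached, so exploitation needs
    #    valid credentials. This is a mitigation, not a fix: the patch is still required.
    Set-ItemProperty $rdpKey -Name UserAuthentication -Value 1 -Type DWord

    # 3. Optionally switch Remote Desktop Services off completely on hosts that do not need it.
    if ($DisableRdp) {
        Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        Stop-Service TermService -Force          # -Force also stops dependent services
        Set-Service  TermService -StartupType Disabled
    }

    Write-Host "== State after applying mitigations =="
    Get-RdpState | Format-List
}
```

Run it once without -Apply to see which of the three controls are missing, then with `-Apply` (and `-DisableRdp` on hosts that never need Remote Desktop). Treat `RdpEnabled = True`, `NlaRequired = False` and `Listening = True` together on an internet-facing Windows 7 / Server 2008 host as the worst case: that is exactly the configuration BlueKeep targets, and the host firewall rule alone should not be relied on if the machine is also reachable from inside the network.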
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK's leading organisations.