Threat Intelligence June 2019: NSA Issues Rare Warning to Patch Against BlueKeep Vulnerability

November 6, 2019

June 2019 Threat Intelligence (CRITICAL ALERT)

The US National Security Agency (NSA) is warning Microsoft Windows users about a major security vulnerability. The NSA recommends that Windows administrators update their systems so that they are protected against CVE-2019-0708, also known as "BlueKeep".

Although Microsoft issued a patch for CVE-2019-0708 back in May, it estimates that nearly one million internet-facing systems have still not received the update and remain highly vulnerable.

What is ‘BlueKeep’?

BlueKeep is not a piece of malware but a vulnerability (CVE-2019-0708) in Remote Desktop Services, the component behind RDP, on older versions of Windows. It can be triggered by an unauthenticated attacker over the network, with no user interaction, and gives remote code execution on the target. Because no credentials are needed, the flaw is "wormable": an exploit could spread from one vulnerable host to the next automatically. Both Microsoft and the NSA are urging users of Windows 7, Windows XP, Windows Server 2003 and Windows Server 2008 / 2008 R2 to update their systems immediately; Windows 8 and later, and Windows Server 2012 and later, are not affected.

Microsoft has warned that almost one million internet-connected computers are presently vulnerable to BlueKeep, which is a particular concern for corporate networks, where a single exposed host can become the entry point for a worm.

Microsoft States in a Security Notice…

“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.”

Along with Microsoft's warning, the NSA released its own alert:

"It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."

BlueKeep is considered highly dangerous and is being compared to WannaCry, the ransomware worm that infected hundreds of thousands of computers globally in 2017 and caused billions of dollars' worth of damage. WannaCry spread through a similarly unauthenticated, wormable flaw (in SMBv1), which is why a BlueKeep worm is expected to move just as quickly across unpatched networks.

The NSA recommends that security teams take three further steps, in addition to applying the patch, to keep attackers from taking advantage of BlueKeep:

  • Block TCP port 3389 at the perimeter firewall. RDP listens on this port, and an attacker can only exploit BlueKeep if they can reach it, so blocking it at the network edge stops exploitation from the internet. Hosts inside the network can still attack one another, so this is a stopgap, not a substitute for patching.
  • Enable Network Level Authentication (NLA). With NLA, a client must authenticate before a session is established, so an attacker would need valid credentials to reach the vulnerable code and achieve remote code execution.
  • Disable Remote Desktop Services on systems where it is not being used; a service that is not running cannot be exploited.
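The PowerShell script below is an added example, not part of the original post or of the NSA's advisory. It audits a single Windows host for the steps above (patch present, NLA enabled) and, with the two optional switches, applies the host-level mitigations. It uses Get-WmiObject and netsh rather than the newer CIM and NetSecurity cmdlets so that it also runs under the PowerShell 2.0 that ships with Windows 7 and Server 2008. The KB numbers it checks are an assumption taken from Microsoft's May 2019 update list and should be verified against the advisory for CVE-2019-0708 before you rely on them.

```powershell
<#
  Added example (not from the original post): audit and harden one Windows
  host against CVE-2019-0708 (BlueKeep) along the lines of the NSA's advice.
  Run from an elevated PowerShell prompt.

  Assumption: the KB numbers below are the May 2019 security-only and
  monthly-rollup updates carrying the fix for Windows 7 / Server 2008 R2 /
  Server 2008, plus the Windows XP / Server 2003 update. Verify them against
  Microsoft's advisory for CVE-2019-0708.
#>
param(
    [switch]$BlockRdpInbound,   # add a host-firewall rule blocking TCP 3389
    [switch]$DisableRds         # turn Remote Desktop Services off entirely
)

$bluekeepFixes = @('KB4499175', 'KB4499164', 'KB4499180', 'KB4499149', 'KB4500331')
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# --- 1. Patch status ----------------------------------------------------------
$os = Get-WmiObject Win32_OperatingSystem
Write-Host "OS: $($os.Caption) (version $($os.Version))"
$installed = Get-HotFix | Where-Object { $bluekeepFixes -contains $_.HotFixID }
if ($installed) {
    Write-Host "CVE-2019-0708 fix present: $($installed.HotFixID -join ', ')"
} elseif ([version]$os.Version -lt [version]'6.2') {
    # 6.2 = Windows 8 / Server 2012, the first versions that are not affected
    Write-Warning "No CVE-2019-0708 fix found on an affected OS version - patch first."
} else {
    Write-Host "OS version is not affected by CVE-2019-0708."
}

# --- 2. Network Level Authentication ------------------------------------------
# Same setting as 'Allow connections only from computers running Remote
# Desktop with Network Level Authentication'; applies to new connections.
$nla = (Get-ItemProperty $rdpTcp).UserAuthentication
Write-Host "NLA currently required (1 = yes): $nla"
if ($nla -ne 1) {
    Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1
    Write-Host "NLA enabled: an attacker now needs valid credentials to reach RDP."
}

# --- 3. Block TCP 3389 inbound at the host firewall ---------------------------
if ($BlockRdpInbound) {
    # This also blocks legitimate RDP to this host. The NSA's advice is to block
    # 3389 at the perimeter firewall, which keeps internal admin access working.
    netsh advfirewall firewall add rule name="Block inbound RDP (CVE-2019-0708)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
    Write-Host "Inbound TCP 3389 blocked by Windows Firewall."
}

# --- 4. Disable Remote Desktop Services if it is not needed -------------------
if ($DisableRds) {
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1   # refuse RDP sessions
    Stop-Service TermService -Force
    Set-Service  TermService -StartupType Disabled              # a stopped service cannot be exploited
    Write-Host "Remote Desktop Services disabled."
}
```

Run it without switches first to get a read-only audit plus the NLA change; add `-BlockRdpInbound` or `-DisableRds` only on hosts where you have confirmed RDP is not the management path, otherwise you lock yourself out of the very box you are hardening.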
