Thursday, June 13, 2019

BlueKeep.... the new silent killer affects thousands of Canadian Internet facing systems

Surely you must have heard that the next wave of attacks will come through a newly minted and named vulnerability called BlueKeep.  


Let's keep the cool names coming.

So as part of a research project, the 70+ million Canadian IP addresses were scanned by someone I know... cough cough.... for port 3389, which hosts the progressively more famous and exploitable Microsoft RDP service.

Now keep in mind that many have multiple RDP services scattered across numerous ports, so 3390, 3391, ...  but only 3389 was tested.  It is a certainty that many more RDP services are exposed on the Internet.

For RDP on port 3389: 102,434 systems responded and are facing the Internet today.

Just sitting there, handing over valuable information.

As an example, just grabbing an RDP screenshot can give you pictures, but more importantly usernames and OS versions.


So obviously giving away your OS version along with usernames isn't ideal, but having an exploitable operating system that has not been patched sitting on the Internet is even less ideal. 

So I asked my "friend" to test out the 102 thousand IP addresses to see how many would be exploitable.....

Drum roll please

Over 10,000 Internet facing systems in the Canadian IP range remain exploitable even after significant media coverage.

These devices will more than likely be hit by malware in the coming weeks since finding them does not require ANY real technical skill, and the exploits for BlueKeep are being weaponized as we speak.

Here are the actual statistics:

            IP ADDRESSES IN CANADA: 71.9 million
            PORT 3389 OPEN IN CANADA: 102,434
              * Note: RDP can be found on other ports; we only tested 3389
            SAFE: 66,758
              * But still shouldn't be open on port 3389 facing the Internet
            UNKNOWN: 17,116
              * Tests did not conclude
            VULNERABLE: 10,351

Even the NSA is pushing news articles about how bad these attacks will be.  After all, they don't want everyone using the exploit now that they can't be the exclusive user of the attack.

And Microsoft, who knows that many enterprises are still using aging systems like Windows XP, actually pushed out updates for systems that haven't been supported in years.  That should be a sign that this update is worth investigating and acting on.  They even published numerous warnings.

So once again we are faced with the same age old issue of patching.

But keep in mind that when I tested Heartbleed in 2014, I found over 40,000 systems unpatched and exploitable within the Canadian IP range.  When I tested in 2018 about 10,000 remained.  This was for a vulnerability that literally spat out confidential information in 64k blocks.

So using this trend, BlueKeep will be around for awhile.

And also, corporate "America" is going to focus on patching the external facing systems while ignoring the internal ones.  That means that when Jenny, the new less-than-bright CSO who was put in place to give that publicly traded company plausible deniability, clicks on that juicy phishing email, lateral movement across the internal network is going to be easy for years to come.

So, once again, two lessons to learn here:

1) Patch all your systems for critical exploits

2) Know your inventory so you get them all

3) Place RDP behind a VPN, because password guessing and other attacks on RDP still exist or will surface!

4) Don't hire fake paper security experts to fill in a role and help shovel IT risks under the rug so that the shareholders feel all cozy

Wait.... that was four.... damned Thursday morning Jello shots.
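Lesson 3 in practice, as an added example that is not part of the original post: a PowerShell audit of the local Windows Firewall for inbound rules that allow TCP 3389 from any remote address, with a helper that replaces them with a rule scoped to the VPN client pool.  It assumes an elevated session on a Windows host with the NetSecurity module (Windows 10 / Server 2016 or later); the subnet 10.8.0.0/24 and the rule name "RDP (VPN only)" are placeholders to adapt to your own environment.

```powershell
# Added example, not code from the original post.
# Assumptions: run as Administrator; NetSecurity module present;
# 10.8.0.0/24 is a placeholder for your real VPN client address pool.

$RdpPort   = 3389
$VpnSubnet = '10.8.0.0/24'   # placeholder: replace with your VPN pool

function Get-ExposedRdpRules {
    # Enabled inbound Allow rules whose port filter is TCP 3389 and whose
    # address filter accepts connections from 'Any' remote address.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.Protocol -eq 'TCP') -and
            ($port.LocalPort -contains "$RdpPort") -and
            ($addr.RemoteAddress -contains 'Any')
        }
}

function Limit-RdpToVpn {
    param([string]$Subnet = $VpnSubnet)
    # Disable every rule that exposes RDP to the world, then allow it only
    # from the VPN subnet. Host firewall only: the perimeter rule and the
    # BlueKeep patch itself are still required.
    Get-ExposedRdpRules | ForEach-Object {
        Write-Host "Disabling exposed rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }
    $name = 'RDP (VPN only)'   # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $RdpPort -RemoteAddress $Subnet -Profile Any |
            Out-Null
    }
}

# Report first; enforce only once the VPN pool is confirmed.
$exposed = Get-ExposedRdpRules
if ($exposed) {
    Write-Host "Found $($exposed.Count) inbound rule(s) allowing TCP $RdpPort from Any:"
    $exposed | Select-Object Name, DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Host "No inbound rule allows TCP $RdpPort from Any."
}
# To enforce:  Limit-RdpToVpn -Subnet $VpnSubnet
```

The audit half is what you would run across the inventory from lesson 2 to find the hosts that still answer on 3389 from anywhere.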

I have to go, my phone is ringing with yet another ransomware victim who had to find $60,000 in bitcoins before midnight ;-)


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.
