Let's keep the cool names coming.
So as part of a research project, the 70+ million Canadian IP addresses were scanned by someone I know... cough cough... for port 3389, the default port of the increasingly famous, and increasingly exploitable, Microsoft RDP service.
Now keep in mind that many organizations have multiple RDP services scattered across other ports (3390, 3391, and so on), but only 3389 was tested. It is a certainty that many more RDP services are exposed on the Internet.
On port 3389: 102,434 systems responded and are facing the Internet today.
Just sitting there, handing over valuable information.
As an example, just grabbing a screenshot of the RDP login screen can give you a pretty picture, but more importantly it gives you usernames and the OS version.
So obviously giving away your OS version along with usernames isn't ideal, but having an exploitable, unpatched operating system sitting on the Internet is even less ideal.
So I asked my "friend" to test the 102 thousand IP addresses to see how many would be exploitable...
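What a scanner actually does to turn "port 3389 answered" into "this is RDP", as an added example that is not part of the original post or of the scan it describes: the first packet of an RDP connection is an X.224 Connection Request carrying an RDP_NEG_REQ that lists the security protocols the client accepts, and the server's Connection Confirm carries an RDP_NEG_RSP (or RDP_NEG_FAILURE) saying which one it will use. Asking for Standard RDP Security (no TLS, no Network Level Authentication) and seeing whether the server agrees is the useful check for your own inventory, because that is the legacy configuration and the one to look at first; Microsoft's BlueKeep advisory lists NLA as a partial mitigation precisely because it forces authentication before the pre-authentication code path is reached. The sample replies below are hand-built from the MS-RDPBCGR field layouts, not captures; the host and port passed to probe() are whatever you point it at.

```python
"""Minimal RDP (MS-RDPBCGR) X.224 Connection Request / Confirm probe.

Builds the first packet any port-3389 scanner sends and parses the reply
to tell (a) whether the listener really speaks RDP and (b) which security
protocol the server is willing to use.  Added example; not code from the
post or from the scan it describes.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000       # Standard RDP Security: no TLS, no pre-connection auth
PROTOCOL_SSL = 0x00000001       # TLS
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. Network Level Authentication (NLA)
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (no cookie)."""
    # RDP_NEG_REQ: type(1) flags(1) length(2, LE, always 8) requestedProtocols(4, LE)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: CR code 0xE0, DST-REF, SRC-REF, class option, then the variable part
    body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg_req
    x224 = bytes([len(body)]) + body            # LI = number of bytes after the LI byte
    tpkt = struct.pack(">BBH", 0x03, 0x00, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Classify the server's reply to build_connection_request()."""
    result = {"is_rdp": False}
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        result["reason"] = "not a TPKT frame"
        return result
    if struct.unpack(">H", data[2:4])[0] != len(data):
        result["reason"] = "TPKT length does not match payload"
        return result
    if data[5] & 0xF0 != 0xD0:                  # X.224 Connection Confirm code
        result["reason"] = "not an X.224 Connection Confirm"
        return result
    result["is_rdp"] = True
    neg = data[11:]                             # after LI, CC, DST-REF, SRC-REF, class
    if not neg:
        # Server predates protocol negotiation: Standard RDP Security is implied.
        result["negotiation"] = "none"
        result["selected_protocol"] = PROTOCOL_RDP
        return result
    ntype, flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        result["negotiation"] = "RDP_NEG_RSP"
        result["selected_protocol"] = value
        result["flags"] = flags
    elif ntype == TYPE_RDP_NEG_FAILURE:
        result["negotiation"] = "RDP_NEG_FAILURE"
        result["failure_code"] = FAILURE_CODES.get(value, f"unknown({value})")
    else:
        result["negotiation"] = f"unknown rdpNegData type {ntype}"
    return result


def accepts_standard_rdp_security(result: dict) -> bool:
    """True when the server will talk plain Standard RDP Security (no TLS/NLA)."""
    return result.get("is_rdp", False) and result.get("selected_protocol") == PROTOCOL_RDP


def probe(host: str, port: int = 3389, requested: int = PROTOCOL_RDP, timeout: float = 5.0) -> dict:
    """Live probe: ask for Standard RDP Security and see whether the server agrees."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        return parse_connection_confirm(sock.recv(1024))


# Constructed sample replies (hand-built from the spec, not captures from any scan).
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                        # CC, no rdpNegData
SAMPLE_STANDARD = bytes.fromhex("030000130ed000001234000200080000000000")      # RDP_NEG_RSP, PROTOCOL_RDP
SAMPLE_NLA = bytes.fromhex("030000130ed00000123400020f080002000000")           # RDP_NEG_RSP, PROTOCOL_HYBRID
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")  # RDP_NEG_FAILURE code 5

if __name__ == "__main__":
    for name, raw in [("legacy", SAMPLE_LEGACY), ("standard", SAMPLE_STANDARD),
                      ("nla", SAMPLE_NLA), ("nla-required", SAMPLE_NLA_REQUIRED),
                      ("http", b"HTTP/1.1 400 Bad Request\r\n")]:
        r = parse_connection_confirm(raw)
        print(f"{name:13s} plain-RDP-allowed={accepts_standard_rdp_security(r)}  {r}")
```

Run it against a host you own with probe("host") and you get the same answer a mass scanner gets without ever reaching a login prompt: a reply with no rdpNegData or with selectedProtocol 0 means the box will negotiate down to Standard RDP Security, a HYBRID_REQUIRED_BY_SERVER failure means NLA is enforced. Neither result says anything about patch level; only the inventory and the patch record do that.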
Drum roll, please...
Over 10,000 Internet-facing systems in the Canadian IP range remain exploitable, even after significant media coverage.
These devices will more than likely be hit by malware in the coming weeks, since finding them does not require ANY real technical skill and exploits for BlueKeep (CVE-2019-0708) are being weaponized as we speak.
Here are the actual statistics:
* Note: RDP can be found on other ports; we only tested 3389.
* It still shouldn't be open on port 3389 facing the Internet.
* Tests did not conclude
Even the NSA is putting out warnings about how bad these attacks will be. After all, they don't want everyone using the exploit now that they can't be its exclusive user.
And Microsoft, who knows that many enterprises are still running aging systems like Windows XP, actually pushed out updates for systems that have not been supported in years. That should be a sign that this update is worth investigating and acting on. They even published numerous warnings.
So once again we are faced with the same age old issue of patching.
But keep in mind that when I tested for Heartbleed in 2014, I found over 40,000 unpatched, exploitable systems within the Canadian IP range. When I tested again in 2018, about 10,000 remained. This was for a vulnerability that literally spat out confidential memory contents in 64 KB blocks.
So going by that trend, BlueKeep will be around for a while.
And corporate "America" is going to focus on patching the external-facing systems while ignoring the internal ones, which means that when Jenny, the new less-than-bright CSO put in place to give that publicly traded company plausible deniability, clicks on that juicy phishing email, lateral movement across the internal network is going to be easy for years to come.
So, once again, two lessons to learn here:
1) Patch all your systems for critical vulnerabilities.
2) Know your inventory so you get them all.
3) Put RDP behind a VPN, because password guessing and other attacks on RDP still exist, or will surface.
4) Don't hire fake paper security experts to fill a role and help shovel IT risks under the rug so the shareholders feel all cozy.
Wait... that was four... damned Thursday morning Jello shots.
I have to go, my phone is ringing with yet another ransomware victim who had to find $60,000 in bitcoin before midnight ;-)
Eric Parent is a senior security expert specialized in coaching senior executives. He teaches cybersecurity at l'Ecole Polytechnique and HEC in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.