The Australian Cyber Security Centre warns it is way past patching time for all users of Windows 7, Vista or XP, as well as Windows Server versions 2008 or 2003.
A new exploit for a security hole called BlueKeep was revealed late last week, according to the ACSC, which has been telling all users of these older Microsoft products to apply a security patch for the last month or so.
“Australian businesses and users of older versions of Windows should update their systems as soon as practically possible, before hackers further refine their tools and tradecraft in order to fully utilise this exploit,” says the team, which is part of the Australian Signals Directorate.
The BlueKeep patch was released by Microsoft on August 8, along with detailed advice on guarding against it, but the ACSC issued its latest warning on September 7 after it became aware of a new “working exploit” for the vulnerability. This follows previous ACSC warnings about BlueKeep in June and August as well as “detailed mitigation advice” on what to do about it.
The software maker’s Detection and Response Team (DART) had this to say in a blog post last month:
“The BlueKeep vulnerability is ‘wormable,’ meaning it creates the risk of a large-scale outbreak due to its ability to replicate and propagate, similar to Conficker and WannaCry. Conficker has been widely estimated to have impacted 10-to-12 million computer systems worldwide. WannaCry was responsible for approximately $300 million in damages at just one global enterprise.”
The Microsoft DART adds pointedly that these two previous worm outbreaks in 2008 and 2017 happened months after it released patches that would have prevented them if more users had actually applied them. “Hopefully, this will encourage everyone to patch immediately.”
The ACSC made the same point and says users of any version of Windows should either deny access to the Remote Desktop Protocol (RDP) directly from the internet, or protect these sensitive systems by placing them behind a Virtual Private Network with multi-factor authentication. “As a rule, it’s important to always install manufacturers’ updates as soon as possible.”
DART offers more detailed advice on keeping Remote Desktop systems safe from a whole range of attacks. “It’s important to note that the [BlueKeep] exploit code is now publicly and widely available to everyone, including malicious actors. By exploiting a vulnerable RDP system, attackers will also have access to all user credentials used on the RDP system.”
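The ACSC's and DART's advice above boils down to three questions a defender can ask of each legacy host: is it one of the affected products, is the patch installed, and is RDP reachable from the internet. The following script is an added example, not code from the ACSC or Microsoft; it assumes PowerShell 2.0 or later, local administrator rights, and that the placeholder `$BlueKeepKb` is replaced with the KB number from Microsoft's advisory for that OS.

```powershell
# Added example, not code from the ACSC or Microsoft: report one host's exposure
# to the RDP vulnerability discussed above. Assumes PowerShell 2.0+ (the Windows 7 /
# Server 2008 era) and local administrator rights.
$BlueKeepKb = 'KB<id-from-microsoft-advisory>'   # placeholder, not a real identifier

# Kernel versions of the products named by the ACSC:
# 5.1 = XP, 5.2 = Server 2003, 6.0 = Vista / Server 2008, 6.1 = Windows 7 / Server 2008 R2
$AffectedVersions = @('5.1', '5.2', '6.0', '6.1')

$os       = Get-WmiObject Win32_OperatingSystem
$majorMin = ($os.Version -split '\.')[0..1] -join '.'
$affected = $AffectedVersions -contains $majorMin

# Is Remote Desktop switched on? fDenyTSConnections = 1 means it is disabled.
$ts      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOn   = ($ts.fDenyTSConnections -ne 1)
$rdpPort = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber

# A listener bound to 0.0.0.0 or [::] on the RDP port is reachable from every
# network the host and perimeter firewalls let through, including the internet
# if the port is forwarded or the host has a public address.
$wideOpen = @(netstat -ano | Where-Object {
    $_ -match 'LISTENING' -and $_ -match "^\s*TCP\s+(0\.0\.0\.0|\[::\]):$rdpPort\s"
}).Count -gt 0

# Is the update present? Get-HotFix reads the installed-update list from WMI.
$patched = [bool](Get-HotFix -Id $BlueKeepKb -ErrorAction SilentlyContinue)

$report = New-Object PSObject -Property @{
    Host            = $env:COMPUTERNAME
    OSVersion       = $os.Version
    AffectedProduct = $affected
    RdpEnabled      = $rdpOn
    RdpPort         = $rdpPort
    ListensOnAll    = $wideOpen
    PatchInstalled  = $patched
}
$report | Format-List

if ($affected -and -not $patched -and $rdpOn) {
    Write-Warning "Unpatched legacy host with RDP enabled: apply the update now and, until then, remove direct internet access to TCP $rdpPort or require a VPN with multi-factor authentication in front of it."
}
```

Whether a listener on all interfaces is actually exposed to the internet depends on the perimeter firewall, so treat `ListensOnAll` as a prompt to check the edge rules rather than as proof of exposure.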
The Microsoft team said it could see over 400,000 vulnerable endpoints that are at risk from “a worm-based weaponization of the BlueKeep vulnerability”, and the implication is that malware authors can scan the internet for the same weak points.
The ACSC told governments and operators of critical infrastructure about the BlueKeep vulnerability in August, after it was revealed on Twitter.
“The disclosure … is anticipated to increase the amount of RDP scanning activity, increasing the chances of attempted exploitation of unpatched systems,” it warned at the time, estimating that 50,000 devices owned by Australian organisations could be at risk.
“Any organisation or business that relies on the older Microsoft systems is at risk,” said Rachel Noble, who leads the small agency. “The compromise of an unpatched system could increase the chance that your network could be exploited.”