Network Level Authentication

Got Some Critical News to Share…

The Situation:

Yesterday (May 14), Microsoft issued a global warning about a monster computer bug and provided links to download critical security updates for the vulnerability which is being referred to as “BlueKeep”, this article provides you with some of the details about why this threat could be very important to your business and includes the steps you that should take to prepare and protect your environment ahead of the expected volumes of attempted exploits of this vulnerability.

Microsoft’s Monster Computer Bug is just one of three very high-profile computer-security alerts issued just this week, along-side Cisco’s Massive Router Bug (global warning) and Intel’s Chip ZombieLoad Bug (affects nearly every Intel chip manufactured since 2011). The flaw mainly affects older Windows operating systems like Windows 7 and Windows Server 2008. To highlight just how serious this threat is predicted to be, Microsoft issued an update for affected, out-of-support Windows operating systems including Windows XP and Server 2003.

This vulnerability is viewed so critically that Microsoft added that the vulnerability and unpatched systems are “highly likely” to be exploited by malicious software like the WannaCry worm. Any “future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer like the WannaCry malware spread across the globe,” Microsoft said Tuesday in a blog post.

You remember how WannaCry spread across the globe two years ago, right?

WannaCry spanned 150 countries, crippled over 100,000 businesses (infecting several hundreds of thousands of systems), and amassed an estimated $4 billion in damages.

No organization can afford a repeat of WannaCry, and you can prevent it by taking immediate action.

“Fortunately, Windows 10 and Windows 8 are not affected by the flaw”, Microsoft said.

 

The Important Stuff about the Monster Computer Bug

This is a Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – (aka, Terminal Services) that affects older versions of Windows. Remote Desktop Protocol (RDP) itself is not vulnerable. The vulnerability however exists prior to authentication (pre-authentication) and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer just like WannaCry.

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.

This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Key Take-Aways

  1. To exploit the monster computer bug, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.
  2. The Windows update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

 

How to Get Ahead of This Type of Vulnerability?

Spyglass is the Security and Compliance Solutions team at Catapult. We work with our Managed Services teams, Solution Practice Leaders, Communities of Practice, and partners to collaborate on security solutions, provide remediation assistance, and in this case share knowledge to proactively heed warnings of emerging threats – all, in order to protect our clients. Below are a few practical tips that you can take to reduce your risk of becoming compromised by this particular monster computer bug.

:

1 – Use Complex-Passphrases and Multi-Factor Authentication (MFA)

Use strong passphrases and multi-factor authentication on any accounts with access to Remote Desktop. This should be mandatory before enabling Remote Desktop to admins and/or users. There are advanced capabilities for both passwords and multi-factor authentication (MFA) which can be leveraged, including password-less strong authentication and conditional multi-factor, but this article is designed to generalize an approach for all.

2 – Limit users who can log in using Remote Desktop

For convenience, many organizations historically allowed all of their Administrators (Privileged Users) to use Remote Desktop. This practice has since been viewed as risky, especially when there exist no additional protections such as MFA. Yet, many organization still operate in this manner. If you have multiple Administrator accounts on your computer, you should restrict remote access to only those that need it. If Remote Desktop is not used for system administration, remove all administrative access to RDP and only allow user accounts requiring RDP service.

To control access to the systems further, using “Restricted Groups” via Group Policy is also helpful.

3 – Patch Your Systems

Apply all security patches and software updates from Microsoft. Please check out the companion article “Operation Monster Smash – Part 2” written by my colleague, Cameron Fuller, for some important advice and tips related to patching.

4 – Upgrade Your Windows Operating Systems

Again, check out Cameron’s Part 2 article for tips and details on migrated your environment to up-to-date operating environments. Sure, we get it; everything is time consuming and migrations can be complex. That’s where Catapult Launch can help you. However, it should be intuitively obvious by now that nobody should be running on operating systems that are no longer supported (such as Windows XP, Windows Vista, or Windows Server 2003). Just compare the cost of upgrading your Windows operating systems with the much larger cost of a data breach (the average cost is over $4 million USD) and the choice becomes clear.

5 – Don’t Need RDP? Then, Why Not Shut It Off

Although Windows Remote Desktop is useful, bad-actors can attempt to exploit it to gain control of your system to install malware or exfiltrate sensitive information. It’s a good idea to keep the feature turned off unless you need it (reducing your attack surface). You can disable it easily, and you should do so unless you need the service. Our partners (such as 1E) create powerful security solutions that Catapult and our clients leverage to help innovate “just-in-time” access. For example, 1E’s Tachyon solution, among other features can disable a service across your enterprise and enable it for only when it is needed.

6 – Set an Account Lockout Policy

Configure your systems to lock an account for a period of time after a number of incorrect sign-in attempts. This prevents bad-actors from using automated password-guessing tools from gaining access to your systems.

7 – Change the Listening Port for Remote Desktop

Changing the listening port will help to “obfuscate” Remote Desktop from hackers who are scanning the network for computers listening on the default Remote Desktop port (TCP 3389). While obfuscation is not really considered a reliable security technique changing the RDP port can offer some protection against automated/unsophisticated drive-by worm attacks.

8 – Implement Microsoft Defender Advanced Threat Protection

While Win 10 is not necessarily vulnerable to this particular monster computer bug, Microsoft Defender Advanced Threat Protection (aka, Windows Defender ATP) provides tremendous threat and vulnerability management protection from old and new known attacks, unknown attacks (zero-day), malicious payloads, and even payload-less malware. What if a server in your environment was compromised via the RDP vulnerability cited here, and the bad-actor designed a zero-day attack to exfiltrate your data or deploy a unique ransomware? Microsoft Defender ATP might be your last/best line of defense. Check out Microsoft Defender ATP for more information.

9 – Monitor devices for suspicious activity before and after updates

Bad actors are cunning. They first establish a beach-hold in your systems by a broad range of tactics, (e.g., phishing accounts for over 80% of these intrusions). Then, they sit dormant as they listen, learn, and test your environment for weaknesses in order to elevate their access level. If you wonder how long a bad-actors typically operate within a compromised environment take a look at FairWarning’s summary of the “Ponemon: The Average Cost of a Data Breach 2017 Summary” that reveals, among other useful statistics, that companies in the United States  companies took an average of 206 days to detect a data breach. That’s nearly two-thirds of a year.

 

In summary, the monster computer bug referenced in this article is considered high-critical. However there are a number of steps as mentioned (above) that you can take to prevent it from impacting your business. Don’t hesitate to contact Catapult’s Spyglass team if you have questions about your security, or if you need assistance improving your security posture through Coaching and On-Demand Expertise. We are here to help.

 

Till next time,

Ed