Microsoft has announced the BlueKeep vulnerability, a wormable Remote Desktop vulnerability that has a high potential of being exploited in legacy operating systems. Be warned, this vulnerability can be exploited remotely with no authentication required. Protect yourself from what people are calling the next WannaCry.

1. EVERYTHING YOU NEED TO KNOW
ABOUT BLUEKEEP
Chris Goettl
Director of Product Management, Security
Brian Secrist
Staff Quality Assurance Engineer

2. Agenda
 BlueKeep – What we know so far
 Details about CVE-2019-0708
 Remediation vs Mitigation
 Driving toward a 14 day ‘Time to Patch’
 Do you need a quick fix for those XP and 2003 systems?
 Special Extended Trial Offer

3. BlueKeep News
 May 14th, 2019 – Patch Tuesday
 Microsoft warns of critical vulnerability that is ‘Wormable’
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-
updating-remote-desktop-services-cve-2019-0708/
 Brian Krebs relates this to the 2017 WannaCry event
https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-
windows-xp-7-and-windows-2003/
 Microsoft CVE describing the vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-
2019-0708

4. Copyright©2019Ivanti.Allrightsreserved
CVE-2019-0708 “BlueKeep”
• A remote code execution vulnerability exists in Remote Desktop Services
(fka Terminal Services) that could allow an attacker to execute arbitrary code
on the affected system. This vulnerability is pre-authentication and
requires no user interaction. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.
• “This vulnerability is pre-authentication and requires no user interaction. In
other words, the vulnerability is ‘wormable’, meaning that any future malware
that exploits this vulnerability could propagate from vulnerable computer to
vulnerable computer in a similar way as the WannaCry malware spread
across the globe in 2017. While we have observed no exploitation of this
vulnerability, it is highly likely that malicious actors will write an exploit for this
vulnerability and incorporate it into their malware.”
Simon Pope, Director of Incident Response, Microsoft Security Response Center

5. Copyright©2019Ivanti.Allrightsreserved
How many systems are vulnerable?
of Windows workstations
globally are vulnerable.35%
16
Million public facing systems
listening on ports 3389 and 3388

6. Copyright©2019Ivanti.Allrightsreserved
How big of an impact could this vulnerability be?
The May 2017 global malware epidemic WannaCry affected some
200,000 Windows systems in 150 countries. Total economic impact
was estimated at $4 billion. Source: Wikipedia.

7. Copyright©2019Ivanti.Allrightsreserved
What might the next WannaCry look like?
Ransoms paid to WannaCry
only reached $72k by 5/17
By Aug 2017 the attackers
cached out at $140k
What if the next WannaCry
were to mine BitCoin
instead?
An average GPU could generate around $40 per month in BitCoin
$40 x 200k systems x 5 months = $40 Million mined

8. BlueKeep News
 May 15th, 2019 – Social Media and GitHub activities begin
 The race begins and social media is
https://mobile.twitter.com/BlueKeepTracker
 May 17th, 2019 – PoC available on GitHub, fake PoCs also
 PoC available on GitHub, currently not able to inflict damage
https://www.askwoody.com/2019/theres-now-a-freely-available-proof-of-
concept-exploit-for-the-wormable-winxp-win7-bug/
 May 20th, 2019 – BSOD achieved
 @GossiTheDog on twitter shared
Kaspersky/@oct0xor got Blue Screen with #BlueKeep. The GIF is authentic.
Three different researchers at different companies have reached this stage
so far. Note this in itself does not allow code execution.

9. BlueKeep News

10. How do we prevent another
WannaCry?

11. Copyright©2019Ivanti.Allrightsreserved
Remediation vs Mitigation
 Patching the vulnerability is the best option
 Mitigation Options:
 If updating immediately isn’t an option, consider turning off Remote Desktop
Services. Where Remote Desktop Services are required, consider turning on
network-level authentication (NLA) for RDP as that mitigates likely remote vectors
for exploitation. Note that even with NLA enabled, users that have authenticated to
RDP could still exploit this vulnerability to elevate privileges.
 Reduce the risk of internet-exposed machines with RDP enabled by placing them
behind an authenticated gateway or a firewall.

12. Copyright©2019Ivanti.Allrightsreserved
Remediation vs Mitigation
 Additional Mitigation Options:
 In instances where NLA would break applications or workflows, Windows Defender
Firewall can be used to enforce authentication via Kerberos prior to accessing the
port.
 If physical network segmentation or NLA are not options for preventing remote
unauthenticated access to RDP, use Remote Desktop Gateway to secure RDP
access.
 Customers evaluating the risk posed by this vulnerability should account for
potential attacks within the perimeter of their networks. Past malware has used
similar vulnerabilities to spread within enterprise environments after gaining a
foothold within the network.
 Attackers might utilize this vulnerability to cause disruption by crashing vulnerable
systems. Unusual crashes in termdd.sys should be investigated as a potential use
of this vulnerability.

13. Copyright©2019Ivanti.Allrightsreserved
Shorten Vulnerability Remediation or ‘Time to Patch’
DHS gives agencies 15-day deadline to patch security flaws
 https://www.zdnet.com/article/dhs-gives-agencies-15-day-deadline-to-
patch-security-flaws/
 Original mandate BOD 15-01 released in 2015 requiring DHS agencies to resolve security
vulnerabilities in 30 days.
 DHS agencies went from an average of 149 days to 20 days to remediate critical security
vulnerabilities.
 BOD 19-02 drives the mandate down to 15 days for critical and 30 days for high severity
vulnerabilities.
Why 15 days?

14. Copyright©2019Ivanti.Allrightsreserved
Time to Patch
Exploited Zero Day
Public Disclosure
Unknown Vulnerabilities
0-2 Weeks
Rising Risk
Day Zero
Update
Releases
2-4 Weeks
50% of exploits
have occurred
40-60 Days
90% of exploits
have occurred
• Shorten Time to Patch
• IdentifyAutomate the bottlenecks
• Shorter Test Cycles – Clearly Communicated Stages
• More User Participation – Pilot Groups for Critical Apps
• Classify Applications that need to be done more frequently

15. Defense In Depth
Exploited Zero Day
Public Disclosure
Unknown Vulnerabilities
0-2 Weeks
Rising Risk
Day Zero
Update
Releases
2-4 Weeks
50% of exploits
have occurred
40-60 Days
90% of exploits
have occurred
120 Days
#1 Application Control
#2 Privilege Management
#1 Patch Management to reduce Attack Surface
#2 Application Control to block malware and untrusted payloads
#3 Privilege Management to prevent lateral movement pivot

16. Help prevent the next
WannaCry!

17. Ivanti Wants to Help Prevent the Next WannaCry
 Special Extended Trial Offer
 Ivanti Security Controls – Patch, Application Control, Privilege Management
 90 days
 1000 systems
 No strings attached.
 Installed and running your first assessment in 30 minutes or less
 Fill out this form to get your free 90 day license.
 https://go.ivanti.com/Web-FT-ISeC-BlueKeep.html
 Most important, Patch CVE-2019-0708!

18. Thank You

19. Why are you still here?
The webinar is over.
You should be Patching!
You’re still here?
It’s over.
You should be Patching!