Two weeks following Microsoft’s warning of Windows RDP worms, a million internet-facing boxes are still vulnerable.
Designated CVE-2019-0708 and called BlueKeep, the flaw can be misused by malefactors to perform malevolent code and install malware on susceptible machines without the need for any user verification: a hacker simply has to be able to reach the box across the internet or network in order to hijack it.
It is termed as a “wormable” security hole because it is likely to write a worm that spreads automatically, tainting a machine and then attacking others. Two weeks ago, Microsoft issued security covers for systems going back to Windows XP to put an end to this virus, with everyone urged to install them.
Therefore, after a fortnight, how many susceptible internet-facing machines are still out there, waiting to be attacked and commandeered? Rob Graham of Errata Security claimed today he has already found closely one million unpatched boxes uncovered on the internet.
Graham said he was specifically able to, over the course of a few hours, find some 932,671 public-facing computers still susceptible to CVE-2019-0708. To do this, he skimmed the public internet for machines that had the Windows Remote Desktop network port (3389) open, using his masscan tool, and against those 7,629,102 matching machines, he ran a second script that snuffled out whether each box was running a susceptible version of the service.
Some 932,671 were found running susceptible Windows RDP services, 1,414,793 systems were patched, 1,235,448 were endangered by additional CredSSP/NLA security checks, 82,836 were found to be running HTTP servers on port 3389 and thus not susceptible, and the rest either timed out or the connection failed in some way.
Graham said that the outcome is that these tests approve that roughly 950,000 machines are on the public internet that are weak to this bug. “Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.”
Graham said such chaos could be on a par with the ruin caused in 2017 by the eruption of the WannaCry and NotPetya ransomware contagions. With hackers already working on automated exploits (tools to scan for at-risk machines on networks have been released), a worm could effortlessly get into the hundreds of thousands of unprotected machines.
What’s worse is that a lot of organizations will perhaps have some elapsed susceptible RDP-enabled machine facing the internet with working domain admin credentials stored on it, which can be stolen by Remote Desktop hackers and worms to further infiltrate networks. Graham told The Register that such a situation – domain admin credentials lifted from a compromised box – is tragically all too common in corporate environments these days.
“Most businesses have this problem,” Graham said. “They do a poor job of restricting domain administrator privileges.”