Two weeks after Microsoft warned of Windows RDP worms, a million internet-facing boxes still vulnerable

The critical Windows Remote Desktop flaw that emerged this month may have set the stage for the worst malware attack in years. The vulnerability, designated CVE-2019-0708 and dubbed BlueKeep, can be exploited by miscreants to execute malicious code and install malware on vulnerable machines without the need for any user …

  1. Filippo Silver badge

    It's worth noting, at least according to the Microsoft blog linked to by the article, that this vulnerability does not apply to Windows 8 and 10. It only applies to versions that are already out of support, or will be in less than a year.

    1. Anonymous Coward
      Anonymous Coward

      First, you make the mistake of thinking only about desktop versions - many machines with RDP enabled are server ones. This vulnerability does impact 2008 and 2008R2 machines, and even if they're going EOL too, we all know how upgrading servers is usually more complex (and expensive) than desktops.

      For Microsoft, anyway this is a good opportunity to hasten people to upgrade, or migrate to Azure...

      1. Mandoscottie

        Throw into the mix the fix for 2k3 and all the way up including XP right past 2k8.

        With them even releasing it for those dinosaurs, it shows how prevalent it is and that it's being actively used in the wild.

        Get inside the perimeter and suddenly those old boxen with SMB 1 enabled, SSL 1 and 2, TLS 1.0... plus that and <insert a plethora of priv escalation bugs atm> or steganography into Exchange, get SYSTEM and then use this across the prod ring as SYSTEM.

        Gateway to a potential 5h1tstorm. It's a 512 KB exe patch and 1 restart; get it done already. Why? Have a look at Baltimore (still). My dinos were patched within 24 hours of the release of said patch, despite them being Carbon Black in lockdown mode.

        Yep, it's a finger in a small gaping wound, when they have more sec holes than Swiss cheese all over. I'd kill them if I could but we can't quite yet. Azure's what I'm recommending: get them the f off my local estate of 2k12s and 16s.

        1. Hans 1
          WTF?

          1 restart? Why, is RDP not userspace? How you guyz accept this is beyond me.

    2. Claptrap314 Silver badge

      So having garbage security is now a revenue stream? Great.....

      1. Anonymous Coward
        Anonymous Coward

        “So having garbage security is now a revenue stream? Great.....”

        Relying on out-of-the-box features in a 10+ year old OS leads to a requirement to upgrade or use an alternative product, shocker.

        At places I've worked, RDP open to the Internet never made it past a security review anyway. It either went through a load balancer as HTTPS to Citrix/VDI or required site-to-site/client VPN. YMMV.

        1. Anonymous Coward
          Anonymous Coward

          This May Citrix Receiver RCE...

          https://support.citrix.com/article/CTX251986

          And I don't want to know when my company last updated its VPN gateway...

    3. sanmigueelbeer

      It only applies to versions that are already out of support, or will be in less than a year.

      And there are still a lot of machines out there that cannot be upgraded for several reasons:

      1. A critical piece of software will only work with that version;

      2. Manufacturer "could care less" to upgrade the firmware to a model that is deemed "end of support" (translation: Pay up to upgrade to a more expensive model).

      At the end of the day, a lot of owners don't have the funds to get this issue fixed until they get hacked.

  2. Anonymous Coward
    Anonymous Coward

    It's not only the internet facing ones...

    Once you're inside a network - using this vuln or another - you can probably find a lot more machines with this vulnerability unpatched - and many of them will be servers, domain joined....

    1. Roland6 Silver badge

      Re: It's not only the internet facing ones...

      "Specifically, Graham said he was able to, ... find some 932,671 public-facing computers still vulnerable to CVE-2019-0708. To do this, he scanned the public internet for machines that had the Windows Remote Desktop network port (3389) open"

      Given a common practice is to use a non-standard port for Internet RDS access, I expect significantly more public facing computers are still vulnerable. One hopes that they have firewalls with port scanning detection and blocking enabled.

      I suspect any site/IP address where Shodan reports the presence of an MS service, e.g. Exchange or IIS (but not RDS), will odds-on also have an MS RDS server on a non-standard port.

      1. defiler

        Re: It's not only the internet facing ones...

        A thumb-up for pointing out that many RDP services are on non-standard ports, but I can assure you that I bawl the shit out of people for putting RDP straight on the internet on *any* machine, even if it runs Exchange / IIS.

        At the *very* least, put a Remote Desktop Gateway in there. Minimum.

      2. Anonymous Coward
        Anonymous Coward

        Re: It's not only the internet facing ones...

        “Given a common practice is to use a non-standard port for Internet RDS access”

        Fingerprinting services via slow scans means that the baddies know where your publicly accessible services are hiding, even if you use non-standard ports. The exception being if you use port knocking.

        They may not appear in these figures, but I guess people will find out soon enough if they avoided this.

  3. Buzzword

    Basic security

    Why on earth are there over a million public-facing open RDP ports in the first place?

    1. Anonymous South African Coward Bronze badge

      Re: Basic security

      Why on earth are there over a million public-facing open RDP ports in the first place?

      Because of various reasons.

      1. PHB decreed that it is too much of a schlepp to VPN first

      2. Techie got booted and a beancounter is running the IT show

      3. n00b IT techie thinking that a strong P455w0rd will keep them ne'er-do-wells out for good. Muhuhaha

      4. Some pissed-off IT guy somewhere did this on purpose to nuke the company's network

      5. Router does not support PPTP VPN or PPTP VPN passthrough, so they're using RDP passthrough.

      6. Some researcher did this on purpose to see if their product can mitigate a bad event.

      PROTIP : The brilliant idea of changing the RDP port from default 3389 to something else DOES NOT HELP. A portscan will sniff it out and your ass will see a six-pack whoopass.

      1. This post has been deleted by its author

        1. Cowboy Bob

          Re: Basic security

          Yep, heard that many times. My favourite was when I needed to set up an outbound FTP connection from a server to pick up some files, only to find out that the FTP port was blocked. The net-admin told me the FTP port was blocked by the firewall egress rules so people couldn't steal data if they got on the machine.

          Ignoring the general stupidity of that statement, port 80 was open for HTTP, so I asked him what would happen if I started up an FTP server listening on port 80 instead. His smile gradually faded as his brain processed what I had just told him.

          1. hmv

            Re: Basic security

            Blocking file transfers from servers isn't an especially dumb idea; I do it except for a list of exceptions. If you can't stop a server from being compromised, stopping the second stage download is quite handy (been there, got the T-shirts).

            Just running on port 80 might not be sufficient; a firewall will need to intercept the control data to open transient ports for the data channel(s) and it probably won't do it by default on tcp/80.

            And you're assuming a last generation firewall that won't look at the traffic and decide that ftp isn't allowed on non-default ports.

          2. Smartypantz

            Re: Basic security

            Please tell, what do you think is the "ftp port"?

      2. Anonymous Coward
        Anonymous Coward

        "does not support PPTP VPN or PPTP VPN passthrough"

        If you still use PPTP you have already many security issues...

        1. Hans 1
          Thumb Up

          Re: "does not support PPTP VPN or PPTP VPN passthrough"

          If you still use PPTP your opinion does not count.

          #TFTFY

      3. Roland6 Silver badge

        Re: Basic security

        PROTIP : The brilliant idea of changing the RDP port from default 3389 to something else DOES NOT HELP. A portscan will sniff it out and your ass will see a six-pack whoopass.

        Never heard of firewalls with port scan detection and blocking...

        The main advantage of using a non-standard port is to separate the grain from the chaff, also Shodan only seems to report the presence of RDP services if they are on the default port...

        1. Smartypantz

          Re: Basic security

          Exactly right!

          If the original poster's tip actually was a "PROTIP" (I hope not), it's no surprise that the security of our profession is in such a poor state :-)

        2. Anonymous Coward
          Anonymous Coward

          Re: Basic security

          Slow scanning effectively defeats firewall port scan detection - if you are scanned below the threshold scan rate for the next few months and the results are combined from multiple scanners, it only really defeats the people who are in a rush, pen testers or script kiddies.

          Once they find something is open, they can investigate further to try and work out the exact service and OS, maybe even the firewall and any other interesting services on related IPs/ports. Then wait for a vulnerability.

          Sure it takes time, but if you're scanning enough targets, your victim pool is significant.
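          The two comments above, Roland6's point that a firewall's port-scan blocking hides a non-standard port from fast scans and this reply's point that a scan spread over months and across several scanner addresses stays under a rate threshold, are easiest to see with a detector that keeps state over a long horizon. The Python below is an added example, not code from The Register or any commenter: the log line format is constructed, the source and destination addresses are RFC 5737 documentation ranges, and the two rules (a 60-second burst threshold and a 30-day per-/24 aggregation) and their thresholds are illustrative assumptions.

```python
"""Burst vs. long-horizon port-scan detection over constructed firewall log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log syntax (not any real firewall's format):
#   "<ISO-8601 UTC time> DROP|ACCEPT src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def burst_detector(events, window=timedelta(seconds=60), min_ports=10):
    """Classic rate rule: flag a source that hits >= min_ports distinct ports inside `window`.
    This is the kind of threshold a one-probe-a-day scan never trips."""
    flagged = set()
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DROP":
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ports = {start["dport"]}
            j = i + 1
            while j < len(evs) and evs[j]["ts"] - start["ts"] <= window:
                ports.add(evs[j]["dport"])
                j += 1
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged


def slow_scan_detector(events, window=timedelta(days=30), min_targets=8, prefix_len=24):
    """Long-horizon rule: group DROPs by source /prefix_len and count distinct (dst, dport)
    pairs seen inside `window`. Grouping by prefix also catches a scan that rotates
    between neighbouring source addresses. Returns {network: distinct_targets}."""
    flagged = {}
    by_net = defaultdict(list)
    for e in events:
        if e["action"] == "DROP":
            net = ipaddress.ip_network(f"{e['src']}/{prefix_len}", strict=False)
            by_net[str(net)].append(e)
    for net, evs in by_net.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = set()
            j = i
            while j < len(evs) and evs[j]["ts"] - start["ts"] <= window:
                targets.add((evs[j]["dst"], evs[j]["dport"]))
                j += 1
            if len(targets) >= min_targets:
                flagged[net] = len(targets)
                break
    return flagged


def build_sample_log():
    """Constructed sample: a slow scanner, a fast scanner and some accepted traffic."""
    lines = []
    base = datetime(2019, 5, 1, 3, 0, 0)
    # Slow scanner: one probe per day, alternating two addresses in the same /24.
    for day, port in enumerate([21, 22, 23, 80, 443, 3389, 3390, 8080, 8443, 33890]):
        src = "203.0.113.7" if day % 2 == 0 else "203.0.113.8"
        ts = base + timedelta(days=day)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} DROP src={src} dst=198.51.100.20 dport={port}")
    # Fast scanner: twelve ports within twelve seconds from one address.
    for k, port in enumerate(range(3380, 3392)):
        ts = base + timedelta(days=12, seconds=k)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} DROP src=192.0.2.5 dst=198.51.100.20 dport={port}")
    # Accepted traffic (e.g. an office address reaching an HTTPS gateway) is not counted.
    for day in range(10):
        ts = base + timedelta(days=day, hours=6)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ACCEPT src=203.0.113.200 dst=198.51.100.21 dport=443")
    return lines


def analyse(lines):
    """Run both rules; the slow scanner appears only in the long-horizon result."""
    events = [e for e in map(parse_line, lines) if e]
    return {"burst": sorted(burst_detector(events)), "slow": slow_scan_detector(events)}


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

          On the constructed log the burst rule flags only 192.0.2.5, while the 30-day rule flags both 192.0.2.0/24 and 203.0.113.0/24, the latter having touched ten distinct ports without ever exceeding one probe per minute. Memory for the long-horizon rule grows with the number of distinct (source prefix, target) pairs retained, so in practice it is fed from a daily roll-up rather than raw packets.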

      4. Anonymous South African Coward Bronze badge

        Re: Basic security

        Just something to add to my list - most AWS VM instances make use of RDP. I have to assume that others (Azure etc) also have the same drawback, and that you'll have to set up RDP on your VM in order to access it remotely.

        Gonna be achy breaky heart time soon...

      5. Smartypantz

        Re: Basic security

        Regarding your "PROTIP":

        Of course it helps to run it on a non-standard port. Most exploit code is dumbass script kiddies copying and pasting the same, lame code that, as a matter of economy, does not run a full portscan + protocol detection before letting the load!

      6. Anonymous Coward
        Anonymous Coward

        Re: Basic security

        7, partly related to 3...

        An experienced IT techie, knowing full well that it isn't the ideal way of doing things, but limited by budget or customers' willingness to just go elsewhere if a simple task can't be achieved in 15 minutes. This is common in small businesses (which, remember, make up the majority of the country).

        Sure, you could stand there and argue.. No, you need a VPN.. No, you need some 2FA.. No, you need a static at home to restrict traffic in-over.. I've said the latter to at least two sites over the last year "to keep things secure" and they still haven't bothered paying BT the extra fiver a month.

        These are the same sites where a "CCTV Professional" comes in and gets a Dahua rig going (famous for having cams that turn into botnets), plugs it straight into the LAN and the MD gets his feed at home and on his phone. How does the IT person follow that with "you can't do that, we need X"? The MD says "It works!" and that's the end of that.

        Not best practice - we know - but you can only do so much, and we've got mortgages to pay and families to feed too. You can't lose a customer, just mitigate where you can. Those in solid jobs with a team to delegate to, and a huge budget, will pour scorn, but that's how it is.

    2. Rich 11

      Re: Basic security

      To allow remote support, I'd guess. Some will be properly protected but many won't.

    3. Anonymous Coward
      Anonymous Coward

      Re: Basic security

      Because sometimes there are no other choices. There could be a lot of virtual servers on "cloud" systems that may not offer VPN access, especially the cheaper services.

      Evidently such systems need to be patched immediately when vulnerabilities like this arise - you know you take a risk and have to manage it; in this case the risk of being remotely p0wned easily should offset any other risk a patch could introduce.

  4. Anonymous Coward
    Anonymous Coward

    Hold on a minute

    Weren't we given the usual BS, er I mean FUD, er, I mean security advice, that this would be exploited within hours?

    https://nakedsecurity.sophos.com/2019/05/15/update-now-critical-remote-wormable-windows-vulnerability/

    1. Afernie

      Re: Hold on a minute

      How do you know it hasn't been?

  5. hmv

    Colour me surprised

    So what you're saying is that not everybody dropped everything and patched their vulnerable servers? Well colour me surprised.

  6. Anonymous Coward
    Anonymous Coward

    Well, duh..

    .. if 30+ years of persistent security problems from MS-DOS 3.30 upwards have not given you a hint that security is exactly not a Microsoft strength, then nothing will.

    The arguments why don't matter much, the facts do. If your business depends on Windows, consider every terminal a risk and spend accordingly on security. If you don't, you'll become another statistic.

    It's exactly all this work and elevated risk that is carefully kept out of any TCO calculation. If the calculations were indeed done for the Total cost of ownership (i.e. including labour, risk management, lost time, peripheral efforts required to shore up security, resources taken by the incessant patching etc etc etc) the picture would not look so rosy for Microsoft.

    Thankfully there is at least the golf course to bypass all that.

    1. Anonymous Coward
      Anonymous Coward

      If you believe non Windows systems are inherently secure...

      ... you are probably already p'0wned wholly and thoroughly.

      Just look at how many insecure devices are around running some flavour of embedded Linux. Sure, the reason is they usually run older, unpatched libraries - which just shows there were vulns there as well - and there will be others, don't worry - or better, be worried and never believe you're secure just because you don't use Windows... I'm quite sure the Equifax server wasn't a Windows one...

      1. Anonymous Coward
        Anonymous Coward

        Re: If you believe non Windows systems are inherently secure...

        If you believe non Windows systems are inherently secure...

        ... you are probably already p'0wned wholly and thoroughly.

        No, but as we were running Windows, MacOS, Linux and a bit of FreeBSD it is not exactly hard to figure out which services and end user stations require the least effort to stay secure. It sure as hell ain't Windows.

        All platforms require attention to stay secure, but the amount of work that Windows gave us for no real return simply made no business sense, so we chucked it. Thankfully we could, but I appreciate not everyone is in that position.

        1. Glen 1

          Re: If you believe non Windows systems are inherently secure...

          "least effort to stay secure"

          What's the mac equivalent of gpo or WSUS? (Not a dig - Genuinely interested)

  7. Dave Bell

    So why Windows?

    So why do people use Windows so much?

    Part of it seems to be the difficulty of finding non-Windows apps which do the same job.

    1. Anonymous Coward
      Anonymous Coward

      Re: So why Windows?

      Either via sales to people with no competence in the matter they get to decide upon, or sunk investment on a scale that makes it difficult to shift platform.

      The former is IMHO root cause for inviting the MS infection, the latter is root cause for sticking with it, with two exceptions.

      No other platform has even come close to an answer to Outlook and Excel.

      LibreOffice is getting better, but people involved in heavier lifting of numbers in spreadsheets are more efficient on Excel and it has more power too. Fair is fair.

      As for Outlook, its ability to combine contacts, calendaring and email into something that now also integrates a few light CRM features has not been replicated in desktop software on any other platform. The only feasible alternatives have been web based, which sucks if you're travelling or on a bad connection, but Outlook is probably the firmest lock-in product that Microsoft has, despite it not talking open standards such as CalDAV and CardDAV (which, unsurprisingly, prevents people from using something better than Exchange).

      That said, you can get both on MacOS too.

      1. DJ Smiley

        Re: So why Windows?

        "The only feasible alternatives have been web based, which sucks if you're travelling or on a bad connection, but Outlook is probably the firmest lock-in product that Microsoft has,"

        Everything you've said is right, but they seem to be moving away from this with Office 365, and I wonder if it'll be part of the downfall.

        1. John 104

          Re: So why Windows?

          Maybe not with 365. Most people don't realize that you get thick client versions of all the 365 software (depending on your licensing model) with each subscription. Don't like the web client? Download the thick client and run it locally.

          1. Anonymous Coward
            Anonymous Coward

            Re: So why Windows?

            When you say "thick clients", were you referring to software or users?

            Just curious :).

  8. FXi

    unless you are using Sophos

    If you are using Sophos they recommend you don't patch. Of course, instead you should get someone other than Sophos and then get back to patching.

  9. Anonymous Coward
    Anonymous Coward

    The way I understand ...

    "A hacker found another longterm-hidden-backdoor"

  10. MrBoring

    I'm guessing most of these 900,000 machines are already compromised using brute force attacks, which are easy on RDP. Maybe hacker Igor needs to secure his box because soon it will be taken over by hacker xiyong.

    1. Hans 1
      Windows

      Igor patches the 0wned server; the local Window Cleaner and Surface Expert comes along: "Oh, patch already installed, I am safe! Now, where was that fileserver again?"

  11. Anonymous Coward
    Anonymous Coward

    When everyone on Windows has moved to Azure it will be much better, I bet there will be far fewer security fixes each month.

    Microsoft won't have to have these ancient hidden back-doors in their OS for govs anymore, they can just let them log in directly to the portal and sniff about your VMs.

    1. Anonymous Coward
      Anonymous Coward

      When everyone on Windows has moved to Azure it will be much better, I bet there will be far fewer security fixes each month.

      Yeah, just a vast ramp up in breaches. That's the IT equivalent of digging one hole to fill another.

    2. Anonymous Coward
      Coat

      Also...

      With MS reliability... you cannot hack a computer that doesn't boot [because the cloud has fallen over]. ;)

  12. steviebuk Silver badge

    Why do they make it complicated

    I know I'm a bit of an idiot, but why do they have to make the patching complicated? Can they please just give me a straight answer: which KB do I need to search WSUS for to get the update?

    Clicking the links takes me to various areas with no clear indication of which KB has the patch in it.

    1. John 104

      Re: Why do they make it complicated

      What you are asking for is how they used to do it.

      It made identifying patches to apply or not apply very granular. Great for admins who care. But, this method required a lot of extra work on the MS side, so now they bundle them all up into one bucket and make you take the lot unless you are using WSUS or SCCM.

      It is very frustrating to try and find details on a single patch though. Very obfuscated for some reason.

    2. Angus Ireland
      Holmes

      straight answer to a KB

      It's right there in the link in the Reg's article: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

      > Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

  13. Claptrap314 Silver badge

    An interesting discussion

    Suppose you are in the NSA. Specifically, the part charged with defense. You know this vulnerability (and quite a few others). You know that this bug disproportionately harms the assets of US- and friendly-based entities.

    Do you argue to create a worm to shut down this hole?

    What if you are working for a Chinese or North Korean agency? What actions would you advocate on behalf of their mission?

    Does the answer to the second question affect the answer to the first?
