Keeping BlueKeep Away: What Every Healthcare Organization Needs To Know To Mitigate the Risk
By Chris Goettl, director of product management, security, Ivanti.
The first months of 2019 have seen a record number of reported security vulnerabilities, but potentially the riskiest is BlueKeep. BlueKeep is a vulnerability (CVE-2019-0708) that affects Windows 7, Windows XP, Server 2003, 2008 and 2008 R2, and many expect it to be exploited soon.
The concern has been so great that Microsoft has issued public updates, even for the no-longer-supported XP and Server 2003 operating systems, and has been very active in issuing warnings to apply the fixes right away. Some may even say that Microsoft has been uncharacteristically begging everyone to apply the necessary fixes. The NSA too has issued an advisory and news article warning to fix this immediately.
Why is this so important for healthcare organizations? It’s been reported that “70 percent of devices in healthcare organizations will be running unsupported Windows operating systems by January 2020.” This is a greenfield opportunity for attackers using BlueKeep to expose health records and personally identifiable information (PII), presenting a monumental potential risk.
How does it work? BlueKeep is considered a ‘wormable’ vulnerability because it requires neither authentication nor user interaction to exploit. As such, a worm built on it can spread from system to system on its own, taking advantage of the vulnerability on each new host.
Numerous possibilities exist for a wormable exploit like BlueKeep. For example, if it were paired with something like Emotet, a more sophisticated malware platform, the malware that lands on a system could make intelligent decisions about what it should do next, automate those steps and adapt to its environment.
Or, what if BlueKeep finds its way onto somebody’s home computer? In that case it’s probably going to just sit back and grab any email exchanges that are going on, scrape some email addresses, and try to spam itself out to spread further.
However, if it got into a hospital’s network it could switch into ransomware mode – creating perhaps an even more damaging version of WannaCry – holding critical and even life-saving information hostage.
For perspective, the WannaCry attack of 2017 was reported to cost as much as $4 billion, making it one of the most costly ransomware attacks ever to hit our global economy. The fact that six security firms have independently developed working exploits for BlueKeep makes it likely that a weaponized version of BlueKeep is a lot more real than some of the other recent threats. Even though nobody has detected an attack “in the wild” yet, it’s only a matter of time before the first attacks occur. Bleeping Computer confirms that private Metasploit modules have already been developed for demonstration.
So, what needs to be done to keep BlueKeep away? Follow these three important steps:
- Leverage a comprehensive asset management solution to ensure that you have full visibility into any and all legacy systems that may have one of the vulnerable operating systems. It only takes one system that remains unpatched to expose your network. Don’t let any system slip through the cracks.
- Immediately apply the latest updates to all of your legacy systems before BlueKeep hits the streets. You don’t want to get an ‘I told you so!’ from your incident response and security team.
- Minimize the impact on your IT teams through automation. With the latest versions of MS SCCM not supporting Windows XP and Server 2003, the job of applying patches can be a bit more difficult. But it doesn’t necessarily mean that you must perform your patching manually. You can patch up to 50 systems, including Windows XP and Server 2003, with the free 60-day license of Ivanti Security Controls.
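The first two steps above, finding every host that runs one of the affected operating systems and confirming each one has the fix, can be scripted. The following PowerShell is an added example written for this article, not Ivanti’s code or a tool the article describes. It assumes the ActiveDirectory module is installed on the machine running it, that the account can query hotfixes on the targets remotely, and that `$BlueKeepFixKBs` holds the KB numbers of the May 2019 updates for each affected OS; those are placeholders here and must be taken from Microsoft’s advisory for CVE-2019-0708.

```powershell
# Added example (not from the article): inventory domain-joined hosts whose OS
# the article lists as affected by CVE-2019-0708 and check each for the fix.
# Assumptions: ActiveDirectory module present; remote WMI/RPC allowed for
# Get-HotFix; $BlueKeepFixKBs filled in from the Microsoft advisory.

# PLACEHOLDERS: replace with the real KB IDs for your OS mix.
$BlueKeepFixKBs = @('KB<PLACEHOLDER-WIN7-2008R2>', 'KB<PLACEHOLDER-XP-2003>')

# OS name fragments for the platforms the article names as affected.
# 'Server 2008' also matches Server 2008 R2.
$AffectedOsPatterns = @('Windows 7', 'Windows XP', 'Server 2003', 'Server 2008')

function Test-AffectedOs {
    param([string]$OsName)
    foreach ($pattern in $AffectedOsPatterns) {
        if ($OsName -like "*$pattern*") { return $true }
    }
    return $false
}

Import-Module ActiveDirectory

$report = foreach ($computer in Get-ADComputer -Filter * -Properties OperatingSystem) {
    # Skip everything that is not on the affected list (Windows 10, 2012+, ...).
    if (-not (Test-AffectedOs $computer.OperatingSystem)) { continue }

    $status       = 'Unreachable'
    $rdpReachable = $null
    try {
        # Installed updates as seen by Windows; compare against the fix list.
        $installed = Get-HotFix -ComputerName $computer.DNSHostName -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $hasFix = $installed | Where-Object { $BlueKeepFixKBs -contains $_ }
        $status = if ($hasFix) { 'Patched' } else { 'MISSING FIX' }

        # Is TCP/3389 reachable from here? An unpatched host that also answers
        # on RDP is the one to patch or isolate first.
        $rdpReachable = (Test-NetConnection -ComputerName $computer.DNSHostName `
                            -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded
    } catch {
        # Offline or access denied: left as 'Unreachable' so it still shows up
        # in the report instead of silently dropping out of the inventory.
    }

    [pscustomobject]@{
        Host         = $computer.DNSHostName
        OS           = $computer.OperatingSystem
        Status       = $status
        RdpReachable = $rdpReachable
    }
}

# Unpatched and unreachable hosts sort to the top; keep a CSV for the audit trail.
$report | Sort-Object Status | Format-Table -AutoSize
$report | Export-Csv -Path .\bluekeep-inventory.csv -NoTypeInformation
```

Hosts reported as `Unreachable` need a second look rather than being ignored: a legacy device that cannot be queried is exactly the kind of system that slips through the cracks the first step warns about. Systems that are not domain-joined (medical devices, vendor-managed appliances) will not appear at all, so the script complements, and does not replace, a full asset inventory.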
For those who have not patched against BlueKeep yet, it is only a matter of time before the first malicious exploit is distributed. You can be sure that healthcare organizations will be at the top of the target list. Be prepared and apply fixes today. Cyber adversaries are likely reverse engineering the patch as you read this, getting ready to exploit organizations and individuals alike. Let’s work together to avoid a potential repeat of WannaCry.