In the middle of May, Microsoft announced that a vulnerability, dubbed BlueKeep (CVE-2019-0708), had been discovered in Windows XP, Windows 7 and other older Windows systems. At the time, Microsoft released patches to protect its users against this remote code execution vulnerability in Remote Desktop Services. The vulnerability was estimated to affect over a million systems.
At the end of July, Rapid7 reported a significant uptick in malicious RDP activity since the discovery of BlueKeep. Rapid7 also points out that at least one working commercial exploit for the vulnerability already exists.
Bad times for RDP connections
Last week, Microsoft announced that it had discovered four new vulnerabilities in Remote Desktop Services: CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226. Like BlueKeep, Microsoft describes these vulnerabilities as wormable: a piece of malware that exploited them could spread from one vulnerable computer to another with no user intervention.
The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all supported versions of Windows 10, including the server versions. Microsoft adds that it found the vulnerabilities internally and that there is no evidence that any third party knows about them.
Microsoft explains that systems with Network Level Authentication (NLA) enabled are partially protected, since NLA requires the client to authenticate before the vulnerable code can be reached. However, these systems are still vulnerable to remote code execution if the attacker has valid credentials to authenticate with, so NLA is a mitigation, not a substitute for the patch.
It is estimated that these vulnerabilities could affect as many as 800 million users.
How to protect against RDP vulnerabilities
As with all vulnerabilities, the fundamental step in protecting against these is to apply the relevant patches as soon as possible. Microsoft has already released patches for the four new vulnerabilities (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226) as part of its August 2019 security updates.
Patches are a vital security measure that can stop a large number of cyberthreats before they cause any damage. In fact, according to one study, 57% of companies that suffered a breach said that it was made possible by a vulnerability for which a patch already existed.
To streamline the task of finding and applying patches for your systems, Panda Adaptive Defense includes the Panda Patch Management module. Patch Management audits, monitors and prioritizes updates for operating systems and applications. When it detects an exploit or a malicious program, it notifies you of the patches pending on the affected computer. Installations can be launched immediately or scheduled from the console, isolating the computer if needed. This way, you can manage the patches your company needs without investing more time or resources in it, and complete your protection system to shield your assets.
Another important measure is to take RDP off the open Internet: place it behind a VPN so that the RDP port (3389/TCP by default) is never directly reachable from outside, require NLA on the hosts that do expose it, and reconsider whether Remote Desktop really needs to be enabled on each system at all.
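The steps above (check patch state, enforce NLA, and either restrict RDP to the VPN or disable it) can be audited and applied on a single host from PowerShell. The script below is an added example written for this page, not code from Microsoft, Panda or the original post. It assumes an elevated session, a VPN client range of 10.8.0.0/24 (a placeholder to replace with your own), and the NetSecurity firewall cmdlets, which exist on Windows 8 / Server 2012 and later; on Windows 7 use `netsh advfirewall` for the firewall step instead.

```powershell
<#
 Added example (not part of the original post): audit one Windows host's RDP exposure
 and apply the mitigations discussed above. Run from an elevated PowerShell session.
 Requires the NetSecurity cmdlets (Windows 8 / Server 2012 and later); on Windows 7
 use "netsh advfirewall" for the firewall step instead.
#>
param(
    # Assumption: the address range your VPN assigns to clients. Adjust to your environment.
    [string]$VpnSubnet = '10.8.0.0/24',
    # Set this switch if the host does not need Remote Desktop at all.
    [switch]$DisableRdp
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means incoming connections are refused.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
Write-Host ("Remote Desktop enabled: {0}" -f ($deny -eq 0))

if ($DisableRdp) {
    # The strongest mitigation is not to expose the service at all: refuse connections
    # at the service level and turn off the built-in inbound firewall rules for RDP.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'Remote Desktop disabled and its inbound firewall rules turned off.'
    return
}

# 2. Require Network Level Authentication. With NLA on, a client must present valid
#    credentials before it reaches the vulnerable code, which stops unauthenticated worms
#    (but not an attacker who already holds valid credentials).
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    Write-Warning 'NLA is not enforced; enabling it.'
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
}

# 3. Patch state: list updates installed on or after 13 August 2019, the day Microsoft
#    shipped the fixes for CVE-2019-1181/1182/1222/1226. An empty list means no update
#    from that release has been applied yet. (InstalledOn can be empty for some entries.)
$since  = Get-Date '2019-08-13'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since }
if ($recent) {
    $recent | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($since.ToShortDateString()); apply the August 2019 security update."
}

# 4. Take RDP off the open Internet: accept inbound RDP only from the VPN client range.
#    This scopes every inbound rule in the built-in 'Remote Desktop' group.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $VpnSubnet
Write-Host "Inbound RDP now limited to $VpnSubnet."
```

Two caveats. `Get-HotFix` only shows what is installed; it does not tell you whether the specific fix for your Windows build is present, so confirm the KB number for your build against Microsoft's advisory. And a per-host script is for spot checks: across a fleet, push the NLA setting ("Require user authentication for remote connections by using Network Level Authentication") and the firewall scope through Group Policy, and keep the host firewall rule in addition to the perimeter VPN so that a single misconfiguration does not re-expose port 3389.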