Homeworking and Pandemics: a Practical Analysis on BlueKeep Vulnerability in Spain and Latin America

Andrés Naranjo    5 November, 2020
“It is not the strongest of the species that survives, not the most intelligent that survives. It is the one that is the most adaptable to change”.

Charles Darwin

One of the greatest and most rapid changes in recent human history is the “new normality” brought about by the Covid-19 pandemic since it started in March. Faced with this change, most companies had to find a way to maintain their activity at any cost, at least as far as possible.

This subject, which is not easy, is critical whenever we talk about technology companies: we see many companies whose previous success and strength have been of no use in the face of the current market or financial scenario. They have gone from the greatest of successes (their previous strength) to the most resounding of failures. Failure to adapt to change can mean a death sentence or a long agony: let's recall the case of Nokia, for example, which at the beginning of the century sat comfortably on the hegemonic throne of mobile telephony, both in terms of production and reputation, and which is no longer what it used to be since smartphones arrived.

But going back to March 2020, as we were saying, companies in most countries that suffered lockdowns had to find the means to maintain their activity. Urgent processes like these often fail to consider the necessary protective measures. To a large extent, this adaptation has meant enabling homeworking, which seems to be here to stay, since governments are trying to regulate this type of work. However, as we will show below, this capacity to manage systems remotely and/or to enable teleworking has meant a greater number of assets exposed to well-known vulnerabilities.

BlueKeep vulnerability

The study presented here is based on the CVE-2019-0708 vulnerability, known as “BlueKeep”: a remote code execution vulnerability in Remote Desktop Services (previously known as Terminal Services) that is triggered when an unauthenticated attacker connects to the target system via RDP and sends specially crafted requests. This remote code execution can mean total control and compromise of the system.

The reason for studying this vulnerability in particular is that the RDP protocol enables easy remote access simply by opening port 3389 on the desired machine. But each open port, as we know, is an entry vector, especially when basic system protection measures have not been taken. It is also not a recent vulnerability (it dates from May 2019), and we must bear in mind that it affects obsolete Microsoft operating systems (XP, Vista, Windows Server 2008) that are not properly updated.

César Farro has collaborated in this study; in May last year he published the first exposure study on “BlueKeep”. Public tools such as masscan and rdpscan, both written by Robert Graham, have been used for this purpose.

BlueKeep Vulnerability Study – May 2019

The methodology for this work has been simple:

  • The IP range for each country has been scanned, using public sources that publish the IPv4 ranges assigned to each country, such as Lacnic and RIPE.
  • The tools described above have been used to analyse whether each asset exposed with port 3389 open is vulnerable. It should be noted that the analysis is not conclusive and several assets cannot be diagnosed; these are listed as “unknown”.
  • We compare January 2020 with August 2020 to see how the number of assets with the port open has changed and to draw conclusions regarding the level of exposure.
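
The comparison step of this methodology can be reproduced on an organisation's own address space. The following is an added example, not code from the study: it tallies scanner verdicts from two snapshots and reports how exposure and the vulnerable share changed. The line format `<ip> - <STATUS> - <reason>` is assumed from rdpscan's output style, and the sample lines are constructed using documentation address ranges.

```python
import re
from collections import Counter

# Assumed line shape "<ip> - <STATUS> - <reason>"; only ip and STATUS are parsed.
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+-\s+(SAFE|VULNERABLE|UNKNOWN)\b")
STATUSES = ("VULNERABLE", "SAFE", "UNKNOWN")
# Constructed sample results (documentation address ranges), not data from the study.
JANUARY = """\
192.0.2.10 - VULNERABLE - got appid
192.0.2.11 - SAFE - Target appears patched
192.0.2.12 - SAFE - CredSSP/NLA required
192.0.2.13 - UNKNOWN - no connection - timeout
"""
AUGUST = """\
192.0.2.10 - SAFE - Target appears patched
192.0.2.11 - SAFE - Target appears patched
192.0.2.12 - SAFE - CredSSP/NLA required
192.0.2.13 - UNKNOWN - no connection - timeout
198.51.100.5 - VULNERABLE - got appid
198.51.100.6 - UNKNOWN - RDP protocol error
198.51.100.7 - SAFE - CredSSP/NLA required
198.51.100.8 - UNKNOWN - no connection - timeout
banner or truncated line that must be skipped
"""

def tally(scan_output):
    verdict = {}  # one verdict per IP; a later line for the same IP replaces it
    for line in scan_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            verdict[m.group(1)] = m.group(2)
    return Counter(verdict.values())

def summarize(scan_output):
    """Scanned hosts (assumed: found earlier with port 3389 open) split by verdict."""
    counts = tally(scan_output)
    total = sum(counts.values())
    percent = {s: round(100 * counts[s] / total, 1) if total else 0.0 for s in STATUSES}
    return {"exposed": total, "counts": {s: counts[s] for s in STATUSES}, "percent": percent}

def compare(before, after):
    """Growth in exposed hosts and change in the vulnerable share (percentage points)."""
    b, a = summarize(before), summarize(after)
    growth = round(a["exposed"] / b["exposed"], 2) if b["exposed"] else None
    delta = round(a["percent"]["VULNERABLE"] - b["percent"]["VULNERABLE"], 1)
    return {"exposed_growth": growth, "vulnerable_pp_change": delta, "before": b, "after": a}

if __name__ == "__main__":
    print(compare(JANUARY, AUGUST))
```

Reporting the “unknown” share separately, as the study does, keeps undiagnosable hosts from being silently counted as safe.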

Let’s see, for example, the data for Spain before and after the pandemic:

Taking the percentages as data, we can see a clear evolution:

We can draw the following conclusions for the case of Spain:

  • While the number of assets with port 3389 open has almost doubled, the percentage of exposed assets that are objectively vulnerable to BlueKeep has clearly fallen from 11% to 4%.
  • 3745 devices could still be considered a very high number of easily accessible machines that are therefore vulnerable to a security flaw published more than a year ago.
  • The increase in cases labelled as unknown is mainly due to a correction in how queries from unknown IPs are handled, and should be attributed to better configuration. This can be done, for example, by limiting RDP access to certain IPs, which results in more secure access.

You can check all the data for the 12 countries under study in the following table:

In summary

The new normality imposed by the pandemic has forced many companies and agencies to enable remote access resources to maintain their business. But like any change, this must be done while maintaining our security strategy to ensure business continuity.

The use of RDP or other remote access methods must always be planned and executed following security by design, so that our adaptation to this change is carried out without putting our entity at risk. As a tip, it is a good idea to keep our assets properly listed with their corresponding operating system versions and the software and/or services they run, always keeping an eye out for security updates.
