Remember the panic that hit organisations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware, says Carey van Vlaanderen, CEO at ESET South Africa.
A patch by Microsoft for supported, as well as some unsupported, operating systems has been available since May 14th.
The BlueKeep vulnerability was found in Remote Desktop Services (also known as Terminal Services). If successfully exploited in the future, it could enable access to the targeted computer via a backdoor with no credentials or user interaction needed.
To make the bad news even worse, the vulnerability is ‘wormable’. This means that future exploits might use it to spread malware within or outside of networks in similar ways to what was seen with WannaCryptor.
Following Microsoft’s release of these latest patches, security researchers were able to create several working proofs-of-concept, but at the time of writing, none of these have been publicly released and there are no known cases of the flaw being exploited in the wild.
The flaw, listed as CVE-2019-0708, affects multiple in-support and out-of-support versions of Microsoft’s operating systems. Users of Windows 7, Windows Server 2008 R2, and Windows Server 2008 with automatic updates enabled are protected. Microsoft also issued special updates for two non-supported versions – namely Windows XP and Windows Server 2003 – which are available via this site. Windows 8 and Windows 10 are not affected by the vulnerability.
Microsoft has not released patches for Windows Vista, despite this version also being affected by the vulnerability. The only solution here is to disable Remote Desktop Protocol (RDP) completely or only allow its use when accessed via VPN.
It is important to note that any company using misconfigured RDP over the internet is putting its users and resources at risk. Apart from vulnerabilities such as BlueKeep, attackers also try to brute force their way into company machines and internal systems.
The BlueKeep case bears a strong resemblance to the events from two years ago. On March 14th, 2017, Microsoft released fixes for a wormable vulnerability in the Server Message Block (SMB) protocol, advising all users to patch their Windows machines immediately.
The reason for this was the EternalBlue exploit – a malicious tool allegedly designed by and stolen from the National Security Agency (NSA) – which targeted the SMB loophole. A month later, EternalBlue leaked online and in a few weeks became the vehicle for the two most damaging cyberattacks in recent history – WannaCry(ptor) and NotPetya (Diskcoder.C).
A similar scenario might unfold with BlueKeep given its wormable nature. Right now, it is only a matter of time until someone publishes a working exploit, or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and a lucrative asset for its originator.
BlueKeep will also show whether organisations around the world learned a lesson from the large 2017 outbreaks and improved their security posture and patching routines.
To sum it up, organisations and users are advised to:
1. Patch, patch, patch. If you or your organisation run a supported version of Windows, update it to the latest version. If possible, enable automatic updates. If you are still using unsupported Windows XP or Windows Server 2003 – for whatever reason – download and apply the patches as soon as possible.
2. Disable Remote Desktop Protocol. Although RDP itself is not the vulnerable component, Microsoft advises organisations to disable it until the latest patches have been applied. Further, to minimise your attack surface, RDP should only be enabled on devices where it is really used and needed.
3. Configure RDP properly. If your organisation absolutely must use RDP, avoid exposing it to the public internet. Only devices on the LAN, or accessing via a VPN, should be able to establish a remote session. Another option is to filter RDP access with a firewall, whitelisting only a specific IP range. The security of your remote sessions can be further improved by using multi-factor authentication.
4. Enable Network Level Authentication (NLA). BlueKeep can be partially mitigated by having NLA enabled, as it requires the user to authenticate before a remote session is established and the flaw can be misused. However, as Microsoft adds, “affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”
5. Use a reliable multi-layered security solution that can detect and mitigate attacks exploiting the flaw at the network level.
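The checks behind steps 2 and 4 above are registry-driven, so a short audit script can report a host's state and optionally apply them. This is an added example, not part of the article or Microsoft's guidance; the registry paths are the standard Terminal Server settings, while the KB identifiers are a placeholder parameter to be filled from Microsoft's advisory for CVE-2019-0708. Run it in an elevated PowerShell on the host being checked.

```powershell
# Added example (not from the article): audit a Windows host against the
# BlueKeep mitigation list and optionally apply the registry-driven steps.
# -PatchKbIds is a PLACEHOLDER; replace with the KB ids from Microsoft's
# CVE-2019-0708 advisory for the host's OS version.
param(
    [string[]]$PatchKbIds = @('KBXXXXXXX'),
    [switch]$Remediate
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is switched off (step 2).
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required (step 4).
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
# A LISTENING socket on 3389 shows the service is actually reachable over the network.
$listening = [bool](netstat -ano | Select-String ':3389\s+\S+\s+LISTENING')
# Step 1: is any of the supplied patch ids installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched   = @($PatchKbIds | Where-Object { $installed -contains $_ }).Count -gt 0

# New-Object PSObject keeps this usable on PowerShell 2.0 (default on Windows 7).
New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    OSVersion    = (Get-WmiObject Win32_OperatingSystem).Caption
    RDPEnabled   = $rdpEnabled
    RDPListening = $listening
    NLARequired  = $nlaRequired
    PatchFound   = $patched
} | Format-List

if ($Remediate) {
    if (-not $nlaRequired) {
        # Step 4: require authentication before a session is established.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
        Write-Host 'NLA is now required on RDP-Tcp.'
    }
    if ($rdpEnabled -and -not $patched) {
        # Step 2: no patch present, so switch RDP off until one is applied.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        Write-Host 'Remote Desktop disabled until the patch is installed.'
    }
}
```

Changing `fDenyTSConnections` takes effect for new connections immediately, but an existing RDP session stays open; the NLA change is picked up by the listener without a reboot.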
AppDate: A security boost for schools
In his latest app round-up, SEAN BACHER features Karri, ChatBack, Charge Running, Bookings Africa and HomeChoice.
With large amounts of cash and very little security, schools are now becoming an easy target for criminals. Numerous schools across the country have already been raided, with several serious incidents and even fatalities.
In partnership with Nedbank, Karri has introduced a mobile payment app to address this growing problem. The app enables parents to send money securely to their child’s school. Hundreds of schools countrywide are using Karri, with most now refusing to accept cash payments from parents.
The app offers a simple alternative to children bringing cash to school by allowing parents to make payments via an app on their smartphone. It is free for parents to use and there are no hidden costs or sign-up fees for the school.
Platform: Android and iOS
Expect to pay: A free download
Stockists: Visit Karri here for downloading instructions.
ParkUpp is here to sell your unused parking spot
Prop-tech startup ParkUpp is helping residents and property owners to make some extra cash from their unused parking. This is proving to be a winner for JanuWorry, the month that often brings financial stress after the December holidays for many individuals and businesses across South Africa.
ParkUpp already has over 4500 listings on its platform, predominantly in Johannesburg and Cape Town. They include The Union Castle building owned by Izandla Properties, Design Quarter on William Nicol Drive, along with other commercial and residential parking facilities.
The app has also been awarded accolades from property industry incumbents, including the Women’s Property Network (WPN) in the Young Achiever’s category and the South African Institute of Black Property Professionals (SAIBPP) for Disruptor of the Year. The team is also headed to Silicon Valley for a two-week bootcamp with Kingson Capital, a South Africa-based venture capital firm.
This award-winning platform not only creates extra income from empty parking spaces, it also reduces drivers’ anxiety about parking in an unsafe space and saves them money. In the Cape Town CBD, where over 45% of cars are parked on-street at an average of R18/hour, amounting to R2880 a month, ParkUpp users are able to save up to 50% by renting a parking bay for R1500.
ParkUpp co-founder Michael Savvides says home owners or businesses often get frustrated when they find someone illegally parked in their bay. “Instead of being frustrated, list your parking during the times it is unused for people to park in your space legally. No one really wants to knock on someone’s door to ask for parking so our platform is removing that uncomfortable feeling.”
“We create trust between owners and drivers through our vetting processes. We save drivers 50% on parking costs and generate extra income for the owners and we also provide access to spaces that were previously inaccessible,” he explains.
“Our current focus is to increase the occupancy rate for the listed parking bays. Businesses and individuals who need parking can visit the platform to make a booking or suggest a location where you need parking,” he concludes.
As a driver, should you not find your preferred parking, email the team with suggested locations at firstname.lastname@example.org so that they can find safe, secure and affordable parking for you.