Well, here’s something you don’t see every day: the National Security Agency (NSA) recently issued a news release urging Microsoft Windows administrators and users to ensure they are using a patched and updated system.
This is on the heels of Microsoft releasing fixes for a critical remote code execution vulnerability known as BlueKeep (CVE-2019-0708) that affects some older versions of Windows. According to Microsoft, the flaw is potentially “wormable,” which would allow the vulnerability to spread across the internet without any action on the part of the user, similar to how the WannaCry malware spread in 2017.
The NSA explains, “this is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability.”
“NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
To say this is a rare warning is an understatement. A search for “patch” on the NSA’s news section only turns up this article. The NSA is not typically in the business of telling people to patch their computers. In fact, the NSA has a bit of history keeping vulnerabilities to themselves and developing exploits to take advantage of what they found. That even they’re urging people to update their computers means not only that this exploit is troublesome, but that they may have insight into an imminent attack or have accidentally let another exploit they developed into the wild.
What to Do Now
First, apply Microsoft’s patches from May 14th immediately. Then consider the specific recommendations provided by the NSA on how organizations can protect themselves against Remote Desktop Protocol (RDP) attacks:
- Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. RDP listens on this port, so blocking it stops attackers outside the network from establishing a connection to the vulnerable service.
- Enable Network Level Authentication (NLA). This security improvement requires an attacker to present valid credentials before a remote session is established.
- Disable remote desktop services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
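As an added example (not code from the original post or from Arctic Wolf), the PowerShell script below audits a Windows host against the three recommendations above and, with the -Remediate switch, applies them. It assumes an elevated session, uses the standard Terminal Server registry locations, and the firewall rule name is the script's own assumption; note that disabling RDP on a host you are currently connected to over RDP will drop your session.

```powershell
# Added example: audit the three NSA RDP hardening items on a Windows host.
# Not part of the original post. Run in an elevated PowerShell session;
# add -Remediate to apply the changes instead of only reporting.
[CmdletBinding()]
param([switch]$Remediate)

$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = Join-Path $tsRoot 'WinStations\RDP-Tcp'
$ruleName = 'Block-Inbound-RDP-3389'   # assumed name for the rule this script creates

# 1. Network Level Authentication: UserAuthentication=1 means NLA is required.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -eq 1) {
    Write-Output 'NLA: required (ok)'
} else {
    Write-Warning 'NLA: not required; unauthenticated clients can reach RDP'
    if ($Remediate) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Write-Output 'NLA: enabled'
    }
}

# 2. Is Remote Desktop enabled at all? fDenyTSConnections=1 means RDP is disabled.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) {
    Write-Output 'RDP: disabled (ok if this host does not need it)'
} else {
    Write-Warning 'RDP: enabled; disable it if this host does not need it'
    if ($Remediate) {
        Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 1 -Type DWord
        Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue   # stop active listener
        Write-Output 'RDP: disabled'
    }
}

# 3. Host firewall: any enabled inbound block rule for TCP/3389? (Perimeter firewalls need their own rule.)
$blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' }
if ($blocked) {
    Write-Output 'Firewall: inbound TCP/3389 blocked (ok)'
} else {
    Write-Warning 'Firewall: no inbound block rule for TCP/3389'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
        Write-Output "Firewall: created rule '$ruleName'"
    }
}
```

The firewall check only matches rules that name port 3389 explicitly, so a rule written as a port range or as "Any" will not be recognised.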
Stay Safe With SOC-as-a-Service
Of course, you can’t always wait for spy agencies to give you the heads up about potential risks. To keep up with today’s cyberthreats, companies need a security operations center (SOC)-as-a-service like Arctic Wolf to provide comprehensive managed detection and response, 24/7 monitoring, vulnerability assessment and threat analysis, and incident response.
Arctic Wolf can help you stay on top of patches and improve your overall security posture so that you don’t have to wait for the NSA to tell you when a big threat comes along.
Discover how small to midsize enterprises can gain access to the required people, process, and technology that make up SOC-as-a-service by downloading the Definitive Guide to SOC-as-a-Service.