On May 14, 2019, Microsoft announced a zero-day vulnerability, called BlueKeep, that affects computers running some older Microsoft operating systems, along with patches to address it. BlueKeep has the potential to be very dangerous because it allows an unauthorized user to connect to and control a vulnerable device, such as a desktop or a laptop, without the involvement or knowledge of the device’s user. This capability means that an attack exploiting the vulnerability is “wormable”: once it gets inside a network, it can spread on its own to any vulnerable computer or server in that network.
For reference, the last publicly announced zero-day vulnerability with this kind of capability was EternalBlue, in March 2017. That vulnerability was exploited in the WannaCry and NotPetya global ransomware attacks launched later that year, which crippled organizations such as the UK’s National Health Service, shipping giant Maersk, and US pharmaceutical company Merck & Co.
BlueKeep only affects older versions of Windows, including Windows 7, Vista, and XP and Windows Server 2008, 2008 R2, and older. This limits the number of devices on campus that can be impacted by the vulnerability.
BlueKeep requires the use of a specific protocol called RDP (Remote Desktop Protocol). UNH IT currently blocks external RDP traffic from entering the UNH network, which protects on-campus resources from attacks launched from outside UNH.
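The following PowerShell triage check is an added example and not part of the UNH notice. It tells an IT support team whether a given Windows device falls inside the scope described above (one of the listed OS generations with Remote Desktop enabled); the function name Get-BlueKeepTriage and the verdict labels are my own, while the fDenyTSConnections registry value and the TermService service are standard Windows locations.

```powershell
# Triage check: is this Windows device inside the BlueKeep scope described above?
# In scope = one of the listed OS generations (Windows 7 / Vista / XP, Server 2008 /
# 2008 R2 and older, i.e. NT version 6.1 or lower) AND Remote Desktop enabled.
# This does NOT confirm whether the patch is installed; it only identifies devices
# the remediation work applies to. Uses Get-WmiObject rather than Get-CimInstance
# so it runs on the PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
function Get-BlueKeepTriage {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version                      # e.g. 6.1.7601 on Windows 7 SP1
    $inScopeOs = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

    # fDenyTSConnections: 0 = Remote Desktop connections allowed, 1 = denied.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # TermService is the Remote Desktop Services service; when it is running the
    # RDP listener is actually offered to the network.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $rdpRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

    # An in-scope OS still needs the patch even if RDP is currently off, because
    # RDP can be enabled later; the verdict only orders the work.
    $verdict = if (-not $inScopeOs) { 'NotAffectedOS' }
               elseif ($rdpEnabled -and $rdpRunning) { 'InScope-RDPExposed' }
               else { 'InScope-RDPDisabled' }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        OSVersion    = $ver.ToString()
        RDPEnabled   = $rdpEnabled
        RDPRunning   = $rdpRunning
        Verdict      = $verdict
    }
}

Get-BlueKeepTriage | Format-List
```

Run it in an elevated PowerShell session on the device being checked; the output object can be collected from many devices into the kind of inventory the counts in this notice are based on.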
Because the UNH user community regularly uses devices both on and off campus, there is a risk that an unpatched device could be compromised while connected to a non-UNH network and, on reconnection, give a BlueKeep-based attack a foothold inside the UNH network.
Work completed since the BlueKeep announcement by Information Security Services (ISS), UNH IT, and the campus IT support teams decreased the potential impact of a BlueKeep attack by reducing the number of known potentially vulnerable devices from about 2,200 to under 400.
However, due to the following factors, a significant risk to the campus computing environment and University operations remains:
It is important to note that even with the actions outlined in the Remediation Plan below, there will still be vulnerable devices connecting to the UNH Network. These devices include any that UNH IT could not identify as potentially vulnerable and any vulnerable device that connects to the UNH network for the first time. The risk of a compromised device, UNH-owned or personal, connecting to the UNH network compromising other vulnerable devices on our network will still exist.
Additionally, the increasing threat of cyber-attacks by nation-state actors raises the likelihood of destructive cyber-attacks being launched against US targets, and BlueKeep provides a mechanism to perpetrate that kind of attack (see CISA Alert re: Iranian Cyber Activity).
While it is unlikely UNH would be a direct target of this kind of malicious activity, history indicates that “wormable” cyber-attacks can spread well beyond the intended target.
Since we cannot eliminate the risk of a BlueKeep attack, our best option to protect University resources and operations is to reduce the risk, to the extent possible, by ensuring that every known potentially vulnerable device is patched before any BlueKeep attacks occur.
Over the past 8 weeks, ISS, UNH IT, and the campus IT support teams have worked together to:
These efforts produced the reduction of about 1,800 known potentially vulnerable devices mentioned above.
While continuing these efforts is likely to reduce this number further, time is not on our side. Alerts distributed in recent weeks by the National Security Agency (NSA), the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), US-CERT, and Microsoft indicate that the window to protect against a BlueKeep attack is closing.
To that end, beginning on Wednesday, July 10th, the following actions will be taken to address the remaining 400 known potentially vulnerable devices as well as any potentially vulnerable devices identified in the coming weeks.
Note: At this time, “automated management” of these devices by ConfigMgr will only involve applying Windows operating system updates and other critical security patches.