Security Alert: BlueKeep Campus-Wide Remediation Actions

July 9, 2019

by UNH Information Security Services

Overview

On May 14, 2019, Microsoft disclosed a critical vulnerability in Remote Desktop Services, CVE-2019-0708, commonly called BlueKeep, that affects computers running older Microsoft operating systems, and released patches for it the same day. BlueKeep is dangerous because it allows an unauthenticated attacker to connect to and take control of a vulnerable device, such as a desktop, laptop or server, without any involvement or knowledge of the device's user. Because no credentials or user action are required, an attack exploiting this vulnerability is "wormable": once it gets inside a network, it can spread on its own to any vulnerable computer or server in that network.

For reference, the last publicly disclosed vulnerability with this kind of capability was EternalBlue (MS17-010, in the SMBv1 file-sharing protocol), patched by Microsoft in March 2017. It was exploited in the WannaCry and NotPetya global attacks launched later that year, which crippled organizations such as the UK's National Health Service, the shipping giant Maersk, and the US pharmaceutical company Merck & Co.

Risk Assessment

BlueKeep only affects older versions of Windows: Windows 7, Vista, and XP, and Windows Server 2008, 2008 R2, and 2003. Windows 8, Windows 10, and Windows Server 2012 and later are not affected. This limits the number of devices on campus that can be impacted by the vulnerability.

BlueKeep is exploited over a specific protocol, the Remote Desktop Protocol (RDP), which by default listens on TCP port 3389. UNH IT currently blocks external RDP traffic from entering the UNH network, which protects on-campus resources from attacks launched from the Internet.

As the UNH user community regularly uses devices both on and off campus, there is a risk that an unpatched device could be compromised while connected to a non-UNH network and then, on reconnection, give a BlueKeep-based attack a foothold inside the UNH network.

Work completed since the BlueKeep announcement by Information Security Services (ISS), UNH IT, and the campus IT support teams has reduced the potential impact of a BlueKeep attack by cutting the number of known potentially vulnerable devices from about 2,200 to under 400.

However, due to the following factors, a significant risk to the campus computing environment and University operations remains:

  1. UNH does not mandate the management of institutional devices, which means:
    1. We cannot identify all potentially vulnerable devices connecting to our network
    2. We cannot confirm that known potentially vulnerable devices have been patched
    3. We cannot force updates on known vulnerable devices
  2. UNH provides a BYOD environment, which means:
    1. Anyone can connect any device to our network while on campus
    2. Any user with UNH credentials can connect any device to our network from off campus via the VPN

It is important to note that even with the actions outlined in the Remediation Plan below, there will still be vulnerable devices connecting to the UNH network. These include any device that UNH IT could not identify as potentially vulnerable and any vulnerable device that connects to the UNH network for the first time. The risk that a compromised device, UNH-owned or personal, connects to the UNH network and compromises other vulnerable devices on our network will still exist.

Additionally, the increasing threat of cyber-attacks by nation-state actors raises the likelihood of destructive cyber-attacks being launched against US targets, and BlueKeep provides a mechanism to perpetrate that kind of attack (see the CISA Alert on Iranian cyber activity).

While it is unlikely UNH would be a direct target of this kind of malicious activity, history indicates that “wormable” cyber-attacks can spread well beyond the intended target.  

Remediation Plan

Since we cannot eliminate the risk of a BlueKeep attack, our best option to protect University resources and operations is to reduce the risk, to the extent possible, by ensuring that every known potentially vulnerable device is patched before any BlueKeep attacks occur.

Over the past 8 weeks, ISS, UNH IT, and the campus IT support teams have worked together to:

  1. Identify potentially vulnerable computers and servers connected to or that have recently connected to the UNH network.
  2. Determine whether each identified device is 1) still in use and, 2) if so, patched.
  3. Patch unpatched devices.
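The "still in use and patched" check in step 2, as an added example that is not part of this advisory or of any UNH IT tool: a PowerShell script that determines, on a single Windows host, whether the operating system is in the affected range, whether one of the May 14, 2019 fix updates is installed, and whether RDP is enabled and Network Level Authentication (NLA) is required. The KB numbers are the ones Microsoft published for CVE-2019-0708 and should be verified against that advisory before the script is relied on; the function names, the output fields and the interim-mitigation helper are this example's own.

```powershell
# Added example, not from the UNH advisory. Local exposure check for BlueKeep (CVE-2019-0708).
# Run from an elevated PowerShell prompt on the host being assessed. Written for PowerShell 2.0
# (the default on Windows 7 / Server 2008 R2) so it runs on the affected systems themselves.

# Fix updates published by Microsoft on May 14, 2019, keyed by NT kernel version
# (security-only update first, monthly rollup second). Verify against the CVE-2019-0708 advisory.
$BlueKeepFixKBs = @{
    '5.1' = @('KB4500331')                 # Windows XP
    '5.2' = @('KB4500331')                 # Windows Server 2003
    '6.0' = @('KB4499180', 'KB4499149')    # Windows Vista / Windows Server 2008 SP2
    '6.1' = @('KB4499175', 'KB4499164')    # Windows 7 SP1 / Windows Server 2008 R2 SP1
}

function Test-BlueKeepExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $majorMinor = ($os.Version -split '\.')[0..1] -join '.'   # e.g. "6.1.7601" -> "6.1"

    $result = New-Object PSObject -Property @{
        Host        = $env:COMPUTERNAME
        OS          = $os.Caption
        Version     = $os.Version
        Affected    = $BlueKeepFixKBs.ContainsKey($majorMinor)
        Patched     = $null
        RdpEnabled  = $null
        NlaRequired = $null
        Action      = ''
    }

    # Windows 8 / Server 2012 and later (NT 6.2+) do not contain the vulnerable code path.
    if (-not $result.Affected) {
        $result.Action = 'None: operating system is not affected'
        return $result
    }

    # Patched if any of the fix updates for this OS appears in the installed-hotfix list.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $result.Patched = [bool]($BlueKeepFixKBs[$majorMinor] | Where-Object { $installed -contains $_ })

    # Remote Desktop state from the Terminal Server registry keys:
    #   fDenyTSConnections = 0  -> RDP connections are allowed
    #   UserAuthentication = 1  -> Network Level Authentication required before a session is created
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue
    $result.RdpEnabled  = ($rdp -ne $null) -and ($rdp.fDenyTSConnections -eq 0)
    $result.NlaRequired = ($nla -ne $null) -and ($nla.UserAuthentication -eq 1)

    if ($result.Patched) {
        $result.Action = 'None: fix is installed'
    } elseif (-not $result.RdpEnabled) {
        $result.Action = 'Install the update; RDP is disabled, so the host is not currently reachable on TCP 3389'
    } elseif ($result.NlaRequired) {
        $result.Action = 'Install the update; NLA blocks unauthenticated exploitation but is not a substitute for the patch'
    } else {
        $result.Action = 'URGENT: install the update; until then disable RDP or require NLA'
    }
    return $result
}

# Interim hardening for a host that cannot be patched immediately: require NLA and block
# inbound TCP 3389 at the host firewall (netsh advfirewall exists on Vista and later).
function Set-BlueKeepInterimMitigation {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1 -Type DWord
    netsh advfirewall firewall add rule name="Block inbound RDP (BlueKeep interim)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
}

Test-BlueKeepExposure | Format-List Host, OS, Version, Affected, Patched, RdpEnabled, NlaRequired, Action
```

The NLA branch reflects Microsoft's guidance for this CVE: because the flaw is reachable before authentication, requiring NLA stops an unauthenticated attacker, but an attacker who already holds valid credentials can still trigger it, so NLA is an interim measure and the update remains the fix.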

These efforts produced the reduction of roughly 1,800 known potentially vulnerable devices mentioned above.

While continuing these efforts is likely to reduce this number further, time is not on our side. Alerts distributed in recent weeks by the National Security Agency (NSA), the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), US-CERT, and Microsoft indicate that the window to protect against a BlueKeep attack is closing.

To that end, beginning on Wednesday, July 10th, the following actions will be taken to address the remaining 400 known potentially vulnerable devices, as well as any potentially vulnerable devices identified in the coming weeks:

  1. Where possible, quarantine these devices. Quarantined devices:
    1. have limited network connectivity and are segregated from the UNH network
    2. display a message alerting the user to the quarantine and providing instructions on how to get the device out of quarantine
  2. When a quarantine is not possible:
    1. Automatically enroll the device in Configuration Manager (ConfigMgr), the service provided by UNH IT that allows for automated management of Windows computers.
      1. Once enrolled, ConfigMgr will take over management of the device the next time the device is restarted
      2. On a managed device, UNH IT can 1) confirm the device's patch status and 2) push patches to the device, if needed
    2. Block the device from accessing the VPN.

Note: At this time, “automated management” of these devices by ConfigMgr will only involve applying Windows operating system updates and other critical security patches.

Remediation Instructions
Resources
