New Remote Desktop Services Exploits Are On The Horizon
Only recently, Microsoft reacted to a newly discovered security gap in Remote Desktop Services by publishing an update to ward off the threat. Customers were urgently advised to protect themselves by installing the critical update, as unprotected systems were exposed to an acute risk of malware. Experts warned of the risk of a new virus pandemic spreading through Remote Desktop Services, and before long a new threat has arrived. But first, let's recap what took place in 2019 with Microsoft Remote Desktop Services and what has happened since.
The Most Famous Remote Desktop Services Threat of 2019
The security gap CVE-2019-0708, which earned the title "BlueKeep", affected the Remote Desktop Protocol (RDP). Remote desktop technology enables remote access to another end device via a network. The security hole could be abused by sending specially crafted requests to the Remote Desktop Services of target systems. An unauthenticated attacker who successfully exploited the security gap could then install programs and view, change or delete data without any user interaction. A Microsoft Windows update addressed the vulnerability by correcting the way Remote Desktop Services process connection requests.
The security gap was attractive to attackers because a worm that had compromised a vulnerable system could spread automatically to other PCs. This meant that even computers that are not directly reachable from the Internet could be infected. Companies that tried to protect sensitive systems by supposedly decoupling them from the rest of the network could be hit particularly hard. Even though Microsoft had not yet identified a specific threat, the company was certain that a corresponding exploit already existed.
The good news was that older Windows systems such as Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008 were said to be primarily affected by the vulnerability. The number of endangered systems also had to be corrected downward, from an initial 7.6 million to around 1 million vulnerable PCs.
How seriously experts took the risk could be seen from the fact that the NSA also called for the Remote Desktop Services update to be installed.
A New Virus Pandemic Was Foreseen By Experts
Various incidents in previous years have shown that the risk posed by unpatched security gaps must be taken seriously. So-called ransomware in particular poses a danger that should not be underestimated: in these cases malicious programs encrypt files, and users are forced to pay if they want to regain access to their files or even prevent them from being lost completely. In 2017, ransomware attracted wider public attention due to large-scale attacks with the so-called WannaCry worm and the Petya ransomware Trojan. The damage caused at the time was considerable: hundreds of thousands of users were affected by the attacks, including many famous and prestigious companies operating worldwide. The WannaCry attack alone is said to have caused damage of 4 billion US dollars worldwide. Recourse against those responsible is almost impossible, since the perpetrators are usually abroad. The United States even suspected North Korea and Russia of being behind the 2017 attacks. Further attacks cannot be ruled out. In fact, individual attacks on Remote Desktop Services are taking place all the time, but they are seldom noticed by the public.
In view of this threat situation, it is generally advisable to take preventive action.
A New Threat Has Surfaced
For the second time within a short period, Microsoft reports that particularly dangerous security gaps have been found in Windows Remote Desktop Services. In a blog post by the Microsoft security team, these are referred to as "wormable", which means they could be used by a malware worm that spreads itself across the Internet without user interaction.
Microsoft apparently found the security gaps because Remote Desktop Services were subjected to a detailed analysis after the BlueKeep gap. The gaps were therefore not discovered by external security researchers. According to Microsoft, there is no evidence that anyone outside of Microsoft knew of the vulnerabilities.
With BlueKeep, there has been a lot of speculation about when an exploit that practically takes advantage of the vulnerability would become available. Some people claimed to have developed exploits, and some companies also sell them. So far, however, no exploit is publicly available; developing one is comparatively complex.
It can be assumed that there will be massive attacks on Windows systems connected to the Internet as soon as a corresponding exploit becomes public. This applies both to the older BlueKeep gap and to the DejaBlue gaps that have now been discovered.
Measures For Effective Protection
In addition to the protection provided by installing the update, further security measures are recommended. If Remote Desktop Services are not used, simply deactivating them already provides protection. The same advice applies to other unused functions: functions that are switched off generally reduce the security risk, since they cannot be used to attack a system. In the present case, we also recommend blocking TCP port 3389 in the firewall and activating Network Level Authentication (NLA). The latter means that attackers must present valid credentials before they can reach the vulnerable code remotely.
However, absolute protection beyond closing the current security gap is not possible. It is almost certain that more security holes will emerge that could be exploited by attackers. It is advisable to follow the recommendations of software manufacturers and the instructions of the security authorities carefully, and to check regularly for new updates.
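The measures above (disable Remote Desktop where it is not needed, require NLA, block TCP 3389 at the host firewall, confirm the update is installed) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft; it assumes a Windows 8 / Server 2012 or later host for the NetSecurity firewall cmdlets, and the KB number of the fix is a placeholder to be taken from the Microsoft advisory.

```powershell
# Added example: audit and apply the RDP hardening measures discussed above.
# Assumptions: run as Administrator; NetSecurity module present (Windows 8 /
# Server 2012+). $PatchKb is a placeholder, replace with the KB from the advisory.

$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$NlaKey  = "$RdpKey\WinStations\RDP-Tcp"
$PatchKb = 'KB0000000'   # placeholder KB number (not from the article)
$RuleName = 'Block inbound RDP (TCP 3389)'

function Get-RdpHardeningStatus {
    # fDenyTSConnections = 1 means Remote Desktop connections are turned off
    $deny = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required
    $nla  = (Get-ItemProperty -Path $NlaKey -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication
    # Look for any enabled inbound Block rule that covers TCP port 3389
    $block = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True `
             -ErrorAction SilentlyContinue | Where-Object {
                 $pf = $_ | Get-NetFirewallPortFilter
                 $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389')
             }
    # Get-HotFix lists installed updates by KB id
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RemoteDesktopDisabled = ($deny -eq 1)
        NlaRequired           = ($nla -eq 1)
        Port3389Blocked       = [bool]$block
        UpdateInstalled       = $patched
    }
}

function Disable-RemoteDesktop {
    # Only for hosts that do not need RDP at all
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 1 -Type DWord
}

function Enable-Nla {
    # Require authentication before a full RDP session is established
    Set-ItemProperty -Path $NlaKey -Name UserAuthentication -Value 1 -Type DWord
}

function Block-RdpPort {
    # Create the block rule once; skip if it already exists
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
    }
}

# Audit first, then remediate whatever is missing
$status = Get-RdpHardeningStatus
$status | Format-List

if (-not $status.NlaRequired)     { Enable-Nla }
if (-not $status.Port3389Blocked) { Block-RdpPort }
if (-not $status.UpdateInstalled) { Write-Warning "Update $PatchKb not found; install it via Windows Update." }

# Re-audit to confirm the changes took effect
Get-RdpHardeningStatus | Format-List
```

Note that the block rule makes RDP unreachable for everyone, administrators included, which matches the article's advice only for hosts where Remote Desktop is not needed; on hosts that must stay reachable, keep NLA on and confirm the update instead. `Disable-RemoteDesktop` is deliberately not called automatically for the same reason.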
Failure To Provide Protection Has Serious Consequences
It is evident that taking suitable measures is in a company's own interest, because the potential damage is out of all proportion to the effort of protecting the systems by installing the update.
Protection against malware should also be recommended to companies and private users so that they do not expose themselves to claims from third parties. Even if those affected are initially victims of an attack themselves, it cannot be ruled out that third parties will assert claims because their data was put at risk. In particular, tortious claims, for example due to violations of data protection rules, are conceivable. On top of the damage caused by the attack itself, this could mean further strain for those affected. Under which circumstances a company can be held responsible for a violation has not yet been conclusively settled. It is also unclear in this context whether companies can be required to protect themselves beyond installing software updates. Precisely because of this unclear and open legal situation, it is advisable to exercise caution and an increased degree of care in meeting IT security obligations.
Recourse against perpetrators has not yet been successful. The result is a growing number of cyber insurance policies that offer protection in the event of an attack. To what extent and under what conditions these will cover damage depends heavily on the individual case. In this context, the US food company Mondelez sued its insurer Zurich in the USA. Zurich had refused to cover the damage Mondelez suffered as a result of the Petya attack. Mondelez is now demanding $100 million in damages. Zurich rejected the claim for compensation on the grounds that the attack was a "hostile or armed act".
It is to be welcomed that the current gap was verified and closed in good time. For their part, customers of Microsoft Remote Desktop Services should help protect themselves by installing the update, because the risk of a virus pandemic remains real. Vigilant follow-up of information from software developers and security authorities is essential for consistent protection. You can also use third-party software such as Sunfirewall or others to protect yourself from attacks. In these trying times the burden of protecting your company or network that runs Remote Desktop Services falls on you, so it should be taken seriously.