Cybersecurity experts have been sounding alarms for weeks since the disclosure in May of BlueKeep, a vulnerability in older versions of Windows with the potential of exposing systems to a particularly aggressive wave of cyberattacks like ransomware. State and local governments that have not moved off those outmoded operating systems could be at particularly high risk, according to Renaud Deraison, the chief technology officer and a co-founder of the cybersecurity company Tenable.
BlueKeep allows for the unauthorized use of Remote Desktop Protocol, a Microsoft tool that allows systems administrators to access computers remotely, with the power to install programs and alter or delete data. Along with providing an opening for malicious actors, BlueKeep is also “wormable,” meaning that viruses that use the vulnerability can spread to other networked systems.
Upon revealing the BlueKeep vulnerability, Microsoft released patches for some of its older operating systems, including Windows 7 and Windows Server 2008. It even patched Windows Server 2003 and Windows XP, two operating systems Microsoft stopped supporting several years ago. Yet those older operating systems continue to be used by many local governments, making them susceptible in the event of a BlueKeep-based attack, Deraison said.
“Things look pretty bleak,” he said. “If BlueKeep becomes a worm, it’s likely to affect older systems.”
And if that occurs, Deraison said, it could give rise to new ransomware attacks, similar to the WannaCry virus in 2017 that eventually infected more than 200,000 devices around the world. Among the list of WannaCry victims were several state and local governments inside the United States, including Cook County, Illinois; Murfreesboro, Tennessee; and the state of Connecticut.
The spread of the WannaCry virus, which the United States has accused North Korea of perpetrating, netted roughly $100,000 in ransom payments, though the total cost to victims that had to rebuild or replace their affected systems reached as high as $4 billion worldwide, according to some estimates.
Recent reviews of major ransomware attacks in Atlanta and Baltimore found both cities had been running outdated operating systems. In Baltimore, which is still recovering from the RobbinHood ransomware, a risk assessment conducted before September 2017 faulted the city’s IT department for maintaining two servers that collectively supported more than 100 applications on an unspecified version of Windows that was no longer supported by Microsoft. And in Atlanta, a city auditor’s report completed two months before a devastating March 2018 SamSam malware attack found nearly 100 municipal government servers running on Windows Server 2003, which Microsoft cut ties with in 2015.
Deraison said many local governments, even larger ones, install computer systems but then fail to apply patches and security updates, which should cut down the risk of an attack that cripples services.
“The important thing is to monitor the systems and patch them and not [only] put out fires every so often,” he said. “What you see in environments where IT is seen as less critical, you have a lot of initial deployment of new technology and then nobody’s maintaining it.”
Simply throwing money at the problem isn’t enough, Deraison said.
“If local governments spent everything they could today and upgraded to the latest versions of Windows, they would still face the same issues, because it’s all about the process,” he said.
Meanwhile, as reported this week by CyberScoop, the cybersecurity community at large is bracing for an onslaught of new attacks making use of the BlueKeep vulnerability.
“Every CISO right now should have a plan already written down to deal with BlueKeep once the exploit starts surfacing,” Craig Williams of Cisco Talos told CyberScoop.
“This advance warning gives potential victims, like local governments, a moment to get smart about the vulnerability,” Deraison said.
“They shouldn’t wait for an actual malware to start patching,” he said. “We tell our customers to use this period where there’s a lot of research going on to start patching their systems. And after that they should have a process in place to make note of known vulnerabilities and deploy patches and whatnot.”