Over 800,000 Systems Still Vulnerable to BlueKeep Attacks

Users and organizations continue to patch the Windows vulnerability tracked as BlueKeep and CVE-2019-0708, but over 800,000 systems are still exposed to attacks.

BitSight reported on Wednesday that its latest scan, conducted on July 2, showed over 805,000 devices vulnerable to BlueKeep attacks, 167,000 fewer than it had identified on May 31.

“Assuming a simplistic average, this represents an average decrease of 5,224 exposed vulnerable systems per day. By consistently observing individual vulnerable systems that remain exposed to the Internet and then identifying when they’re patched, we can calculate that at minimum an average of 854 vulnerable systems per day are patched. The difference between these two estimates may represent systems which no longer expose the service to the Internet today, or those that are changing IP addresses frequently,” BitSight said.

Errata Security’s Robert Graham, who also conducted a scan in late May and discovered more than 923,000 vulnerable systems, on Wednesday reported seeing roughly 730,000 machines. However, Graham admitted that BitSight’s results are likely more “reliable” than his.

According to BitSight, the telecommunications industry is by far the most affected, with over 30% of companies having exposed vulnerable devices. This sector is followed at a distance by education (6%) and technology (5%). At the other end of the chart we have the legal, insurance and finance sectors. It’s worth noting, however, that at least some progress has been observed across all industries.

“Telecommunications and Education often provide transit services and thus many of the issues affecting those industries are on systems of their customers. Residential networks are included as part of the Telecommunication industry while in Education, the largest group typically represents students,” BitSight explained.

Data collected by the company shows that the highest number of vulnerable systems is in China, followed by the United States. However, these two countries also accounted for the highest number of systems patched between May 31 and July 2.

On the other hand, in countries such as South Korea and Estonia, the number of exposed vulnerable systems has increased by 14% and 32%, respectively.

“While the number of unpatched systems has decreased since May, it’s simply not enough,” Bob Huber, CSO of Tenable, told SecurityWeek. “There is a lot of FUD in the security industry, but that’s not the case here. Organizations and users alike should not brush this off as ‘hype.’ This vulnerability is no joke; BlueKeep has all the makings of becoming the next WannaCry or NotPetya. Patch now before it’s too late.”

BlueKeep impacts Windows Remote Desktop Services (RDS) and was addressed by Microsoft in May with patches for Windows 7, Server 2008, XP and Server 2003. The vulnerability is wormable: malware can leverage it to spread in much the same way the notorious WannaCry ransomware did back in 2017 through the EternalBlue exploit. An unauthenticated attacker can leverage the flaw to execute arbitrary code and take control of a device without any user interaction.

Both the DHS and the NSA have issued alerts urging users and organizations to install the patches from Microsoft.

Several companies and researchers have created proof-of-concept (PoC) exploits for BlueKeep, but there are no public reports of attacks exploiting the vulnerability. Many experts think it’s only a matter of time until it’s exploited, and some even believe that it may have already been leveraged by malicious actors, but in more targeted attacks that have not been detected by cybersecurity firms.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.