
Disconnect Process for Hosts Vulnerable to BlueKeep RDP Vulnerability

Reports indicate that a researcher has successfully created remote exploit code for the BlueKeep RDP vulnerability (CVE-2019-0708) [1]. In the past, one researcher's success has reliably been followed by other teams producing similar code. Once remote exploit code for BlueKeep becomes available, it could be used to build a self-propagating virus, or worm.

The pattern we saw with EternalBlue, a similar bug from 2017, where destructive worms followed the release of exploit code, could well repeat here. WannaCry was the most famous resulting worm, but the subsequent NotPetya worm showed a more concerning pattern: automatic spreading through EternalBlue was augmented with other lateral movement techniques (credential theft combined with PsExec and WMI). This allowed NotPetya to enter networks through vulnerable hosts and then rapidly compromise and destroy hosts that were not themselves vulnerable to EternalBlue.

In order to avoid the outbreak of a network worm targeting BlueKeep at Penn, OIS is planning to issue disconnect notices for Internet-exposed hosts vulnerable to BlueKeep, as they represent an imminent threat of harm to PennNet, as described in the Policy on Computer Disconnection from PennNet [2].

OIS has completed an updated campus-wide scan of hosts listening on RDP and dispatched to responsible LSPs a list of their hosts vulnerable to BlueKeep. OIS has also automated the scanning for and alerting on hosts vulnerable to BlueKeep, to provide ongoing detection of the vulnerability. Going forward, when a vulnerable host is found, a notification will be sent from our ticketing system in the same manner we use to notify about compromised hosts.

After LSPs receive a notification of a host vulnerable to BlueKeep, they will have two business days to patch that system. If the system remains unpatched after that, we will request that ISC Networking disconnect the host from the network. Patching is the required remediation; blocking RDP at the firewall or enabling Network Level Authentication reduces exposure in the meantime but does not by itself clear the vulnerability.
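The notify-then-disconnect workflow above, as an added worked example (not OIS's tooling or any code from the original announcement): it takes scan records, keeps only the BlueKeep-vulnerable hosts, gives Internet-exposed ones a disconnect deadline two business days after the notice date, groups notices by LSP, and, on rescan, lists the hosts whose deadline has passed and that are still vulnerable. The record format, the LSP addresses, the host addresses, the notice and rescan dates, and the treatment of internal-only hosts (advisory notice, no disconnect deadline) are all assumptions for the example; weekends are skipped but holidays are not modelled.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample scan output (assumed format); these are not real PennNet hosts or LSPs.
SCAN_RESULTS = [
    {"host": "198.51.100.10", "lsp": "lsp-a@example.edu", "rdp_listening": True,  "bluekeep_vulnerable": True,  "internet_exposed": True},
    {"host": "198.51.100.11", "lsp": "lsp-a@example.edu", "rdp_listening": True,  "bluekeep_vulnerable": False, "internet_exposed": True},
    {"host": "10.0.5.20",     "lsp": "lsp-b@example.edu", "rdp_listening": True,  "bluekeep_vulnerable": True,  "internet_exposed": False},
    {"host": "198.51.100.12", "lsp": "lsp-b@example.edu", "rdp_listening": True,  "bluekeep_vulnerable": True,  "internet_exposed": True},
    {"host": "198.51.100.13", "lsp": "lsp-c@example.edu", "rdp_listening": False, "bluekeep_vulnerable": False, "internet_exposed": True},
]

# Assumed dates for the example: notices go out on a Friday, rescan happens the following Wednesday.
NOTICE_DATE = date(2019, 9, 6)
RESCAN_DATE = NOTICE_DATE + timedelta(days=5)
# Assumed rescan result: only one of the noticed hosts is still vulnerable.
RESCAN_STILL_VULNERABLE = {"198.51.100.10"}


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` business days (Mon-Fri). Holidays are not modelled (assumption)."""
    d = start
    remaining = days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # Monday=0 ... Friday=4
            remaining -= 1
    return d


@dataclass(frozen=True)
class Notice:
    lsp: str
    host: str
    severity: str            # "disconnect" for Internet-exposed vulnerable hosts, "advisory" otherwise (assumption)
    patch_by: date | None    # disconnect request goes out after this date; None for advisory notices


def build_notices(results, notice_date: date, grace_business_days: int = 2) -> list[Notice]:
    """One notice per vulnerable host; only Internet-exposed hosts get a disconnect deadline."""
    notices = []
    for r in results:
        if not r["bluekeep_vulnerable"]:
            continue
        if r["internet_exposed"]:
            deadline = add_business_days(notice_date, grace_business_days)
            notices.append(Notice(r["lsp"], r["host"], "disconnect", deadline))
        else:
            notices.append(Notice(r["lsp"], r["host"], "advisory", None))
    return notices


def group_by_lsp(notices: list[Notice]) -> dict[str, list[Notice]]:
    """Group notices so each LSP receives a single ticket listing all of their hosts."""
    grouped = defaultdict(list)
    for n in notices:
        grouped[n.lsp].append(n)
    return dict(grouped)


def overdue_hosts(notices: list[Notice], today: date, still_vulnerable: set[str]) -> list[str]:
    """Hosts past their deadline that the rescan still flags as vulnerable: candidates for a disconnect request."""
    return sorted(
        n.host
        for n in notices
        if n.severity == "disconnect"
        and n.patch_by is not None
        and today > n.patch_by
        and n.host in still_vulnerable
    )


if __name__ == "__main__":
    notices = build_notices(SCAN_RESULTS, NOTICE_DATE)
    for lsp, items in group_by_lsp(notices).items():
        print(lsp)
        for n in items:
            print(f"  {n.host}: {n.severity}" + (f", patch by {n.patch_by}" if n.patch_by else ""))
    print("disconnect requests:", overdue_hosts(notices, RESCAN_DATE, RESCAN_STILL_VULNERABLE))
```

The rescan step matters: a disconnect request is keyed on the host still being vulnerable after the deadline, not merely on the deadline having passed, so a host that was patched (or taken off the Internet-facing network) in the grace period drops out of the list.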

Thank you for working to keep PennNet hosts safe.

[1] https://www.bleepingcomputer.com/news/security/metasploit-module-created-for-bluekeep-flaw-private-for-now/

[2] http://www.upenn.edu/computing/policy/disconnect.html