On May 14, 2019, Microsoft issued a patch to correct a ‘wormable’ vulnerability in Windows, which is identical to the vulnerability that attackers exploited in the May 2017 WannaCry ransomware attacks.
The vulnerability involved a remote code execution in Remote Desktop Services – previously Terminal Services – that could be exploited through RDP.
The CVE-2019-0708 vulnerability can be exploited by sending specially crafted requests over RDP to a vulnerable system. No authentication is required, and the vulnerability can be exploited without any user interaction.
If it is exploited, malware can spread from one compromised computer to other vulnerable computers on the same network. If an attacker uses the vulnerability to deliver ransomware, healthcare organizations could face extensive file encryption and serious disruption to operations.
Microsoft has not received any reports indicating active exploitation of the vulnerability at this time. However, it is highly likely that exploits will be developed for the vulnerability and incorporated into malware.
The vulnerability does not affect Windows 8 and Windows 10, only earlier versions of Windows. Nonetheless, it is a concern for the healthcare industry because many healthcare organizations still use older, vulnerable operating systems.
Patches are available for Windows 7, Windows Server 2008, and Windows Server 2008 R2. The vulnerability is serious enough that Microsoft took the unusual step of also releasing patches for Windows XP and Windows 2003, even though both operating systems are no longer supported.
There is a workaround for organizations that use the operating systems listed above but cannot apply the patch. In such cases, TCP port 3389 should be blocked and Network Level Authentication (NLA) should be enabled to prevent exploitation of the vulnerability. Given how quickly vulnerabilities are exploited once a patch is released, it is crucial to apply the patch right away.
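As an added example (not part of the original article, and not Microsoft's own tooling), the following PowerShell script audits a Windows 7 or Windows Server 2008 (R2) host for the three controls just described, the patch, Network Level Authentication, and a host-firewall block on TCP 3389, and, when run with -Enforce, applies the two workarounds. It must be run from an elevated prompt. The KB number is a placeholder: take the correct update ID for the host's operating system version from Microsoft's advisory for CVE-2019-0708. The registry values and the netsh command are the standard ones for these operating systems; netsh is used instead of New-NetFirewallRule because that cmdlet does not exist on Windows 7 or Server 2008.

```powershell
<#
  Added example: audit and enforce the CVE-2019-0708 workarounds from the article
  (enable NLA, block inbound TCP 3389) and check whether the patch is installed.
  Run from an elevated PowerShell prompt on Windows 7 / Server 2008 (R2).
  $KbId is a placeholder; use the update ID from Microsoft's advisory.
#>
param(
    [switch]$Enforce,
    [string]$KbId = 'KBxxxxxxx'   # placeholder, see header comment
)

$rdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ruleName = 'Block inbound RDP (CVE-2019-0708 workaround)'

function Test-RdpMitigation {
    $props  = Get-ItemProperty -Path $rdpKey
    # Get-HotFix writes an error when the update is absent; suppress it and use the result as a boolean
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    # netsh prints "No rules match the specified criteria." when the rule does not exist
    $ruleOut = netsh advfirewall firewall show rule name="$ruleName" 2>&1

    # New-Object is used instead of [pscustomobject] so the script also runs on PowerShell 2.0
    New-Object PSObject -Property @{
        PatchInstalled   = [bool]$hotfix
        NlaRequired      = ($props.UserAuthentication -eq 1)   # 1 = NLA required before session setup
        TlsSecurityLayer = ($props.SecurityLayer -eq 2)        # 2 = TLS security layer
        Port3389Blocked  = [bool]($ruleOut -match 'Enabled:\s+Yes')
    }
}

function Set-RdpMitigation {
    # Require NLA so that a client must authenticate before the pre-authentication code path is reached
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord

    # Block inbound TCP 3389 at the host firewall unless our rule already exists and is enabled
    $existing = netsh advfirewall firewall show rule name="$ruleName" 2>&1
    if (-not ($existing -match 'Enabled:\s+Yes')) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    }
}

$before = Test-RdpMitigation
Write-Output 'Before:'
$before | Format-List

if ($Enforce) {
    Set-RdpMitigation
    Write-Output 'After:'
    Test-RdpMitigation | Format-List
}
elseif (-not ($before.PatchInstalled -or ($before.NlaRequired -and $before.Port3389Blocked))) {
    Write-Warning 'Host is unpatched and the workaround is incomplete: install the update or re-run with -Enforce.'
}
```

Two design notes. First, the block rule denies RDP from everywhere, which is what the article recommends; if RDP must stay reachable from an administrative network, the usual approach is to rely on the firewall's default inbound block and keep only an allow rule scoped with netsh's remoteip= to that network, since an explicit block rule in Windows Firewall overrides any allow rule. Second, NLA is a mitigation rather than a fix: it stops unauthenticated exploitation, but a user with valid credentials could still reach the vulnerable code, so the script treats "patched" as the only state that needs no further action.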
Slow patching was the reason the 2017 WannaCry attacks succeeded. Clearly, many organizations did not apply patches quickly, even patches for serious, actively exploited flaws.
The WannaCry attacks happened in May 2017 even though the patch for the flaw (MS17-010) had been available since March. Had the patch been applied promptly, the attacks could have been avoided.
WannaCry badly affected the UK’s National Health Service (NHS), hitting about 33% of all NHS Trusts and 8% of GP practices. The attacks cost the NHS approximately £92 million and forced the cancellation of 19,000 appointments. The global cost of WannaCry was approximately $4 billion.
CVE-2019-0708 could be exploited with consequences far worse than WannaCry. It is likely that the next malware variant will not have an easy kill switch like WannaCry did.
Besides the wormable vulnerability, Microsoft addressed 21 other critical flaws, including one that is being actively exploited and another that was publicly disclosed before a patch was released. Patches were also released for a new class of flaw in Intel processors. The Microarchitectural Data Sampling (MDS) flaws could enable a threat actor to deploy malware that extracts sensitive information from virtual machines, applications, trusted execution environments and operating systems.