Earlier this month Microsoft released an emergency patch for all versions of Windows, all the way back to Windows XP, due to a zero-day vulnerability which had a very real potential to be another WannaCry.
Now Errata Security reports that while most people have patched their PCs there remains at least 1 million unpatched devices in the wild and that hackers have started scanning for their open ports.
“That means when the worm hits, it’ll likely compromise those million devices,” said Robert Graham, researcher with Errata Security. “This will likely lead to an event as damaging as WannaCry and notPetya from 2017 – potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.”
CVE-2019-0708, now called a more digestible BlueKeep, is a remote code execution flaw in Remote Desktop Services and affects Windows 7, Windows XP, Server 2003 and Server 2008. Microsoft urged administrators to update impacted Windows systems as soon as possible, but not all devices were patched.
“The upshot is that these tests confirm that roughly 950,000 machines are on the public Internet that are vulnerable to this bug,” said Graham. “Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.”
Many unpatched devices are PCs integrated with medical and industrial equipment, which tends to be updated rarely.
Several impacted devices include Siemens devices such as radiation oncology products, laboratory diagnostics products, Radiography and Mobile X-ray products and point of care diagnostics products.
“Some of these Siemens Healthineers products are affected by this vulnerability,” said Siemens in an advisory. “Depending on the target system and intent of the attacker, a successful exploit could result in data corruption and potential harm for patients and/or the environment.”
Siemens is releasing an update in June, but in the meantime suggests end-users disable RDP.
Researchers with GreyNoise over the weekend said that they are “observing sweeping tests for systems vulnerable to the RDP ‘BlueKeep’ (CVE-2019-0708) vulnerability from several dozen hosts around the Internet.”
“This [bug] would have the potential of a global WannaCry-level event,” said Chris Goettl, director of product management for security at Ivanti, during Patch Tuesday.
Microsoft recommends users patch their systems before the hacker’s hammer falls.