BlueDoom – You Should Be Concerned

Right on the heels of the WannaCry ransomware infestations comes a new worm called BlueDoom. This worm was caught in a honeypot, and it uses the EternalBlue exploit the NSA developed—and a hacker group called The Shadow Brokers stole. Similarities to Conficker from 2008 abound. BlueDoom appears to have weaponized all the exploits in the EternalBlue leak and poses a big risk as a launch pad for future attacks. The payload includes a Command and Control (C&C) communication channel over which it receives a second-stage payload. As of 6:00 a.m. ET on Friday, May 19, 2017, about half of the AV providers correctly identify and block BlueDoom. Only about 25 percent of major AV products identify the second stage.

This worm has very strong persistence capabilities and would be very difficult to remove from a Windows-based OS without reimaging the system. It is a Windows-specific worm that will not infect Linux or Mac systems.  

BlueDoom is proof again of the importance of not relying on any one security control. With WannaCry it took several days until the AV vendors could consistently detect and block the rapidly spreading ransomware. New variants like Adylkuzz and BlueDoom, which both use EternalBlue and the other SMB vulnerabilities leaked by The Shadow Brokers, take time to detect reliably, so many machines around the world are infected before AV alone becomes an effective measure to prevent infection.

After a machine is infected, the recommendation from many security experts is to re-provision the system and then restore from a known good backup. It is the only way you can be sure you have properly cleaned everything off. That being the case, you need to stop nasty malware like BlueDoom and WannaCry before it gets a foothold in your environment.

Ivanti’s Recommended Defense-in-Depth Strategy

  • Application control protects against zero days, ransomware, and untrusted software. A properly implemented whitelist would have prevented WannaCry and BlueDoom from infecting a machine altogether.
  • Patch and vulnerability management reduces the attack surface significantly—much of which is made up of software. Not all attacks will use a software vulnerability to get into a system, but many will. User-targeted vulnerabilities in browsers, media products like Flash and Reader, Office products, and OS vulnerabilities allow threats to enter an environment through phishing attempts, malicious websites, and so on. Vulnerabilities like the various EternalBlue SMB exploits allow malware to spread rapidly, which is what gives BlueDoom and WannaCry their nasty wormlike capabilities.
  • Privilege management reduces what attackers can do once they’ve compromised a system. It limits their toolkit once they are on a system and reduces pivot or lateral movement through an organization.
  • Antivirus software and Endpoint Protection Platforms (EPPs) detect and stop bad behavior or known malicious files. They’re very effective once they know the patterns or signatures to detect, but they often leave a breach window early on, as we saw with the BlueDoom and WannaCry cyberattacks. 
  • User training is a very important part of any security strategy. If you do not train your users, you’re going to have more incidents to deal with. Regular user training will not stop cyber threats altogether, but it will help reduce how many people fall prey to things like phishing attacks, which are a common entry point into an environment. 

The most important takeaway from this series of cyber attacks is that cybersecurity is an ongoing effort.  WannaCry may be winding down, but new threats have already risen to take its place, and they look even more threatening. Our recommendations for immediate action are:

1. Patch the SMB vulnerabilities ASAP!! No more delaying. You either need to patch or disable SMB. And if you disable SMB, you’re probably causing the same level of disruption you’ve been trying to avoid by patching it.

  • For Windows 10 you can push any of the cumulative updates since March.
  • For Windows 7, 8.1, Server 2008, 2008 R2, 2012, and 2012 R2 you can push the Security Only or Cumulative Rollup for March, April, or May.
  • For those of you still running legacy systems like XP or Server 2003, Microsoft has released the MS17-010 update for those platforms as well. Ivanti has added them to our catalogs for our proprietary solutions and for our SCCM catalog.
  • If you are not using an Ivanti product today and are struggling to roll these updates out, you can take advantage of our free Get Well Quick offer.  From now until June 15th we are offering a 90-day full license of our patch solutions to help the global community reduce the propagation of these cyber attacks.
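As an added example (not Ivanti's tooling or code), the PowerShell below audits a single host for the two things step 1 asks for: whether the MS17-010 update is present and whether SMBv1 is still enabled, with an opt-in switch to disable SMBv1 that honours -WhatIf. The KB list is a placeholder; fill it with the MS17-010 KB numbers for your operating system from the Microsoft bulletin.

```powershell
# Added example, not part of the original post or any Ivanti product.
# Audits a Windows host for the MS17-010 / SMBv1 exposure discussed above.
# $RequiredKBs is a PLACEHOLDER list: replace it with the MS17-010 KB ids for your OS.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$RequiredKBs = @('KBxxxxxxx'),   # placeholder, not a real KB number
    [switch]$DisableSmb1                       # opt-in; disabling SMB can disrupt legacy clients
)

function Get-Smb1Status {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: LanmanServer 'SMB1' registry value; absent means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-RequiredKBs([string[]]$KBs) {
    # Get-HotFix reads Win32_QuickFixEngineering; one row per KB you asked about.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

$smb1 = Get-Smb1Status
Write-Output ("SMBv1 server enabled on {0}: {1}" -f $env:COMPUTERNAME, $smb1)
Test-RequiredKBs -KBs $RequiredKBs | Format-Table -AutoSize

if ($DisableSmb1 -and $smb1) {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
            Write-Warning 'Reboot required for the registry change to take effect.'
        }
    }
}
```

Run it as an administrator; use `-DisableSmb1 -WhatIf` first to see what would change before committing, since the post notes that turning SMB off can cause its own disruption.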

2. Review your security strategy. Determine what additional security measures you can implement to achieve a more resilient and secure environment.

  • Application control
  • Privilege management
  • User education
  • URL defense
  • Backup and restore capabilities to recover from cyber attacks
  • Secure Incident Response and Risk Management modules (integrate them into your service management processes)
  • Discovery services / Secure Asset Management (to ensure you’re able to find unmanaged devices and software on your network—because you can’t secure what you don’t know about.)

Chris Goettl

Chris Goettl has over 15 years of experience in IT Management. He spent several years working in IT before joining Shavlik in 2004. Chris started in the Shavlik support team, supported OEM partners integrating Shavlik SDKs, worked in Sales as a Systems Engineer, and is now the Product Manager for the Shavlik Protect product line.