Severe BlueKeep flaw still plaguing outdated connected medical devices

Despite Microsoft releasing a patch for the 2019 BlueKeep vulnerability, CyberMDX discovered that 22% of hospital Windows devices are still exposed to BlueKeep. This puts medical devices at a much higher risk of BlueKeep exploitation and, ultimately, ransomware.

In May 2019, Microsoft released a patch for a vulnerability known as BlueKeep. BlueKeep is a flaw in the widely used Microsoft Remote Desktop Protocol (RDP) that allows an attacker to take remote administrative control of an endpoint. It is worth noting that the vulnerability was so critical that Microsoft also released a patch for systems it no longer supported, and the NSA urged system administrators to apply it immediately.

Yet here we are, almost a year later, and BlueKeep is still making headlines. Researchers from the security company CyberMDX estimate that 22% of hospital Windows devices are still exposed to BlueKeep. Additionally, 45% of connected medical devices run on Windows. What does this mean for healthcare organizations? The big picture is that hospitals, clinics, and doctors' offices are at a higher risk of ransomware, because BlueKeep is commonly used as a vector to deliver it.

Ransomware prevents users from accessing their systems until they pay a set ransom, completely bringing down healthcare operations in the process. Cybersecurity Ventures, a security firm, estimates that, globally, a business will fall to ransomware every 11 seconds. Moreover, statistics show the healthcare sector is disproportionately affected by BlueKeep because the majority of hospitals still rely on archaic operating systems like Windows XP and Windows 7. The enormous number of unpatched medical devices puts healthcare organizations at a significantly higher risk of falling victim to BlueKeep.
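As an added example that is not part of the article, the following PowerShell check is one a hospital IT team could run on each Windows host to surface the exposure factors described above: Remote Desktop enabled and listening, a legacy OS version, and the BlueKeep fix absent. The hotfix IDs are placeholders to be filled in from Microsoft's advisory for each OS version; the registry paths and cmdlets used are standard Windows ones, and the netstat match assumes English-language output.

```powershell
# Added example (not from the article): audit one Windows host for the
# exposure factors the article describes. Run in an elevated session.
# PLACEHOLDER: replace with the hotfix IDs from Microsoft's BlueKeep advisory
# for this host's OS version (they differ per Windows release).
$BlueKeepPatchKBs = @('KB0000000')

# Get-WmiObject rather than Get-CimInstance so the script also runs on the
# Windows 7 era hosts (PowerShell 2.0) the article is concerned with.
$os = Get-WmiObject -Class Win32_OperatingSystem

# fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required, so a
# client must authenticate before reaching the pre-auth RDP code. Microsoft
# listed NLA as a partial mitigation for unpatched hosts.
$rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaRequired = ($rdpTcp.UserAuthentication -eq 1)

# Is anything actually listening on the default RDP port? netstat is used
# because Get-NetTCPConnection does not exist on older Windows versions.
$rdpListening = [bool]((netstat -an) | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

# XP, Vista/2008 and 7/2008 R2 report NT versions below 6.2: the "archaic"
# systems the article says still dominate hospital networks.
$legacyOS = ([version]$os.Version -lt [version]'6.2')

# Compare installed hotfixes against the (placeholder) patch list.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$patched = [bool]($BlueKeepPatchKBs | Where-Object { $installed -contains $_ })

# At risk when RDP is reachable on a legacy OS and the fix is missing.
$atRisk = $rdpEnabled -and $rdpListening -and $legacyOS -and (-not $patched)
$recommendation = 'No action from this check'
if ($atRisk -and $nlaRequired) { $recommendation = 'Patch; NLA only reduces exposure until then' }
elseif ($atRisk)               { $recommendation = 'Patch now, or disable RDP / require NLA until patched' }

New-Object PSObject -Property @{
    Host           = $env:COMPUTERNAME
    OSVersion      = $os.Version
    LegacyOS       = $legacyOS
    RDPEnabled     = $rdpEnabled
    RDPListening   = $rdpListening
    NLARequired    = $nlaRequired
    Patched        = $patched
    AtRisk         = $atRisk
    Recommendation = $recommendation
}
```

Running it across a fleet (for example via a remoting or management tool) and collecting the objects gives the per-site exposure percentage the article quotes for hospitals.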


Healthcare and the vicious BlueKeep Cycle

As cybercriminals weaponize BlueKeep to deliver ransomware, the ramifications are scary. For one, the fiscal implications of ransomware have led to it being placed onto budget sheets and disaster recovery plans. This is in part because paying the ransom itself can be costly, and threat actors often demand payment in hard-to-trace forms such as cryptocurrency. Unfortunately, even when it pays, an organization is still not guaranteed control of its systems, because there are simply no absolutes when negotiating with cybercriminals. Furthermore, the cost of fully recovering from a ransomware attack is not limited to the payment. Experts at Vanson Bourne, an enterprise technology research company, found that it takes roughly 33 hours for an organization to recover from a ransomware attack. Additionally, the revenue lost to downtime, the cost of restoring systems and the inherent reputational damage make ransomware a particularly high-risk problem.

From a healthcare perspective, the irreplaceable data held on health monitoring devices is vital to the organization. This forces hospitals to conform to a cybercriminal's every demand. Herein lies the BlueKeep cycle. Healthcare organizations are more susceptible to BlueKeep because they operate unpatched medical devices. These medical devices remain unpatched because they are critical to the objective of treating patients. However, if BlueKeep successfully exploits a vulnerable device such as a heart monitor, it could replicate itself across the network and thus act as an attack vector for ransomware. In that case, a ransomware attack could easily bring a hospital to its knees, all but guaranteeing that the ransom is paid. That payment can then be channeled to fund nation-states, human trafficking or other sinister activities, ultimately encouraging cybercriminals to target sectors such as hospitals that run obsolete systems.


The failure to patch can have deadly consequences

Beyond monetary and reputational concerns lies the fear for human life. Ransomware has caused hospitals to temporarily stop treating patients, making it a particularly devastating attack. The very nature of treating patients in order to save or improve lives has contributed to the postponement of necessary patches. Patches are put on the back burner because there is no tolerance for downtime when a patient's life is at stake. This can be entirely rational: nobody wants to see the blue screen of death on the respirator keeping them alive, or to provoke a malfunction that stays invisible until it is too late. However, it is this mindset that has left healthcare organizations more vulnerable to ransomware than other industries. As a network protocol vulnerability, BlueKeep is wormable, which lends itself to propagating ransomware attacks. It bypasses any need for human interaction, such as the attached links of traditional email-borne ransomware, and can instead reproduce itself across a network on its own.

The combination of unpatched systems, low tolerance for downtime, lack of critical system redundancy and irreplaceable data brews the perfect storm for an attacker to exploit BlueKeep as a ransomware weapon of destruction. This gives attackers the power to potentially paralyze an entire hospital with very little effort. As dramatic as this sounds, it is the harsh reality. Nefarious actors will continue to prey on organizations using outdated systems because the financial gain is practically guaranteed. Silent Sector offers state-of-the-art vulnerability scanning and network penetration tests to help companies eliminate avenues that attackers will inevitably try to exploit.


About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DEF CON. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon's goals is to make the connected world safer by bridging the human aspect with technology.