Security insights from ThreatLocker
The latest “oops” moment for Microsoft is the discovery that an attacker can infect a connecting machine with malware from a Remote Desktop Session. Every few months a new vulnerability is discovered in Windows. Generally, by the time the vulnerability is public knowledge, Microsoft has released a security patch in Windows Update.
We have to assume that new exploits are going to continue to appear. And while patching these exploits is extremely important, sometimes a patch is not released, or our patch management does not deploy it, fast enough.
How can we protect ourselves from these vulnerabilities before Microsoft patches them?
Security should be more than a single layer. We must assume our security is going to fail at some layers, and that is why having multiple levels of security defenses is essential.
Before I get into how Application Whitelisting and Ringfencing would help stop this exploit from infecting your computer, we should discuss how the BlueKeep RDP vulnerability infects computers.
When you connect to a server infected with malware over a Remote Desktop Session with clipboard sharing enabled, the infected host can transmit malware onto your computer. As soon as you perform a copy or paste, the exploit transfers the malware at the same time. It does not appear that the exploit executes the malware on the connecting computer; however, the malware is often saved into a startup folder, so it will run when you restart your computer.
This vulnerability is worse for I.T. professionals and managed service providers who often connect to remote hosts regularly, in some cases to help with malware remediation.
You should not underestimate the importance of patching your computer to remove this vulnerability. However, it is also essential to make sure you have other layers to protect you from threats like this.
Application Whitelisting is a concept that is common practice in the federal government and other large enterprises as a method of stopping malicious software, including both known and unknown malware. Recently there has been a significant uptake among small to medium-size businesses and Managed I.T. Services providers using Application Whitelisting to protect their endpoints. This recent uptake is in part because of the systematic failures of antivirus software, combined with ThreatLocker's unique approach to application whitelisting, which makes it easier to deploy and manage.
Application Whitelisting is an extremely useful tool for stopping malware that was transmitted using the BlueKeep vulnerability from executing on your endpoints. Even though whitelisting itself does not stop the vulnerability from transmitting the malware, it does stop the malware from executing.
Ringfencing and Data Storage Control go one step further. Data Storage Control allows you to block write access to protected areas of the system, such as the startup folders, while Ringfencing builds fences around applications to define how they can interact with other software, files, network, or registry resources.
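As an added example (not ThreatLocker's code, and not part of the original post), the following PowerShell covers the two points above from the defender's side: it audits the per-user and all-users startup folders that the clipboard attack drops into, reporting each entry's real target, hash and Authenticode status so an unexpected or unsigned item stands out, and it writes an .rdp connection file with clipboard and drive redirection switched off for the next session to a host you do not fully trust. The folder paths and the .rdp settings are standard Windows ones; the host name is a placeholder.

```powershell
# Added example, not ThreatLocker's code. Assumes a Windows 10/11 or Server host
# with the standard startup folder locations; run in an elevated PowerShell session.

# The two startup folders the post describes as the malware's landing zone:
# one per user, one for all users. Anything here runs at the next logon.
$StartupFolders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)

function Resolve-StartupTarget {
    # Startup entries are often .lnk shortcuts; resolve them so the signature
    # check runs against the real executable, not the shortcut file.
    param([Parameter(Mandatory)][string] $Path)
    if ([IO.Path]::GetExtension($Path) -ieq '.lnk') {
        $shell  = New-Object -ComObject WScript.Shell
        $target = $shell.CreateShortcut($Path).TargetPath
        if ($target) { return $target }
    }
    return $Path
}

function Get-StartupFolderReport {
    # Lists every file in the startup folders with its hash and Authenticode
    # status. Unsigned or recently written entries are the ones to investigate.
    param([string[]] $Folders = $StartupFolders)

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -Force |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $target      = Resolve-StartupTarget -Path $_.FullName
                $targetExists = Test-Path -LiteralPath $target
                $sig = if ($targetExists) { Get-AuthenticodeSignature -FilePath $target } else { $null }
                [pscustomobject]@{
                    Entry     = $_.FullName
                    Target    = $target
                    Written   = $_.LastWriteTime
                    SHA256    = if ($targetExists) {
                                    (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                                } else { 'TARGET MISSING' }
                    # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

function New-RdpFileWithoutClipboard {
    # Writes a connection file for mstsc.exe with clipboard, drive and printer
    # redirection switched off, so a compromised host cannot use the clipboard
    # channel to push files onto the connecting machine.
    param(
        [Parameter(Mandatory)][string] $ComputerName,
        [string] $Path = (Join-Path $env:TEMP "${ComputerName}.rdp")
    )
    @(
        "full address:s:$ComputerName",
        'redirectclipboard:i:0',   # no clipboard sharing with the remote session
        'drivestoredirect:s:',     # no local drives mapped into the session
        'redirectprinters:i:0'     # no printer redirection
    ) | Set-Content -LiteralPath $Path -Encoding ASCII
    return $Path
}

# Usage: show startup entries whose target is not validly signed.
Get-StartupFolderReport | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize

# Usage: connect without sharing the clipboard (host name is a placeholder).
# mstsc.exe (New-RdpFileWithoutClipboard -ComputerName 'rdp-host.example.internal')
```

The report is deliberately read-only: it tells you what would run at next logon and whether it is signed, and leaves the decision to remove an entry to the analyst. The .rdp file approach is per connection; the same `redirectclipboard:i:0` line can be placed in a user's Default.rdp so that every new connection starts with the clipboard off.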
If you would like to see how ThreatLocker® is an excellent addition to your security stack, book a free web demonstration.