Earlier this month, the National Security Agency (NSA) issued a warning to Windows users -- especially businesses running older versions of Windows -- to patch their systems against the BlueKeep wormable exploit. At the time, the NSA wrote, "NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."
Now the Cybersecurity and Infrastructure Security Agency (CISA) -- the cybersecurity wing of the Department of Homeland Security -- is issuing its own warning about BlueKeep and the danger it poses to unpatched Windows systems. As we've previously reported, BlueKeep takes advantage of a vulnerability in the Remote Desktop Protocol (RDP) which allows an attacker to send malformed packets to a system and achieve remote code execution.
According to CISA, it worked with outside partners to demonstrate that it's possible to run remote code on Windows 2000 systems with BlueKeep. However, considering that Windows 2000 is two decades old at this point, it shouldn't be too surprising that internet-facing machines running this OS would be susceptible to such a wormable exploit. Operating systems of similar vintage, including Windows XP, are also vulnerable without a patch (which you can download directly from Microsoft).
Because the exploit is wormable, an attacker needs access to only one system on a network and can then propagate quickly to other PCs on that network, further spreading the infection.
"CISA encourages users and administrators to review the Microsoft Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 and apply the appropriate mitigation measures as soon as possible," CISA writes in its alert.
Although Microsoft hasn't released patches for Windows 2000 given its age, it has done so for Windows Vista, Windows XP, and Windows Server 2003. If you're still running Windows 2000, now might be the time to seek newer alternatives (à la Windows 10).
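For administrators who need to find which machines the advisory applies to, the following PowerShell triage script is an added example, not part of the article or of Microsoft's or CISA's guidance. It uses only what the article states (CVE-2019-0708 lives in RDP, Windows 2000 has no patch, Windows XP, Vista and Server 2003 do) and reports whether the local host is one of those versions and whether its RDP listener is enabled. The registry paths and WMI class are the standard Windows ones; the version-to-family mapping and the status strings are this example's own assumptions, and any version the article does not name is reported as "not covered", not as safe.

```powershell
# Added example: local BlueKeep (CVE-2019-0708) exposure triage.
# Assumes it is run as an administrator. Get-WmiObject is used instead of
# Get-CimInstance so the script also runs on PowerShell 2.0 (XP SP3 / Server 2003).

$os      = Get-WmiObject -Class Win32_OperatingSystem
$version = [version]$os.Version            # e.g. 5.1.2600 on Windows XP

# Assumed mapping of NT version to the families the article names.
# 5.2 covers both Windows XP x64 and Windows Server 2003, so the OS caption
# is reported alongside the status rather than guessing a single name.
$status = switch ("$($version.Major).$($version.Minor)") {
    '5.0'   { 'Article: Windows 2000 - no patch available; isolate or migrate' }
    '5.1'   { 'Article: Windows XP - patch available from Microsoft' }
    '5.2'   { 'Article: Windows XP x64 / Server 2003 - patch available from Microsoft' }
    '6.0'   { 'Article: Windows Vista - patch available from Microsoft' }
    default { 'Not one of the versions this article covers; check the Microsoft advisory' }
}

# RDP is enabled when fDenyTSConnections is 0 (standard Terminal Server key).
$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled  = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0

# The listener port is usually 3389 but can be changed via PortNumber.
$portKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$port    = (Get-ItemProperty -Path $portKey -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

# Confirm the port is actually listening (netstat output is parsed as text
# because Get-NetTCPConnection is not available on the older versions involved).
$listening = [bool](netstat -an | Select-String -Pattern (":$port\s+\S+\s+LISTENING"))

# One object per host makes this easy to collect across an inventory.
New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    OSCaption    = $os.Caption
    OSVersion    = $os.Version
    Status       = $status
    RDPEnabled   = $rdpEnabled
    RDPPort      = $port
    RDPListening = $listening
}
```

Run it on each host (or through whatever remote execution tool is already in use) and collect the objects: anything reporting the Windows 2000 status with RDPListening set to true is the case the article singles out, since no patch exists and the only options are to disable RDP, isolate the machine, or migrate it; hosts with a patch available are the ones to update first.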