Server Message Block (SMB) – Mitigate Attack Using SMBs

Some of the most destructive ransomware and Trojan malware variants depends on the vulnerabilities in the Windows Server to propagate through an organization’s network. 90% of the businesses lack any data protection for their company and customer information. It is essential for an individual to take a close look at the vulnerabilities as it’s done – through a website, through an email, and through links! 

In this blog below, we will be talking about the features of SMBs and how can the attack be mitigated.

Contents:

1. What about SMB?
2. What makes SMBs so effective?
3. SMB vulnerabilities
4. How to mitigate the attack

What about SMB?

The Server Message Block (SMB) is a network file sharing protocol running on port 445. It’s implemented in Microsoft Windows Server as the Microsoft SMB service. Windows 8 has a contract installed by default. While the SMBv1 still exists on operating systems with SMBv2 and SMBv3 protocol was introduced in Windows 8 and Windows Server 2012 with an SMB encryption feature.

Server Message Block (SMB) is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. SMB provides support for what is known as SMB Transactions.  Using SMB Transactions enable atomic read and write to be performed between as SMB client and server. SMB Relay Attack is a type of attack that relies on NTLM Version 2 authentication that is typically used in most of the companies. When we are going in the network, unfortunately, we’re able to capture a specific part of the traffic related to the authentication and also relay it to other servers.

SMB functions as a request-response or client-server protocol. The only time that the protocol does not work in a response-request framework is when a client requests an opportunistic lock. Client computers using SMB connect to the supporting server using NetBIOS over TCP/IP, IPX/SPX, or NetBUI and, once the connection is established, it can open, read/write, and access files similar to the file system on a local computer.

What makes SMBs so effective?

SMBs are experiencing highly sophisticated and targeted cyber attacks. There is obviously a failure using strong passwords, two-factor authentication, and unique passwords for websites, applications, and systems. Most SMBs struggle with the capability to manage cybersecurity protections and mitigation of attacks – especially data breaches. The majority of the smaller businesses fall out of business within six months after a cyberattack. Moreover, using the business giants, SMBs cannot afford the financial hit of data breaches.

Since SMB and NetBios/NetBT (a famous protocol co-developed by IBM and Sytek for computer networking) services enabled by default, the malicious components intruders can query these services to gather information. The SMB vulnerabilities are successful enough that they’ve used some of the most visible ransomware outbreaks. The researchers have recorded 5,315 detections of Emotel and 6,222 of TrickBot in business networks. The specialty of the malware that it propagates and the massive spam campaigns renders a few victims. It’s like a worm infection that keeps spreading itself with little efforts for multiplying returns. Three well-known exploits in the wild use SMB vulnerabilities :

1. EternalBlue (used by WannaCry and Emotet)
2. EternalRomance (NotPetya, Bad Rabbit, TrickBot)
3. EternalChampion

All these exploits were leaked by the ShadowBrokers Group, who allegedly stole them from the NSA. Multiple large-scale malware attacks have relied on SMB vulnerabilities to penetrate organizations’ networks. SMB relay attack is a man-in-the-middle attack where the attacker actor asks that victim to authenticate to a machine to a machine controlled by the attacker. The attacker then forwards the authentication information both ways, giving access to the attacker.

1. The attacker is the person who tries to break into the target.
2. The victim is the person who has the credentials.
3. The target is the system that the attacker wants access to, and the victim has credentials.

SMB Vulnerability:

Following are the listed attack scenario:

1. The attacker tricks the victim into connecting to him.
2. The attacker establishes the connection to the target, receives the 8-byte challenge
3. The attacker then sends the 8-byte challenge to the victim
4. The victim then responds to the attacker with the password.
5. Attacker responds to the target’s challenge with victims’ hash
6. Target is then granted access to the attacker.

There are various anomalies and patterns that can be used for network-level detection. WannaCry ransomware attack targeted Windows systems by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It spread like a computer worm infecting 200,000 computers across 150 countries. It’s a fact that most of the SMBs don’t have a password policy in place, which no doubt increases the threat.

How to mitigate the attack?

The best practice to reduce the attack is to regularly assess vulnerabilities SMBs facing, analyzing the secure weak points. Some of the many methods are listed below:

1. Assess the potential: Physical and virtual computing devices shall be assessed including, workstations and laptops, network file servers, corporate firewalls and switches, multi-function printers, and mobile devices.
2. Securing the SMBs: After the assessing, the next step is securing data like – Content filtering the websites safer to visit, email encryption such as end-to-end encryption where a receiver and sender has a decryption key, Data loss prevention outside the company network by regulating what data can be transferred, Backup and disaster recovery – a BDR solution in place that can restore operations quickly.
3. Filtering at the perimeter level of an SMB.
4. Enabling packet signing and Extended protection.

Instead of sharing the files via linking computers through SMBs, use a dedicated file server or a cloud-based offering, configure network printers to use other protocols, and make sure the endpoints are not able to communicate through another SMB. The SMB can be disabled by – Search for ‘Windows Feature‘ in the Windows Search option > Turn Windows Feature on and off > Click on the SMB sharing support > and click OK. Following are few mitigation methods that could be followed as soon as one notices a vulnerability:

1. Install an emergency Windows patch.
2. Install MS17-010: By installing the fix, any systems running a Windows version that didn’t receive a patch should be removed from the networks.
3. Disable SMBv1.
4. Block SMBv1
5. Shut down your computer that will prevent propagation.

It’s an important routine to keep your system updated and up-to-date. Various infections can be avoided with consistent and regular monitoring with essential maintenance. Often organizations/ individuals compromise on the practices of mitigation, which leaves them unprotected to the vulnerabilities- especially when it comes to SMB, it allows infections to spread drastically. Don’t be those organizations/ individuals.

Stay Protected and Stay Updated.

If you are interested in gaining more knowledge in day-to-day life for cyber threats, then you are in the right place at the right time. Catch-up our other articles based on the new-age risks. This brings me back to a recent ransomware – HILDACRYPT. A malicious software ransomware that is designed to encrypt files and prevent victims from accessing them unless they pay a ransom. It’s a disastrous PC threat from the Ransomware family and can intrude on any Windows machine, including XP, Vista, 7.8, and the lastest 10. For more detailed analysis visit here!!!!