PUTTING THE CAT BACK IN THE BAG –
Attackers got a head start when critical SMBv3 flaw details leaked 2 days ago.
Dan Goodin – Mar , 8: 64 PM UTC
Roughly translated, the details mean that attackers with a well-written exploit might be able to read plain-text passwords or other sensitive data and could also obtain a command shell that can be used to take control of the vulnerable machine. EternalBlue — an earlier SMB exploit developed by and later stolen from the National Security Agency — also obtained a read-write capability, which it used to replace an inbound SMB function with a malicious one. That allowed the attacker to execute malicious code the next time a vulnerable machine.

Multiple ways to exploit

The Sophos write-up said malicious hackers could use the exploit in at least three scenarios:
Scenario 1: The attacker targets a machine sharing files. If a user or administrator has changed default settings to open port 445 or disabled the Windows firewall, or if the machine belongs to a Windows Domain, the machine is open to a remote form of attack that allows attackers to take control.
“It goes without saying that any unpatched system with the vulnerable SMB port open to the public Internet could become a target of opportunity for a worm-like outbreak, similar to WannaCry,” members of the SophosLabs offensive security team wrote in Thursday’s blog post. “The mitigating factor is that it requires an attacker with a state-of-the-art exploit that could bypass all the security mitigation Microsoft has built in to Windows 20 and that the target has port / tcp open for incoming connections.”

Scenario 2: An attacker tricks a user into connecting to a malicious server. Attackers could use spammed messages that contain links that, when clicked, cause the vulnerable machine to join the attacker’s malicious network. With that, the attacker would have full control over the machine. A variation: the attacker who already has limited access to a network spoofs a trusted device inside the organization. Machines that use SMBv3 to connect to that spoofed machine are then compromised. When the two variations are combined, this type of attack might be useful in gaining initial access to a targeted network and then pivoting to more privileged or sensitive machines. A disadvantage from the attacker’s standpoint is that these types of exploits require the social engineering of a targeted user.

Scenario 3: An attacker who gains limited access to a vulnerable computer through other means exploits the SMBv3 flaw to run malicious code that has the same system rights as the targeted user. From there, attackers might be able to further elevate privileges to those of SYSTEM. Sophos demonstrated this third attack scenario in the video below:
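For defenders, the practical question raised by Scenario 1 is whether a given Windows host actually matches the exposure conditions the article lists: firewall disabled, an inbound rule admitting TCP 445, SMB listening, and domain membership. The following local audit script is an added example, not code from the Ars Technica article or from Sophos. It assumes Windows 8 / Server 2012 or later so that the NetSecurity and NetTCPIP cmdlets are available, and it reports exposure only; it does not test for the flaw itself.

```powershell
# Added example (not from the article or from Sophos): summarise whether this
# host meets the "Scenario 1" exposure conditions for SMB over TCP 445.
# Assumes Windows 8 / Server 2012 or later (NetSecurity, NetTCPIP, CIM cmdlets).

$report = [ordered]@{}

# 1. Firewall profiles that are turned off, or that allow inbound traffic by default.
$profiles = Get-NetFirewallProfile
$report.DisabledProfiles = ($profiles | Where-Object { -not $_.Enabled }).Name
$report.ProfilesAllowingInboundByDefault =
    ($profiles | Where-Object { $_.DefaultInboundAction -eq 'Allow' }).Name

# 2. Enabled inbound allow rules whose TCP port filter covers 445.
#    Note: LocalPort may be 'Any', a list of ports, or a range string such as
#    '1-65535'; ranges are not parsed here and would need extra handling.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
$allow445 = foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -eq 'TCP' -and
        ($portFilter.LocalPort -eq 'Any' -or $portFilter.LocalPort -contains '445')) {
        $rule.DisplayName
    }
}
$report.InboundRulesAllowing445 = $allow445

# 3. Is anything (normally the SMB server) listening on TCP 445 right now?
$report.ListeningOn445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
    -ErrorAction SilentlyContinue)

# 4. Domain membership, which the article notes widens exposure.
$report.DomainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# 5. Overall verdict: reachable SMB service plus a path through the firewall.
$report.Scenario1Exposure =
    $report.ListeningOn445 -and
    ($report.DisabledProfiles.Count -gt 0 -or
     $report.ProfilesAllowingInboundByDefault.Count -gt 0 -or
     $report.InboundRulesAllowing445.Count -gt 0)

[pscustomobject]$report | Format-List
```

Run it in an elevated PowerShell session (firewall and connection queries need administrator rights). A `Scenario1Exposure` value of `True` means the host is at least reachable on 445 from whatever networks its firewall profiles apply to; whether that is the public Internet still depends on the upstream network, so treat the output as a prompt to verify patch state and perimeter filtering rather than as proof of safety.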