© 2022 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

Revisiting Eternal vulnerabilities amid Halloween horror

Halloween may not be the only scary event enterprises need to start planning for, as a looming threat still slithers in the shadows of the past, waiting for the right time to catch its victims unaware.

While 2017 may remain in the rearview mirror for most, many internet-facing systems across the globe remain susceptible to one of the most impactful vulnerabilities from this time period. The family of vulnerabilities I’m referring to is SMB worms like ‘Indexsinas,’ which leverage elements of the EternalBlue, EternalRomance, and EternalSynergy vulnerabilities to obtain network access, then spread through other environments to execute ransomware or crypto-mining attacks.

Recent insights provided by IBM in 2022 indicate a cyber breach will cost a business, on average, $4.5 million USD per occurrence. IBM generated this data from a review of 500 impacted businesses in over a dozen countries and an equal number of industries. A majority of businesses surveyed experienced repeat breaches and unwanted price increases, which they eventually put onto their customers.

Why is this still happening five years later?

Primary reasons as to why this continues happening involve decisions to implement or perpetuate insecure network architectures and protocols that communicate to or between workstations, like SMB, that allow unnecessary file sharing.

Controls businesses can implement to reduce the chance of inbound SMB vulnerabilities include outright disablement of the protocol on the network for workstations but may also include use of Artificial Intelligence (AI) threat-hunting tools, Extended Detection and Response (XDR) solutions and ongoing security assessment solutions like Continuous Penetration Testing (CPT).

Report of global assets
Figure 1 – Shodan reporting over 6600+ global assets vulnerable to SMB exploitation as of September 2022.

The composition of attacks

How exactly do these attacks continue to be perpetrated? Cybercriminals still enjoy abusing open inbound SMB ports on workstations or servers, which remain vulnerable to the ‘Eternal-family’ line of vulnerabilities.

These attacks are successfully executed by accessing open Windows SMB Shares, editing SMB session values, then using anonymous connections to obtain SYSTEM or administrator-level access on the victim. These attacks also work when cyber criminals obtain shellcode access on targets advertising an Active Directory port; traditionally TCP port 139 or 445, which may not require these SMB ports to be available. SMB worms like ‘Indexsinas,’ implement an entire Command and Control (C2) framework, which allows self-propagation, elimination of any competitive malware or exploits already present and anti-forensic capabilities that remove traces of its presence after successful execution. A very simplistic infographic of how Eternal-family SMB vulnerabilities are exploited is outlined below.

How Eternal-family SMB vulnerabilities are exploited
Figure 2 – A basic kill chain employed by the ‘Indexsinas’ SMB worm which leverages a Command & Control framework paired with a Remote Access Trojan (RAT).

Campaigns like ‘Indexsinas’ have produced recent breach reports, with activity being reported as recently as October 2021. As showcased above, vulnerable SMB hosts are easily discoverable using tools like Shodan to start the attack process. SMB worm campaigns are then launched, which rely on obtaining an initial foothold on a victim, combining social engineering and/or use of Eternal Blue (MS17-010), Eternal Synergy (CVE-2017-0143), and Double Pulsar (CVE-2017-0144) SMB vulnerabilities for exploitation. These chained exploits leverage integer overflows to enable a buffer overflow, which further enables memory heap spraying to achieve shell code execution and gain system control.

The Eternal Synergy vulnerability may also be used to query for Anonymous SMB Pipe(s) on compromised targets allowing SMB session data to be overwritten, providing attackers SYSTEM level access. Cybercriminals will then typically leverage the available attack pathways provided to them via inbound SMB access on workstation as a lateral movement vector using administrative SMB shares such as C$ or Admin$. The attack process is then repeated on as many hosts in which there are available connections, allowing widespread damage in a short period of time.

How to reduce the chances of SMB worm attacks?

Pivoting from how SMB attacks are planned and executed, it is useful to understand some of the mitigating controls to reduce the chances of SMB worm attacks, starting with outright prevention of SMB protocol communications. Inbound SMB port access to workstations is not absolutely essential for a functional file or print sharing. Suitable alternatives exist via the NFS or WebDAV protocols and remote support tools. SMB file shares and printing are optimally positioned when done from dedicated file servers and/or Active Directory Domain Controllers (i.e., SYSVOL). Remote management of workstations can be successfully accomplished using non-SMB ports or vendor tools that eliminate the need for inbound SMB on workstations using solutions like TeamViewer or NinjaOne.

Using TeamViewer for example, the need to manage end-user workstations using inbound SMB ports is avoided by leveraging https-tunneling via RSA key exchange and AES 256-bit symmetric key encryption. The process to securely connect an administrative client (Client A) to a remotely managed client (Client B) is accomplished using the following steps depicted in the below infographic:

Cryptographic key communication process for remote management
Figure 2 – A basic cryptographic key communication process for remote management using TeamViewer.
  1. Both connecting clients generate a private and public key using RSA 2048-bit security. The public key for both clients is sent to the TeamViewer Server for use in all future connections between clients.
  2. Client A requests the public key of Client B from the Team Viewer Server.
  3. The Team Viewer Server sends Client A the requested public key of Client B.
  4. A set of symmetrical keys used for encrypted management connections are sent first by Client A to Client B, encrypted by the public key of Client B and signed by the private key of Client A.
  5. Client B repeats step 2 above but in reverse, requesting the public key of Client A in order to authenticate Client A.
  6. Once Client B authenticates Client A, the symmetric keys are decrypted and secure https communications are established between the 2 clients providing remote management capabilities.

SBM risks: monitoring and mitigating for companies

Assuming the enterprise does remove inbound SMB on workstations and implements remote management tools via non-SMB protocols, how can it gain assurances that SMB related risks are sufficiently monitored? Frequency based vulnerability scanning, annual penetration testing, or routine control assessments are fantastic approaches for managing enterprise security and adding defense in depth. The potential downfalls associated with these approaches lie in their infrequent execution which may leave businesses exposed to critical security risks for extended periods of time.

An innovative approach starting to emerge in the cybersecurity space which allows businesses to better manage risks related to SMB worms is CPT or Continuous Penetration Testing. The below table distinguishes key differences between traditional approaches to managing threats like SMB worms and the added benefits of adopting CPT practices within the enterprise cybersecurity program.

Managing Security Risk without CPTManaging Security Risk with CPT
Vulnerability assessments are performed ad-hoc without predictable.Vulnerability assessments are performed on a defined schedule, with detailed parameters, and known constraints.
Security exercises concentrate on use of outdated adversary tools, techniques and procedures.Security exercises focus on cutting edge tools and techniques used by adversaries.
Risk exposures are extended and are more likely to produce unplanned work and increased costs to remediate findings. Minimized risk exposure, costs and unplanned work due to more frequent security exercises.
Greater compliance risk due to decreased availability of intelligence regarding current security posture.Lesser compliance risk due to more frequent dissemination of the business security posture.
Decreased agility in responding to system or environment changes.Increased agility in responding to system or environment changes.

Once inside the enterprise, SMB worms can be a slimy, slippery mess that can get out of hand quickly. It’s best to stop them at the source and ensure the enterprise stays free of any infections or problems they may cause.

Enterprises can reduce these risks by adopting avoidance strategies like disallowing SMB on workstations and leveraging alternative protocols like NFS or remote support tools like TeamViewer. Finally, Continuous Penetration Testing (CPT) helps augment the current security control landscape implemented by the business. Adopting cutting-edge approaches like CTP allows security teams to spend less effort managing cyber risks while returning greater assurances to the enterprise that business risks are adequately managed and effectively reduced.

More from Cybernews:

DJI drone tracking data exposed in US

Russia can still opt for crypto to evade sanctions, report suggests

Australia's large health insurance company reports cyberattack

Online retailers targeted by refund fraudsters, report warns

Netflix opens its first multi-title pop-up store in Los Angeles

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are marked