Attackers leverage SMB shares for targeted intrusion

Server Message Block (SMB) shares are ubiquitous enough for persistent attackers to abuse them at scale, so much so that ransomware operators favor them.

SMB stands for Server Message Block, and an SMB share refers to a network share created on a server or a computer using the SMB protocol. The SMB protocol is a network file-sharing protocol that allows applications and users to access files, printers, and other resources on a network.

  • Server: The system hosting the shared resources (files, directories, printers) is referred to as the server. This can be a dedicated file server or a computer that shares its resources with other devices on the network.
  • Share: A shared resource, often a directory or folder, is made accessible to other devices on the network. This shared resource is known as an SMB share.
  • Access: Devices on the network, such as computers or other servers, can connect to the SMB share to access the shared files or resources. Access to the share typically requires proper authentication, such as a username and password.

SMB is commonly used in Windows environments for file and printer sharing but is also supported on other operating systems. It facilitates the seamless sharing of files and resources among devices in a networked environment. Users can access files on an SMB share as if they were stored locally on their own devices.

Our research team discovered 276611 IP addresses with open SMB shares and authentication disabled.

IP addresses with open SMB shares

Exposing SMB (Server Message Block) shares with authentication disabled poses a significant security risk: anyone who can reach the host can connect to the share without credentials and potentially exploit it.

This exposure opens systems to unauthorized access, data leakage, and malware propagation. Attackers often target such open SMB shares to gain entry into networks, spread ransomware, or extract sensitive information. In an earlier article (https://cybernews.com/security/checkmate-ransomware-victims/), we covered how Russia-affiliated ransomware targets the SMB file-sharing protocol.

Why do bad actors target SMB shares?

  • Open SMB shares with disabled authentication are an easy target. Bad actors only need to find such a share, connect to it remotely with readily available tools, and then exfiltrate the data, plant malware, or encrypt the files if no additional security is in place.
  • SMB is a widely used protocol for file and printer sharing in Windows and Unix environments. Its prevalence makes it a prime target for attackers seeking to exploit vulnerabilities.
  • Many ransomware attacks involve the encryption of files on network shares, often using SMB to propagate across the network. Attackers may specifically target SMB shares to spread their malware efficiently.
  • Attackers may target SMB shares to gain access to sensitive data stored on network drives and then exfiltrate that data for various malicious purposes, such as selling it on the dark web markets or using it for extortion.

Some history:

  • WannaCry ransomware (2017): One of the most significant incidents involving SMB shares was the WannaCry ransomware attack. WannaCry exploited a vulnerability in the Windows SMB protocol to spread across networks. The ransomware encrypted files on infected systems and demanded a ransom for decryption.
  • NotPetya (2017): NotPetya was another global ransomware attack that used the EternalBlue exploit, which targeted the SMBv1 protocol. The malware spread rapidly through networks, causing widespread disruption and financial losses.
  • Bad Rabbit ransomware (2017): Bad Rabbit was a ransomware attack that used the EternalRomance exploit targeting SMB shares to spread across networks. It affected organizations, particularly in Ukraine and Russia.
  • SMBGhost (2020): The SMBGhost vulnerability (CVE-2020-0796) in the Microsoft Windows SMBv3 protocol allowed remote code execution. Microsoft released a security update to address it. While proof-of-concept exploits were reported, there were no widespread incidents on the scale of WannaCry.

Key takeaways

  • SMB shares are a popular target for ransomware gangs.
  • Authentication disabled in SMB shares means that anyone can connect to the SMB share without authentication. This opens the door to unauthorized users gaining access to sensitive data or resources.
  • Exposed SMB shares put data at risk. Malicious actors can view, modify, or delete files stored on the share, leading to potential data breaches.
  • Open SMB shares are often targeted by malware for propagation. Malicious software can easily spread across the network through these unprotected shares, impacting multiple systems.
  • In the context of ransomware attacks, open SMB shares become attractive targets. Attackers can encrypt files on the share, demanding ransom for decryption keys.

How to protect SMB shares

  • The most effective way to secure open SMB shares is to require strong authentication for every connection, so that only authorized users can reach the shared resources.
  • Enforce strong and unique usernames and passwords for accessing the SMB shares. Avoid using default or easily guessable credentials.
  • Implement encryption for SMB traffic. This can include using SMB over VPN or SMB over HTTPS to protect data in transit and prevent eavesdropping.
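The three recommendations above map onto a handful of server settings. As an added example (not from the article or from any vendor), the script below audits a Samba smb.conf, the SMB server on the Unix hosts the article mentions, for the weaknesses described: shares reachable without authentication, SMBv1 still allowed, and traffic left unencrypted. Both configuration samples are constructed; the weak one is shown beside its hardened form.

```python
# Added example (not from the original article): audit a Samba smb.conf for the weaknesses
# the article names: unauthenticated (guest) shares, SMBv1 allowed, unencrypted traffic.
import configparser
import io

# Constructed sample: an "open share with disabled authentication".
WEAK_SMB_CONF = """
[global]
   map to guest = Bad User
   server min protocol = NT1

[public]
   path = /srv/public
   guest ok = yes
"""

# Constructed sample: the same server after applying the article's recommendations.
HARDENED_SMB_CONF = """
[global]
   map to guest = Never
   server min protocol = SMB3
   server smb encrypt = required

[public]
   path = /srv/public
   guest ok = no
   valid users = @staff
"""

def audit_smb_conf(text):
    """Return (section, finding) tuples for each weakness; an empty list means clean."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)  # Samba uses %U etc.
    parser.read_file(io.StringIO(text))
    g = parser["global"] if parser.has_section("global") else {}
    findings = []
    # Any share with "guest ok = yes" is readable with no credentials at all.
    for section in (s for s in parser.sections() if s != "global"):
        if parser[section].get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append((section, "guest ok = yes: share is reachable without authentication"))
    # "map to guest = Bad User" turns a failed login into a guest session, so wrong passwords still get in.
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "map to guest is not Never: failed logins fall back to guest"))
    # NT1 is the SMBv1 dialect abused by WannaCry and NotPetya; Samba's default floor is SMB2_02.
    if g.get("server min protocol", "SMB2_02").upper() in ("NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"):
        findings.append(("global", "server min protocol allows SMBv1"))
    # Unless encryption is required, share traffic can be read by anyone on the network path.
    if g.get("server smb encrypt", "default").lower() not in ("required", "mandatory"):
        findings.append(("global", "server smb encrypt is not required: traffic may be unencrypted"))
    return findings
```

On a Windows file server the equivalent checks are Get-SmbShareAccess for Everyone or anonymous entries and Get-SmbServerConfiguration for the EnableSMB1Protocol and EncryptData settings.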