Is Microsoft SMBv1 still a threat to your data?
Yes I know, this looks like another blog about Microsoft SMBv1, WannaCry, ransomware, etc.
But with any discussion of vulnerable servers using SMBv1, it’s hard to avoid. Not to mention, our research shows it’s not the only risk. So please bear with me – it’s a blog, it’s short!
Over late 2016 and early 2017, threat actors known as The ShadowBrokers leaked offensive hacking tools obtained from the Equation Group, a group which multiple independent assessments link to the U.S. National Security Agency (NSA).
A few of these tools were subsequently integrated into various malware, with the pinnacle reached in May and June 2017, when the WannaCry ransomware and NotPetya/Nyetya wiper attacks infected or destroyed hundreds of thousands of computers worldwide. Which you know, unless you’ve been living under a rock for the past three years…
The attacks exploited a vulnerability in SMBv1 to spread their malware rapidly across networks with vulnerable hosts — both also used Mimikatz, a password-grabbing tool, to proliferate. The adapted version of the ETERNALBLUE exploit used in the attacks combined with a second NSA tool, DOUBLEPULSAR, to allow remote arbitrary code execution and deliver the WannaCry payload. The end result: encrypted computers for hundreds of thousands of victims, companies, and governments, in close to 150 countries, and international headlines (there’s that rock again…).
If you’re thinking, “Yes, I know a lot of servers still run SMBv1. Yes, it should be patched. Yes, the remaining vulnerable owners are playing with fire, but I’m not one of them.” Well, you may be right — Microsoft SMBv1 is still a threat.
The popular tool Shodan, which is accessible to everyone, and a Rapid7 report show that in March 2020, between 500,000 and 1.3 million devices ran SMB services, with only around 343k devices using SMBv1 with authentication disabled (Shodan query). Of those, the vast majority ran Unix OSs, not Windows, though Unix/Linux has its own vulnerability similar to the one used in WannaCry. This is a net improvement on Rapid7 and Shodan statistics from 2017, when between 2.3 and 5.5 million devices were running SMB services, and, when that number dropped to between 700,000 and 1.7 million.
Not quite eradication, nor does it eliminate the risk of variants or new malware families using the same exploits. It is, however, an improvement, especially when WannaCry has been effectively put out of action (beyond just Hutchins’ sinkhole).
Well done sys admins (and some rather good-hearted individual/s)!
But ransomware is not the only SMB threat
While WannaCry and NotPetya legitimately garnered the vast majority of attention, another risk continues to go somewhat under the radar:
Unauthenticated access to documents shared via the SMB protocol can be equally damaging to organizations.
Another attack using the same method as WannaCry is highly unlikely, but back in 2017, 42% of servers with open SMB ports also allowed guest access to their data. However, Microsoft SMBv1 is still a threat. Today, CybelAngel regularly detects and alerts its clients to SMB servers publicly hosting thousands of sensitive documents. (2.7M SMB services with authentication disabled, between August 1, 2019 and August 10, 2020. CybelAngel tools.)
The crackdown on SMB ports following WannaCry and NotPetya was strong on internal company networks. But the servers we identify often belong to third-parties and suppliers, outside the perimeter and control of the company, as well as individual persons using Windows devices.
Cybersecurity risks posed by third-parties and company supply chains continue to rank high in executives’ minds. The Risk in Focus 2019 report by the European Confederation of Institutes of Internal Auditors showed “cybersecurity is considered the biggest risk to their organizations,” including that of their third parties.
This is not new or news, but the growing awareness that monitoring can and should extend beyond their internal infrastructure is. To paraphrase a section of the report, as organizations have sorted their internal security, concerns about their external footprint have increased.
Whether through direct attack on suppliers, weaker security measures from these same suppliers, or moves to integrate cloud infrastructure to reduce costs, the number of exposure points of sensitive data has increased. Conjointly, a supply chain and third parties are necessary functions in today’s interconnected world — this ensures the risk will not disappear. Saying it one more time, “Microsoft SMBv1 is still a threat.”
Yeah, Great. “So What?” I Hear You Say. The Suggested Actions
“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.”
There are numerous excellent (and more technical) blogs detailing monitoring and remediation steps for securing SMB ports. This is a quick recap:
- In general, patch the damn software. Regularly, while making sure you can roll back any issues.
- Disable unauthenticated/guest/anonymous SMB access, which is what allows us (and others) to find your sensitive documents.
- If you do not need SMB, don’t keep it open… Block ports 139 and 445 on your network perimeter.
- If you need it, prioritize the upgrade to v2 or v3. It is standard on Windows 10, and SMBv1 is no longer supported by Windows. Also, you would finally put @NerdPyle out of his misery.
- Back up your data – securely, on a server with correctly configured authentication and solid encryption.
- Invest in a security solution that will scan that pesky external perimeter for data leaks. And, ensure your suppliers match your level (cheeky pitch here, we know).
And on that, good luck with your SMB infrastructure!
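An added example, not part of the original post: a small Python audit of a Samba `smb.conf` for two of the items above (guest access and SMBv1), taking the Samba case because the post notes that most exposed devices ran Unix. The sample configuration is constructed, and `include` directives and line continuations are not handled.

```python
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
YES = {"yes", "true", "1"}  # boolean spellings smb.conf accepts

def norm(name):
    """Samba ignores case and all whitespace in section and parameter names."""
    return "".join(name.lower().split())

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[norm(name)] = value.strip()
    return sections

def audit(text):
    """Return (section, finding) pairs for SMBv1 and guest-access exposure."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    proto = glob.get(norm("server min protocol"), glob.get(norm("min protocol")))
    if proto is None:
        findings.append(("global", "server min protocol unset: default depends on Samba version"))
    elif proto.upper() in SMB1_DIALECTS:
        findings.append(("global", f"SMBv1 still negotiable (server min protocol = {proto})"))
    mapping = glob.get(norm("map to guest"), "Never")
    if mapping.lower() != "never":
        findings.append(("global", f"failed logins may become guest sessions (map to guest = {mapping})"))
    # Share-level parameters set in [global] act as defaults for every share.
    default_guest = glob.get(norm("guest ok"), glob.get("public", "no"))
    for name, params in conf.items():
        if name == "global":
            continue
        guest = params.get(norm("guest ok"), params.get("public", default_guest))
        if guest.lower() in YES:
            findings.append((name, "share accepts guest connections (guest ok = yes)"))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = ("[global]\n  server min protocol = NT1\n  map to guest = Bad User\n"
          "[scans]\n  path = /srv/scans\n  guest ok = yes\n"
          "[finance]\n  path = /srv/finance\n  valid users = @finance\n")

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"[{section}] {finding}")
```

A configuration with `server min protocol = SMB2_02` or higher, `map to guest = Never` and no `guest ok = yes` shares produces no findings.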