This vulnerability in Windows was first discovered 20 Years ago:
The critical bug, dubbed "Redirect to SMB," is a variant of a vulnerability found in Windows by researcher Aaron Spangler nearly 18 years ago that caused Windows to expose a user's Windows username and password automatically.
However, according to researchers at security firm Cylance who discovered the flaw, this weakness in Windows was never patched by Microsoft, as Microsoft says that this flaw is not worth focusing on, and, therefore...
...This results in a new hack that targets the SMB file sharing protocol.
But, What is SMB?
SMB, or Server Message Block, is a protocol that allows users to share files over a network. In Windows operating systems, SMB is often used by companies and organizations to share files from one server across their entire network.
Now, how this SMB protocol is exploited by hackers?
While requesting a file from the server, Windows will automatically attempt to authenticate to the SMB server by providing the system users' credentials to the server.
How "Redirect to SMB" attack works?
Any method used by an attacker to force victims to try to authenticate to an attacker-controlled SMB server, simply describes the Redirect to SMB attack.
So, an attacker only needs to intercept this HTTP request, which can be easily done using Man-in-the-Middle (MITM) attack, and then redirect the victim to a malicious SMB server controlled by the attacker.
When a victim inputs a URL that starts with the word "file://" or clicks on a malicious link, Windows believes that the user is trying to gain access to a file on a server.
Because of this vulnerability, Windows will automatically attempt to authenticate itself to the malicious SMB server by providing the user's login credentials to the server.
This could allow a malicious hacker to steal victims' Windows username, domain as well as the typically hashed password, which, Cyclance claims, could be cracked by an attacker with a high-end GPU in less than half a day.
What does Microsoft say about the issue?
Microsoft officials downplayed the Cylance "discovery" and the seriousness of the flaw on Monday, saying that the issue was not new at all, and the chances of falling victim to this attack are little.
"We do not agree with Cylance's claims of a new attack type. Cybercriminals continue to be engaged in a number of nefarious tactics," a Microsoft spokesperson released a statement on Monday.
"However, several factors would need to come together for this type of cyber attack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they do not recognize or visiting unsecure sites."
Who are affected?
Cyclance claims that nearly 31 programs are vulnerable to the SMB flaw, which includes:
- Many widely used applications: Adobe Reader, Apple QuickTime and Apple Software Update that handles iTunes updates
- Microsoft Applications: Internet Explorer, Windows Media Player, Excel 2010, and even Microsoft Baseline Security Analyzer
- Developer Tools: Github for Windows, PyCharm, IntelliJ IDEA, PHP Storm and JDK 8u31's installer
- Security Tools: .NET Reflector and Maltego CE
- Antivirus Software: Symantec's Norton Security Scan, AVG Free, BitDefender Free and Comodo Antivirus
- Team Tools: Box Sync and TeamViewer
How do you protect yourself against this flaw?
- The simplest way to protect against this issue is to block outbound traffic from TCP 139 and TCP 445. This could be prevented using a network gateway firewall to prevent only SMB communications to destinations outside of your network.
- Apply applicable and up-to-date software patches from vendors.
- Use strong passwords so that it requires a larger time for brute forcing of any hashing algorithms.
