#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

smb vulnerability | Breaking Cybersecurity News | The Hacker News

SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol

SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol

Jun 09, 2020
Cybersecurity researchers today uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed "wormable" bug, the flaw can be exploited to achieve remote code execution attacks. Dubbed " SMBleed " ( CVE-2020-1206 ) by cybersecurity firm ZecOps, the flaw resides in SMB's decompression function — the same function as with SMBGhost or EternalDarkness bug ( CVE-2020-0796 ), which came to light three months ago, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks. The newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly Patch Tuesday updates for June . The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week warning Windows 10
Critical Patch Released for 'Wormable' SMBv3 Vulnerability — Install It ASAP!

Critical Patch Released for 'Wormable' SMBv3 Vulnerability — Install It ASAP!

Mar 12, 2020
Microsoft today finally released an emergency software update to patch the recently disclosed very dangerous vulnerability in SMBv3 protocol that could let attackers launch wormable malware , which can propagate itself from one vulnerable computer to another automatically. The vulnerability, tracked as CVE-2020-0796 , in question is a remote code execution flaw that impacts Windows 10 version 1903 and 1909, and Windows Server version 1903 and 1909. Server Message Block (SMB), which runs over TCP port 445, is a network protocol that has been designed to enable file sharing, network browsing, printing services, and interprocess communication over a network. The latest vulnerability, for which a patch update ( KB4551762 ) is now available on the Microsoft website, exists in the way SMBv3 protocol handles requests with compression headers, making it possible for unauthenticated remote attackers to execute malicious code on target servers or clients with SYSTEM privileges. Compre
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Warning — Unpatched Critical 'Wormable' Windows SMBv3 Flaw Disclosed

Warning — Unpatched Critical 'Wormable' Windows SMBv3 Flaw Disclosed

Mar 11, 2020
Shortly after releasing its monthly batch of security updates , Microsoft late yesterday separately issued an advisory warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting Server Message Block 3.0 ( SMBv3 ) network communication protocol. It appears Microsoft originally planned to fix the flaw as part of its March 2020 Patch Tuesday update only, but, for some reason, it pulled the plug at the last minute, which apparently did not stop a tech company from accidentally leaking the existence of the unpatched flaw. The yet-to-be patched flaw (tracked as CVE-2020-0796 ), if exploited successfully, could allow an attacker to execute arbitrary code on the target SMB Server or SMB Client. The belated acknowledgment from Microsoft led some researchers to call the bug " SMBGhost ." "To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
FBI issues alert over two new malware linked to Hidden Cobra hackers

FBI issues alert over two new malware linked to Hidden Cobra hackers

May 30, 2018
The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware being used by the prolific North Korean APT hacking group known as Hidden Cobra. Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world. The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack , as well as the SWIFT Banking attack in 2016. Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world. The malware Hidden Cobra is
Flaw in Microsoft Outlook Lets Hackers Easily Steal Your Windows Password

Flaw in Microsoft Outlook Lets Hackers Easily Steal Your Windows Password

Apr 12, 2018
A security researcher has disclosed details of an important vulnerability in Microsoft Outlook for which the company released an incomplete patch this month —almost 18 months after receiving the responsible disclosure report. The Microsoft Outlook vulnerability (CVE-2018-0950) could allow attackers to steal sensitive information, including users' Windows login credentials, just by convincing victims to preview an email with Microsoft Outlook, without requiring any additional user interaction. The vulnerability, discovered by Will Dormann of the CERT Coordination Center (CERT/CC), resides in the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) email message is previewed and automatically initiates SMB connections. A remote attacker can exploit this vulnerability by sending an RTF email to a target victim, containing a remotely-hosted image file (OLE object), loading from the attacker-controlled SMB server. Since Microsoft Outlook a
Bad Rabbit Ransomware Uses Leaked 'EternalRomance' NSA Exploit to Spread

Bad Rabbit Ransomware Uses Leaked 'EternalRomance' NSA Exploit to Spread

Oct 27, 2017
A new widespread ransomware worm, known as " Bad Rabbit ," that hit over 200 major organisations, primarily in Russia and Ukraine this week leverages a stolen NSA exploit released by the Shadow Brokers this April to spread across victims' networks. Earlier it was reported that this week's crypto-ransomware outbreak did not use any National Security Agency-developed exploits, neither EternalRomance nor EternalBlue , but a recent report from Cisco's Talos Security Intelligence revealed that the Bad Rabbit ransomware did use EternalRomance exploit. NotPetya ransomware (also known as ExPetr and Nyetya) that infected tens of thousands of systems back in June also leveraged the EternalRomance exploit , along with another NSA's leaked Windows hacking exploit EternalBlue, which was used in the WannaCry ransomware outbreak. Bad Rabbit Uses EternalRomance SMB RCE Exploit Bad Rabbit does not use EternalBlue but does leverage EternalRomance RCE exploit to spread
IPS as a Service Blocks WannaCry Spread Across the WAN

IPS as a Service Blocks WannaCry Spread Across the WAN

Aug 14, 2017
One of the most devastating aspects of the recent WannaCry ransomware attack was its self-propagating capability exploiting a vulnerability in the file access protocol, SMB v1. Most enterprises defences are externally-facing, focused on stopping incoming email and web attacks. But, once attackers gain a foothold inside the network through malware, there are very few security controls that would prevent the spread of the attack between enterprise locations in the Wide Area Network (WAN). This is partly due to the way enterprises deploy security tools, such as IPS appliances, and the effort needed to maintain those tools across multiple locations. It's for those reasons Cato Networks recently introduced a context-aware Intrusion Prevention System (IPS) as part of its secure SD-WAN service . There are several highlights in this announcement that challenge the basic concept of how IT security maintains an IPS device and sustains the effectiveness of its protection. Cato Network
WannaCry Inspires Banking Trojan to Add Self-Spreading Ability

WannaCry Inspires Banking Trojan to Add Self-Spreading Ability

Aug 02, 2017
Although the wave of WannaCry and Petya ransomware has now been slowed down, money-motivated hackers and cyber criminals have taken lessons from the global outbreaks to make their malware more powerful. Security researchers have now discovered at least one group of cyber criminals that are attempting to give its banking Trojan the self-spreading worm-like capabilities that made recent ransomware attacks go worldwide. The new version of credential stealing TrickBot banking Trojan, known as " 1000029 " ( v24 ), has been found using the Windows Server Message Block (SMB)—that allowed WannaCry and Petya to spread across the world quickly. TrickBot is a banking Trojan malware that has been targeting financial institutions across the world since last year. The Trojan generally spreads via email attachments impersonating invoices from a large unnamed "international financial institution," but actually leads victims to a fake login page used to steal credenti
Microsoft to Remove SMBv1 Protocol in Next Windows 10 Version (RedStone 3)

Microsoft to Remove SMBv1 Protocol in Next Windows 10 Version (RedStone 3)

Jun 20, 2017
The Server Message Block version 1 (SMBv1) — a 30-year-old file sharing protocol which came to light last month after the devastating WannaCry outbreak — will be removed from the upcoming Windows 10 (1709) Redstone 3 Update. The SMBv1 is one of the internet's most ancient networking protocols that allows the operating systems and applications to read and write data to a system and a system to request services from a server. The WannaCry ransomware , which wreaked havoc last month, was also leveraging an NSA's Windows SMB exploit, dubbed EternalBlue , leaked by the Shadow Brokers in its April data dump. The WannaCry ransomware menace shut down hospitals , telecommunication providers, and many businesses worldwide, infecting hundreds of thousands of unpatched Windows servers running SMBv1 in more than 150 countries within just 72 hours on 12th of May. Although Microsoft patched the vulnerability in SMBv1 in March in MS17-010 , the company meanwhile strongly advised us
7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

May 25, 2017
A 7-year-old critical remote code execution vulnerability has been discovered in Samba networking software that could allow a remote attacker to take control of an affected Linux and Unix machines. Samba is open-source software (re-implementation of SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS. Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network shared folders, files, and printers with Windows operating system. The newly discovered remote code execution vulnerability ( CVE-2017-7494 ) affects all versions newer than Samba 3.5.0 that was released on March 1, 2010. "All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba wrote in an advisory published Wed
Newly Found Malware Uses 7 NSA Hacking Tools, Where WannaCry Uses 2

Newly Found Malware Uses 7 NSA Hacking Tools, Where WannaCry Uses 2

May 22, 2017
A security researcher has identified a new strain of malware that also spreads itself by exploiting flaws in Windows SMB file sharing protocol, but unlike the WannaCry Ransomware that uses only two leaked NSA hacking tools , it exploits all the seven. Last week, we warned you about multiple hacking groups exploiting leaked NSA hacking tools, but almost all of them were making use of only two tools: EternalBlue and DoublePulsar. Now, Miroslav Stampar, a security researcher who created famous 'sqlmap' tool and now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks , which is more dangerous than WannaCry and has no kill-switch in it. Unlike WannaCry, EternalRocks seems to be designed to function secretly in order to ensure that it remains undetectable on the affected system. However, Stampar learned of EternalRocks after it infected his SMB honeypot . The NSA exploits used by EternalRocks, which Stampar called " Do
Weeks Before WannaCry, Cryptocurrency Mining Botnet Was Using Windows SMB Exploit

Weeks Before WannaCry, Cryptocurrency Mining Botnet Was Using Windows SMB Exploit

May 16, 2017
A security researcher has just discovered a stealthy cryptocurrency-mining malware that was also using Windows SMB vulnerability at least two weeks before the outbreak of WannaCry ransomware attacks. According to Kafeine, a security researcher at Proofpoint , another group of cyber criminals was using the same EternalBlue exploit , created by the NSA and dumped last month by the Shadow Brokers, to infect hundreds of thousands of computers worldwide with a cryptocurrency mining malware called ' Adylkuzz .' This malicious campaign went unnoticed for weeks because unlike WannaCry , this malware does not install ransomware or notify victims, but instead, it quietly infects unpatched computers with malware that only mine ' Monero ,' a Bitcoin-like cryptocurrency. This Malware Saves Computers From Getting Hacked By WannaCry The Researcher believes Adylkuzz malware attack could be larger in scale than WannaCry ransomware attack because it has been designed to blo
WannaCry Ransomware: Everything You Need To Know Immediately

WannaCry Ransomware: Everything You Need To Know Immediately

May 15, 2017
By now I am sure you have already heard something about the WannaCry ransomware , and are wondering what's going on, who is doing this, and whether your computer is secure from this insanely fast-spreading threat that has already hacked nearly 200,000 Windows PCs over the weekend. The only positive thing about this attack is that — you are here — as after reading this easy-to-understandable awareness article, you would be so cautious that you can save yourself from WannaCry, as well as other similar cyber attacks in the future. Also Read — Google Researcher Finds Link Between WannaCry Attacks and North Korea . Since this widely spread ransomware attack is neither the first nor the last one to hit users worldwide, prevention is always the key to protect against such malware threats. What is WannaCry? How to Protect your Computer from WannaCry Ransomware? Follow These Simple Steps. TWEET THIS In this article, we have provided some of the most important primary secu
WannaCry Kill-Switch(ed)? It’s Not Over! WannaCry 2.0 Ransomware Arrives

WannaCry Kill-Switch(ed)? It's Not Over! WannaCry 2.0 Ransomware Arrives

May 13, 2017
Update —  After reading this article, if you want to know, what has happened so far in past 4 days and how to protect your computers from WannaCry, read our latest article " WannaCry Ransomware: Everything You Need To Know Immediately . "  If you are following the news, by now you might be aware that a security researcher has activated a "Kill Switch" which apparently stopped the WannaCry ransomware from spreading further. But it's not true, neither the threat is over yet. However, the kill switch has just slowed down the infection rate. Updated:  Multiple security researchers have claimed that there are more samples of WannaCry out there, with different 'kill-switch' domains and without any kill-switch function, continuing to infect unpatched computers worldwide (find more details below). So far, over 237,000 computers across 99 countries around the world have been infected, and the infection is still rising even hours after the kill swit
Cybersecurity Resources