The New SMBGhost Wormable Vulnerability is Gaining Popularity in the Dark Web

The New SMBGhost Wormable Vulnerability is Gaining Popularity in the Dark Web

On March 10, 2020, details about a zero-day vulnerability (CVE-2020-0796) affecting the Microsoft Server Message Block (SMB) protocol were accidentally exposed by security companies. SMB is a network communication protocol responsible for granting shared access to files, printers and serial ports between the different devices on the network.

In this blog post we reveal some of the activities we identified in the dark web and explain why this specific vulnerability has the potential to become a “wormable” attack that can spread fast.

The CVE-2020-0796 vulnerability, which received the moniker SMBGhost, is a buffer overflow vulnerability that exists due to an error in the way the vulnerable protocol handles a maliciously crafted compressed data packet. It could be exploited by a remote, unauthenticated attacker to execute arbitrary code and gain control over vulnerable systems.

In addition, researchers noted the vulnerability could be exploited in a “wormable” attack, in which an attacker could easily and quickly move from one victim on the network to another. In this aspect, this vulnerability resembles the “wormable” CVE-2017-0144 vulnerability, which also affected an earlier version of the SMB protocol (SMBv1) and was exploited during the massive WannaCry and NotPetya ransomware outbreaks in 2017, using the EternalBlue exploit allegedly developed by the NSA and leaked by the Shadow Brokers hacking group in April 2017.

Will the SMBGhost vulnerability lead to cyber-attacks in the magnitude of WannaCry and NotPetya? We don’t know yet. What we do know is that the world is currently in a very different and much more vulnerable place, with the Coronavirus outbreak sending millions of employees to work remotely, in a much less secure environment. The balance between risk and security has shifted. 

Time to Patch SMBGhost

As the vulnerability only affects SMBv3, which is the latest version of the SMB protocol that exists only in recent versions of the Windows operation system, only Windows 10 and Windows Server 2019 versions of the OS are vulnerable, and specifically the following builds of both OS versions: 1903 and 1909.

The vulnerability was patched by Microsoft shortly after its publication, with the release of a security update on March 12, 2020.

Users are urged to install the relevant security update issued by Microsoft. However, if installing the patch is currently not possible, the company advises to disable SMBv3 compression using the following PowerShell command:

PowerShell Command

Unfortunately, prioritizing patching is always a challenge. Considering the fact that most IT departments in any organization nowadays, are currently occupied by ensuring employees are able to work remotely, in order to maintain business continuity, it is possible that patching will not be a first priority.

Discovered PoC Exploits

Since the vulnerability was made public, various repositories connected to the vulnerability have been created on GitHub. Many of these contain scanner scripts for detecting vulnerable systems.

In addition, several repositories containing PoC exploits for the vulnerability were also identified. One such repository contains a PoC written in Python that supports SMBv3.1.1. This PoC targets Windows 10 systems running the 1903/1909 build.

According to our analysis, this PoC triggers a buffer overflow and crashes the kernel, but could be modified into a remote code execution exploit. We identified additional similar PoC exploits on GitHub, all of which would eventually cause the targeted system to crash. However, none of the exploits we observed allow remote code execution.

Description of the PoC

Dark Web Discussions

Right after details of the SMBGhost vulnerability were published, discussions about the vulnerability emerged on different Dark Web platforms, where the vulnerability is also dubbed CoronaBlue (possibly a paraphrase on the EternalBlue exploit and the current Coronavirus pandemic outbreak). At first, we mainly observed the sharing of publicly available reports about the vulnerability.

News Reports about the SMBGhost Vulnerability Shared on a Russian Dark Web Forum
Source: Verint LUMINAR

However, threat actors soon started expressing their interest in a working PoC. For instance, on March 11, 2020, a member of a hacking-related Discord channel asked how many GitHub repositories containing fake exploit codes for CVE-2020-0796 exist (since it is not uncommon to find fake repositories allegedly containing exploit codes circulating on the Web after a new zero-day vulnerability is revealed). One of the replies he got was that it “would be good” to have a working PoC, and another member shared a link to a scanning tool for tracking vulnerable systems, which is publicly available on GitHub. That same scanner was also shared on a Russian forum, and an additional scanner on GitHub was shared in a Persian Telegram channel. Furthermore, our researchers have found multiple discussions in different underground forums, where users are trying to find exploit kits for the CVE-2020-0796 SMBv3 vulnerability.

Our research team will continue to monitor the new SMBGhost vulnerability and the threat actors that express interest in the vulnerability and in obtaining a working PoC exploit for it. As several PoC exploit codes have been made available on GitHub, it is possible we will soon witness exploitation attempts. Although none of the currently available PoC codes could allow the attacker to remotely execute arbitrary code on targeted systems, these exploits could be modified to enable remote code execution, and potentially constitute a more serious threat. Furthermore, the fact this vulnerability could be leveraged in a “wormable” attack, stresses the importance and the urgency of applying the relevant patch.

Avatar

Author: Verint Cyber Threat Intelligence Research Team

Verint’s Cyber Threat Intelligence (CTI) research team (formerly SenseCy) is comprised of handpicked expert analysts, many of whom are ex-military intelligence, with years of experience in cyber threat intelligence and analysis. Our research team monitors, analyzes and validates threat actors’ malicious activities on platforms such as social networks, mobile applications, Deep Web sites, Dark Web marketplaces, hacker forums, IRC channels, global CVEs and external threat intelligence generated by leading security providers. The Research team regularly produces threat alerts and intelligence reports based on region, industry and organization-specific threats, including in-depth analysis, actionable recommendations, IoCs and more, to proactively identify and mitigate threats before they materialize, to enhance resilience and prevent future attacks