New ‘Redirect to SMB’ Attack Method Detected

A new vulnerability that allows attackers to redirect users to malicious SMB servers and steal user credentials was discovered. It is based on an older vulnerability and on an older authentication method (NTLMv2) used for passing credentials over SMB. If the attacker holds a man-in-the-middle (MITM) position, they can force the victim to authenticate to a malicious SMB server. Additionally, if an attacker can trick a user into visiting a malicious web page, they can force the user’s computer to connect to a malicious SMB server.

Additional Information can be found at https://www.kb.cert.org/vuls/id/672268.

Recommendations

  • Block all outbound connections on TCP ports 139 and 445 from leaving the network
  • Use strong password policies

Systems Affected

  • Windows operating systems, including Windows 10
  • Windows API Functions
    • URLDownloadA
    • URLDownloadW
    • URLDownloadToCacheFileA
    • URLDownloadToCacheFileW
    • URLDownloadToFileA
    • URLDownloadToFileW
    • URLOpenStream
    • URLOpenBlockingStream
  • Tablets running Windows OS

Vulnerable Versions

All versions of Windows including Windows 10

Patches

At this time Microsoft has not released a patch for Redirect to SMB.

Alert Detection

The Masergy Threat Intelligence Team has deployed the following alerts to detect exploitation of this vulnerability.

COMP:REDIRECT-SMB1

Detected a malicious web server issuing a command to redirect the user to an SMB server (HTTP 302). This is a likely attempt to exploit the “Redirect to SMB” vulnerability in order to obtain the user’s credentials.

COMP:REDIRECT-SMB2

Detected a malicious web server issuing a command to redirect the user to an SMB server (HTTP 301). This is a likely attempt to exploit the “Redirect to SMB” vulnerability in order to obtain the user’s credentials.
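The two alerts above key on an HTTP 301 or 302 whose Location header sends the client to an SMB share. As an added illustration (not Masergy's detection logic), the following Python inspects raw HTTP responses and returns the matching alert name; the sample responses and host names are constructed placeholders.

```python
"""Flag HTTP 301/302 redirects whose Location points at an SMB share.

Added example, not the vendor's rule set. A Location of file://host/... with a
remote host, or a UNC path (\\host\share), makes Windows open an SMB connection
and send NTLM credentials; a local file:/// path or an http(s) URL does not.
"""
import re
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302}
# Alert names from the advisory, keyed by the redirect status code.
ALERT_NAMES = {302: "COMP:REDIRECT-SMB1", 301: "COMP:REDIRECT-SMB2"}
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")  # \\host\share...

def location_targets_smb(location: str) -> bool:
    """True if this Location value would make Windows open an SMB session."""
    loc = location.strip()
    if UNC_PATH.match(loc):
        return True
    parsed = urlparse(loc)
    # file:// with a non-empty, non-local host is resolved as a UNC path.
    return parsed.scheme == "file" and parsed.netloc not in ("", "localhost")

def inspect_response(raw: str):
    """Return the alert name for a suspicious redirect, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. HTTP/1.1 302 Found
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    status = int(parts[1])
    if status not in REDIRECT_CODES:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location" and location_targets_smb(value):
            return ALERT_NAMES[status]
    return None

# Constructed sample responses; hosts are placeholders, not real indicators.
SAMPLES = {
    "smb_302": "HTTP/1.1 302 Found\r\nLocation: file://192.0.2.10/share/x.txt\r\n\r\n",
    "unc_301": "HTTP/1.1 301 Moved Permanently\r\nLocation: \\\\evil.example\\pub\\a\r\n\r\n",
    "benign_302": "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n\r\n",
    "local_file": "HTTP/1.1 302 Found\r\nLocation: file:///C:/temp/a.txt\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {inspect_response(raw)}")
```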