New ‘Redirect to SMB’ Attack Method Detected
A newly published vulnerability, dubbed “Redirect to SMB”, allows an attacker to redirect a Windows client to a malicious SMB server and capture the user’s credentials. It builds on a long-known weakness: when Windows is pointed at an SMB share it automatically attempts to authenticate with the NTLM challenge-response protocol (NTLMv2), so a server the attacker controls receives the user’s name, domain and a hashed challenge response that can be cracked offline. An attacker holding a man-in-the-middle (MITM) position on the victim’s traffic can inject such a redirect and force the victim to authenticate to the attacker’s SMB server. An attacker who can lure a user to a malicious web page (or who controls any HTTP response that a Windows application fetches) can achieve the same result by answering with an HTTP redirect to a file:// URL, which causes the user’s computer to connect to the attacker’s SMB server and authenticate.
Additional information can be found at https://www.kb.cert.org/vuls/id/672268.
Recommended mitigations:
- Block outbound TCP 139 and 445 at the network perimeter so that internal hosts cannot reach SMB servers on the Internet
- Enforce strong password policies, since a captured NTLMv2 challenge response must be cracked offline before the attacker can use the password
Affected systems:
- All versions of the Windows operating system, including Windows 10
- Windows API functions used to fetch URLs, and any application that relies on them
- Tablets running a Windows OS
At this time Microsoft has not released a patch for Redirect to SMB, so network-level blocking of outbound SMB is the primary defense.
The Masergy Threat Intelligence Team has deployed the following alerts to detect attempts to exploit this vulnerability.
Detected a web server issuing an HTTP 302 redirect whose target is an SMB server (a file:// URL or UNC path). This is a likely attempt to exploit the “Redirect to SMB” vulnerability in order to capture the user’s credentials.
Detected a web server issuing an HTTP 301 redirect whose target is an SMB server (a file:// URL or UNC path). This is a likely attempt to exploit the “Redirect to SMB” vulnerability in order to capture the user’s credentials.
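The following is an added example, not part of the original advisory and not Masergy’s alert logic, showing the detection idea described above in working code: it parses raw HTTP response headers as a proxy or IDS would see them and flags any 3xx redirect whose Location header points at a file:// URL or a UNC path, which is the redirect the technique in the first paragraph relies on. The sample responses, the IP address 198.51.100.23 and the function names are constructed for the example.

```python
"""Flag HTTP redirects that send a Windows client to an SMB share.

Added example for the "Redirect to SMB" advisory; not code from the original
page or from Masergy. Sample responses below are constructed.
"""
import re
from urllib.parse import urlsplit

# Every redirect status a client will follow, not only 301 and 302.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

STATUS_LINE_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")


def parse_response_head(raw: str):
    """Return (status_code, headers) from the header block of a raw HTTP response.

    Only the head (before the first blank line) is read; header names are
    lowercased so 'Location' and 'location' compare equal.
    """
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    lines = head.splitlines()
    match = STATUS_LINE_RE.match(lines[0].strip())
    if not match:
        raise ValueError("not an HTTP response status line: %r" % lines[0])
    status = int(match.group(1))
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def smb_redirect_target(raw: str):
    """Return the Location value if the response redirects to an SMB share, else None."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_STATUSES:
        return None
    location = headers.get("location")
    if not location:
        return None
    # file://host/share and file:////host/share both resolve to an SMB/UNC path on Windows.
    if urlsplit(location).scheme == "file":
        return location
    # A bare UNC path (\\host\share) is also handed to the SMB client.
    # A protocol-relative URL (//host/path) is a normal HTTP redirect and is not flagged.
    if location.startswith("\\\\"):
        return location
    return None


def scan_responses(responses):
    """Run the check over a list of raw responses; return (index, status, target) alerts."""
    alerts = []
    for index, raw in enumerate(responses):
        target = smb_redirect_target(raw)
        if target is not None:
            status, _ = parse_response_head(raw)
            alerts.append((index, status, target))
    return alerts


# Constructed sample traffic: two malicious redirects, one benign redirect,
# and a page that merely mentions a file:// URL in its body.
SAMPLES = [
    "HTTP/1.1 302 Found\r\nLocation: file://198.51.100.23/share/\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: \\\\198.51.100.23\\share\\img.png\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: https://example.com/login\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<a href=\"file://198.51.100.23/x\">",
]

if __name__ == "__main__":
    for index, status, target in scan_responses(SAMPLES):
        print("Redirect to SMB attempt: response %d sent HTTP %d to %s" % (index, status, target))
```

The benign https:// redirect and the 200 response that only mentions a file:// URL in its body produce no alert; only a redirect status combined with a file:// or UNC Location does, which keeps the rule from firing on ordinary web traffic.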