“85% of MSPs report attack against SMBs in the last two years” read a report title few months ago

“Average cost of downtime due to SMB attacks was $1,41,000 “ was a fact from the same report.

These two headlines paint a gray picture of how SMB is under persistent threat from attackers all over the globe.  Maybe because of a lot of 0-days and public exploits targeting SMBs are easily available or due to the widespread usage of SMB, hackers have found their Goldmine!

A simple ‘smb’ search on Shodan.io returns more than 1.5 million results. This is enough to assume how largely and globally this protocol is used. Needless to say, what’s more prevalent is what’s more targeted.

This image has an empty alt attribute; its file name is SMB_Article_Image_1.png

Just recently arrived SMBleed vulnerability quickly gained momentum for it can result in Remote Code Execution (RCE) on SMB 1.1 under certain circumstances and when combined with a previously reported SMBGhost vulnerability. The issue lay in the Srv2DecompressData function in the srv2.sys SMB server driver. Considering the grave situation of more than a million active usages of SMB, Microsoft released a patch, but will that be enough?

The New SMBGhost Wormable Vulnerability is Gaining Popularity in ...

Considering a best practice of installing security patches as soon as they arrive, we observe security misconfigurations where developers are adamant to update to latest versions owing to instability, added work or sometimes even negligence. This creates a perfect opportunity for hacker to infiltrate the systems and compromise the data or install ransomware.

Coming to Ransomwares, Wannacry or Eternal Blue wreaked havoc in the industry and this is not hidden from anyone. But very few are aware of the damages that other ransomwares are making by leveraging the SMB protocol. Four out of five MSPs are stating that they are increasingly targeted by Ransomwares and 89% are concerned about this increasing threats. The hackers have found various ways which even include social engineering attacks to intrude into the organizations and install ransomwares. The options left at that point are quite a few since not all ransomwares can be decrypted and there is always a possibility of data loss even after data is decrypted.

The best solution is always to go for preventing these attacks and investing on business saving instead of business recovery from such attacks

We at Detox, suggest the following practices in general to follow to avoid attacks through SMB. Definitely, this is not an exhaustive list since not curated for a specific business. These are generic but quite effective.

  • Do not open the SMB ports for public until extremely necessary (Even with the latest version)
  • Install the SMB security updates as soon as they arrive.
  • Train your staff to be phishing-resistant (Phishing is the leading cause of Malware)
  • Never leave SMB with easily guessable or weak passwords
  • Enable 2FA on email clients to reduce the risk of compromised accounts
  • Continuous Logging and monitoring is required to flag any anomaly
  • Have a cyber liability insurance to get covered for the losses (if happen)
  • Have a complete security testing, VAPT audit of all the infrastructure to prevent such attacks

We responsibly and through experience suggest that coping with a compromised system should be the last resort since what has been done cannot be undone. Also, most organizations take years to recover from a single hack, sometimes Never!
So, do consult experts when planning the security architecture and conduct routine security audits & pentests because as they say, Security is not an implementation, it is a process.

Author : Piyush Goyal