SMBGhost Attacks Spotted After PoC Code Execution Release


The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security has warned Windows users that a recently released proof-of-concept (PoC) exploit for the vulnerability tracked as SMBGhost has been misused to launch attacks.

SMBGhost, also known as CoronaBlue and tracked as CVE-2020-0796, is a vulnerability in Server Message Block 3.0 (SMBv3), specifically in how SMB 3.1.1 handles certain requests. The vulnerability affects Windows 10 and Windows Server and can be used for denial-of-service (DoS) attacks, local privilege escalation and arbitrary code execution.

Against an SMB server, the attacker sends malicious packets to the targeted system. Against a client, the attacker must persuade the user to connect to a malicious SMB server.

Microsoft warned when it disclosed the vulnerability that it is wormable, which makes it particularly dangerous. In March the firm released patches and workarounds.

Shortly after the disclosure, researchers started releasing PoC exploits for CVE-2020-0796, but those exploits only achieved DoS or privilege escalation. Some companies and researchers reported that they had developed exploits capable of remote code execution, but none of them were made public.

However, a researcher who uses the online alias Chompie published an SMBGhost remote code execution exploit last week. The researcher released it for “educational purposes,” arguing that the cybersecurity company ZecOps was about to update its own PoC in the coming days and that the patch had been available for months.

Chompie said the PoC wasn’t reliable and would often cause the system to crash, but several experts have confirmed that the execution of remote code is working.

On Friday, CISA advised users and administrators to install SMBGhost patches and block SMB ports using a firewall, and warned the vulnerability was exploited in the wild.
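One way to carry out the firewall part of that advice on a Windows host, as an added example that is not from the article or from CISA: the script audits existing inbound rules touching TCP 445 (the SMB port) and creates a block rule if none with the given name exists. It assumes an elevated PowerShell session with the NetSecurity module (Windows 8 / Server 2012 or later); the rule name and profile list are constructed placeholders.

```powershell
# Added example: audit and, if missing, create a Windows Defender Firewall rule
# blocking inbound SMB (TCP 445). Requires an elevated session. Run with -WhatIf
# first to see what would change without creating anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Rule name is a constructed placeholder; adjust to your naming scheme.
    [string]$RuleName = "Block inbound SMB (CVE-2020-0796 mitigation)",
    # Profiles to block on. Domain is left out so domain file shares keep working;
    # add it if the host should not serve SMB anywhere.
    [string[]]$Profiles = @("Public", "Private")
)

# 1. List every inbound rule whose port filter includes TCP 445, so the audit
#    shows whether SMB is already blocked or explicitly allowed on this host.
$smbRules = Get-NetFirewallRule -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq "TCP" -and ($pf.LocalPort -contains "445")
    }

foreach ($r in $smbRules) {
    "{0,-60} Enabled={1,-5} Action={2,-6} Profile={3}" -f `
        $r.DisplayName, $r.Enabled, $r.Action, $r.Profile
}

# 2. Create the block rule only if a rule with this name is not already present.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Rule '$RuleName' already exists (Enabled=$($existing.Enabled))."
} elseif ($PSCmdlet.ShouldProcess($RuleName, "Create inbound block rule for TCP 445")) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile $Profiles -Enabled True | Out-Null
    Write-Host "Created rule '$RuleName' on profiles: $($Profiles -join ', ')."
}
```

Blocking the port is a stopgap for hosts that cannot be patched immediately; the patch remains the fix.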

“While Microsoft disclosed and issued updates for this vulnerability in March 2020, according to recent open-source reports, malicious cyber actors target unpatched systems with the latest PoC,” CISA said.

Researchers previously warned that SMBGhost had been exploited by various pieces of malware to escalate privileges and spread locally, but now it appears the vulnerability is also being exploited for remote code execution. No specifics appear to be available about what exactly the attackers are doing.

The malware research group MalwareMustDie reported that the latest attacks also leveraged an open source tool that helps users identify SMBGhost-affected servers.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.