SMBGhost Attacks Spotted After PoC Code Execution Release


The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security has warned Windows users that a recently released proof-of-concept (PoC) exploit for the vulnerability tracked as SMBGhost is being misused to launch attacks.

SMBGhost, also known as CoronaBlue and tracked as CVE-2020-0796, is a vulnerability in Server Message Block 3.0 (SMBv3), specifically in how SMB 3.1.1 handles certain requests. The vulnerability affects Windows 10 and Windows Server and can be used for denial-of-service (DoS) attacks, local privilege escalation and arbitrary code execution.

Against SMB servers, an attacker can exploit the flaw by sending malicious packets to the targeted system. Against SMB clients, the attacker must persuade the user to connect to a malicious SMB server.

Microsoft warned when it disclosed the vulnerability that it is wormable, which makes it particularly dangerous. In March the firm released patches and workarounds.

Shortly after the vulnerability was disclosed, researchers started releasing PoC exploits for CVE-2020-0796, but those exploits only achieved DoS or privilege escalation. Some companies and researchers reported that they had developed exploits capable of remote code execution, but none of them were made public.

However, a researcher who uses the online alias Chompie published an SMBGhost remote code execution exploit last week. The researcher released it for “educational purposes,” noting that the cybersecurity company ZecOps was expected to update its own PoC in the coming days and that the patch had been available for months.


Chompie said the PoC was not reliable and would often crash the target system, but several experts have confirmed that remote code execution works.

On Friday, CISA advised users and administrators to install the SMBGhost patches and to block SMB ports using a firewall, and warned that the vulnerability was being exploited in the wild.

“While Microsoft disclosed and issued updates for this vulnerability in March 2020, according to recent open-source reports, malicious cyber actors target unpatched systems with the latest PoC,” CISA said.
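As an added defensive example, not from the article, CISA or Microsoft, the PowerShell below checks a host against the advice above and applies two mitigations on hosts that lack them. It assumes that the affected builds are Windows 10 and Windows Server versions 1903 (build 18362) and 1909 (build 18363), and that the registry value shown matches Microsoft's published SMBv3 compression workaround; it does not verify patch installation, which remains the primary fix.

```powershell
# Added example: assess and mitigate SMBGhost (CVE-2020-0796) exposure on one host.
# Assumptions (see lead-in): affected builds 18362/18363; DisableCompression is the
# Microsoft workaround value. Run in an elevated PowerShell session.

function Test-SmbGhostExposure {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $affectedBuilds = @(18362, 18363)   # 1903 / 1909 (assumption)

    # Workaround state: SMBv3 compression disabled on the server side
    $params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value   = (Get-ItemProperty -Path $params -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($value -eq 1)

    # Firewall state: any enabled inbound block rule covering TCP 445
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }

    [pscustomobject]@{
        Build               = $build
        AffectedBuild       = ($affectedBuilds -contains $build)
        CompressionDisabled = $compressionDisabled
        Port445Blocked      = [bool]$blockRules
    }
}

function Invoke-SmbGhostMitigation {
    $state = Test-SmbGhostExposure
    if (-not $state.CompressionDisabled) {
        # Workaround only; it does not replace installing the March 2020 update.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name DisableCompression -Type DWord -Value 1 -Force
    }
    if (-not $state.Port445Blocked) {
        # Host-level block on the Public profile; on file servers, scope this to
        # untrusted networks instead of blocking SMB outright.
        New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (CVE-2020-0796)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
    Test-SmbGhostExposure   # return the post-mitigation state
}

Invoke-SmbGhostMitigation | Format-List
```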

Researchers previously warned that SMBGhost had been exploited by various pieces of malware to escalate privileges and spread locally, but now it appears the vulnerability is also being exploited for remote code execution. No specifics appear to be available about what exactly the attackers are doing.

The malware research group MalwareMustDie reported that the latest attacks also leveraged an open source tool that helps users identify SMBGhost-affected servers.
