
Researchers identify attack technique, all Windows versions at risk

Researchers with Cylance have identified a new attack technique – built on a vulnerability identified nearly 20 years ago by Aaron Spangler – that can enable the theft of user credentials from PCs, tablets and servers running any version of Windows, according to a Monday post by Cylance.

The “Redirect to SMB” technique involves intercepting HTTP requests – which are used by many software products and can be intercepted via man-in-the-middle (MitM) attacks – and redirecting victims to a malicious Server Message Block (SMB) server, a Carnegie Mellon University CERT advisory indicated.

“If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server,” the advisory said.
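A defender-side check for the pattern the advisory describes, as an added example that is not code from the article, CERT or Cylance: it inspects raw HTTP response headers, as a proxy or IDS could hand them over, and reports redirects whose Location is a file:// URL or a UNC path, the case that makes Windows authenticate to the named host. The sample responses and the 203.0.113.5 address are constructed.

```python
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def smb_redirect_target(raw_response: str):
    """Return the SMB host a redirect points at, else None.
    raw_response is the HTTP status line plus headers (CRLF separated)."""
    lines = raw_response.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].isdigit() or int(status[1]) not in REDIRECT_STATUSES:
        return None
    location = None
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
            break
    if location is None:
        return None
    if location.startswith("\\\\"):  # UNC path: \\host\share\...
        return location.lstrip("\\").split("\\")[0] or None
    parts = urlsplit(location)
    if parts.scheme.lower() != "file":
        return None
    # file://host/share or the Windows form file:////host/share
    host = parts.netloc or parts.path.lstrip("/").split("/")[0]
    if not host or (len(host) == 2 and host[1] == ":"):
        return None  # local drive letter, not an SMB host
    return host

# Constructed sample responses (TEST-NET address, not a real host).
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nLocation: file://203.0.113.5/share/update.exe\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/update\r\n\r\n",
    "HTTP/1.1 307 Temporary Redirect\r\nLocation: \\\\203.0.113.5\\share\r\n\r\n",
    "HTTP/1.1 200 OK\r\nLocation: file://203.0.113.5/share\r\n\r\n",
]

def scan(responses):
    """Return the SMB hosts any of the responses redirect to."""
    return [h for h in (smb_redirect_target(r) for r in responses) if h]

if __name__ == "__main__":
    print("redirect-to-SMB hosts:", scan(SAMPLE_RESPONSES))
```

A hit here is worth correlating with an outbound TCP 139/445 connection from the same client to the reported host.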

Cylance identified 31 exploitable software packages, including Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Excel 2010, Symantec's Norton Security Scan, BitDefender Free, and Comodo Antivirus, according to the post.

The information that is stolen in the attack includes the victim's username, domain and hashed password, the post stated.

“If the encryption is breakable – the short answer is yes, the long answer is, it's a bit complicated,” Brian Wallace, senior researcher and software engineer with Cylance's SPEAR Team, told SCMagazine.com on Monday. “The encryption method was created in 1998. At the time it was quite secure, but hardware and software being used to crack these hashes has grown by leaps and bounds since 1998.”

A password eight characters long, with a mixture of uppercase and lowercase letters and any numbers, should take about nine and a half hours to crack using today's technologies, Wallace said. He explained that cracking the password could enable access to a computer, a corporate network and – in Windows 8 and Windows 10 – access to Windows Live accounts.

Wallace said that the attack can occur invisibly, with no user interaction.

“The Cylance research shows that instead of waiting for the user to open their browser or manually connect to a network share, an attacker can look for automated HTTP requests sent by background applications and redirect these to file:// URLs, triggering a SMB connection and automatic authentication,” HD Moore, chief research officer with Rapid7, said in a statement emailed to SCMagazine.com on Monday.

He added, “Given how many applications a typical laptop or tablet has running in the background, this can drastically speed up SMB capture and relay attacks against Windows-based laptops and tablets connecting to insecure wireless networks.”

Application developers can help address the issue by not using vulnerable functions, Wallace said, explaining that the best current workaround is to block outbound traffic on TCP ports 139 and 445, at the endpoint firewall or at the network gateway's firewall. Cylance provided additional mitigation strategies and further information on the attack in a whitepaper.

“We don't agree with Cylance's claims of a new attack type,” a Microsoft spokesperson told SCMagazine.com in a Monday statement. “Cybercriminals continue to be engaged in a number of nefarious tactics. However, several factors would need to come together for this type of cyberattack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they don't recognize or visiting unsecure sites.”
