Majority of attacks against SMB protocol attempt to exploit EternalBlue
The Server Message Block (SMB) protocol facilitates shared access to files and printers, and it has been widely used on Windows systems for years, as well as on Linux and Apple systems connecting to networks that use SMB. While the current version of the protocol is 3.1.1, backwards compatibility with older dialects remains a feature even in modern Windows systems, and it was enabled by default for years.
This backwards compatibility is significant because older versions of the protocol, especially SMB v1, have been found over the years to have serious vulnerabilities. When systems support these older versions of the protocol, they can be susceptible to attacks that exploit these vulnerabilities. Further, newer vulnerabilities have been found that make this protocol a viable target for attackers. For example, in a recent analysis of attacks over a three-month period, Barracuda researchers found that 91.88% of the attacks on port 445 (the most common SMB port) attempted to use the EternalBlue exploit.
Several vulnerabilities exist and are exploited in the wild against the SMB protocol and its implementations. One such vulnerability, EternalBlue, made the news in 2017, and attempts (and possibly successes) at exploiting it continue to this day. Although SMB v1 is outdated and disabled by default in newer operating systems, enough legacy machines remain to make exploits against it still worth the effort. In addition, other vulnerabilities may exist in more modern versions of SMB, and attackers are continually trying to find ones they can exploit.
Successful exploitation can have a range of consequences. With EternalBlue specifically, the entire system, and potentially even the network it resides on, may become compromised. Because SMB is often part of an intranet, attackers will use various techniques to get through defenses in an attempt to exploit SMB.
WannaCry and other EternalBlue attacks
Three notable SMB vulnerabilities — EternalBlue, EternalRomance, and EternalChampion — made headlines when a hacker group called The Shadow Brokers released a collection of vulnerabilities that they claimed to have stolen from Equation Group, which is suspected by many to be part of the U.S. National Security Agency (NSA). EternalBlue gained infamy when it was used with another tool from the leak known as DoublePulsar to spread WannaCry ransomware. In fact, the five-year anniversary of this attack is coming up on May 12, a reminder of how long these vulnerabilities have been causing serious problems. EternalRomance was also used in a ransomware campaign, this time BadRabbit. EternalChampion was widely used by TrickBot, a very common information stealer and banking Trojan, to spread laterally through a network after a machine was infected.
Despite patches being made available years ago, EternalBlue is still one of the most commonly attempted exploits against SMB, accounting for over 91.88% of the attacks on port 445 (the most common SMB port) that Barracuda researchers observed in their analysis. It is often used in conjunction with other attacks to penetrate network defenses and access SMB within a local network.
In the case of WannaCry, the attack looked for SMB ports (most commonly port 445) that had been exposed due to misconfiguration. Once an exposed port was found, EternalBlue was exploited on vulnerable systems to spread a worm throughout the network, ultimately deploying ransomware on infected machines. Luckily for those affected, the ransomware contained a "kill switch" in the form of a domain: before encrypting and spreading across the network, the malware checked that this domain did not exist. During analysis, a security researcher noticed this domain and that it was not registered. The researcher subsequently registered it, thus stopping the spread of the attack.
More recently, a campaign known as Eternal Silence has been exploiting UPnP vulnerabilities in routers in order to reach systems behind those routers and attempt EternalBlue and EternalRed (the Linux equivalent) against them. UPnP is a feature in many routers that allows for port forwarding, which is often used in conjunction with game consoles to speed up online play. It trades some of the security provided by the router itself for better connectivity on specific systems within the network.
New vulnerabilities related to SMB are periodically found as well, such as the more recent CVE-2021-44142 that affects Samba — the open-source implementation of the SMB protocol, which is frequently used on Linux and Apple systems. This vulnerability allows an attacker to execute code on the target system, making it a serious risk to affected systems that have not been patched.
Between older systems that are either unpatched or unable to receive further security patches and newer vulnerabilities being found, SMB is a viable target for attackers. Vulnerabilities may be exploited directly through exposed SMB ports, in conjunction with other vulnerabilities that enable an attacker to access internal SMB services, or through phishing attempts containing malware that targets SMB.
How to protect against this threat
Because SMB is often targeted with the various vulnerabilities that exist, ensuring software and operating systems are patched and up-to-date is a key step in protecting against these attacks. In the case of Windows, this may mean updating to a newer version of Windows itself because many older versions no longer receive updates and thus the vulnerabilities can't be patched. This played a large role in the WannaCry campaign where older, vulnerable versions of Windows were being exploited.
When possible, disabling SMB v1 support can also protect against vulnerabilities and the spread of the attack when outdated machines are targeted. If SMB is not needed or used, it can even be disabled entirely on systems to reduce the attack surface.
Properly configured firewalls can also help protect against SMB vulnerabilities by blocking access to these ports as well as potentially detecting and/or preventing exploitation attempts. SMB resources should generally not be available outside the local network, and firewalls can also often allow for setting up VPN access to the resources rather than exposing them publicly. In general, both systems and the network should not allow for public access to SMB ports.
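As an added example (not part of the original post), the following PowerShell audits a Windows host for the two controls just described, SMB v1 support and firewall exposure of TCP 445, and applies the fixes only when run with `-Apply`. The rule name and the `-Apply` switch are this example's own conventions; the cmdlets are standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally remediate) SMB v1 exposure on a
# Windows 8.1/10/11 or Server 2012+ host. Report-only unless -Apply is given.
param([switch]$Apply)

# 1. SMB v1 at the server-service level.
$srv = Get-SmbServerConfiguration
Write-Host ("SMB1 enabled on server service: {0}" -f $srv.EnableSMB1Protocol)
if ($Apply -and $srv.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 2. SMB v1 as an installed optional feature (covers the client driver too).
#    On Windows Server this feature is FS-SMB1, removed with
#    Uninstall-WindowsFeature -Name FS-SMB1 instead.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
if ($feat) {
    Write-Host ("SMB1Protocol feature state: {0}" -f $feat.State)
    if ($Apply -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

# 3. Dialects negotiated by current sessions. Any 1.x entry is a legacy
#    client to track down before SMB1 is switched off, so nothing breaks.
Get-SmbSession -ErrorAction SilentlyContinue |
    Group-Object Dialect |
    ForEach-Object { Write-Host ("Dialect {0}: {1} session(s)" -f $_.Name, $_.Count) }

# 4. Firewall: TCP 445 must not be reachable from an untrusted network.
#    The Public profile is blocked outright; Domain/Private keep the built-in
#    File and Printer Sharing rules, which are scoped to the local subnet.
$ruleName = 'Block inbound SMB 445 (Public profile)'   # example's own name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($Apply -and -not $rule) {
    $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Profile Public -Action Block
}
Write-Host ("Firewall rule '{0}' present: {1}" -f $ruleName, [bool]$rule)
```

Run it once without `-Apply` and review the dialect list before committing the changes, since a single SMB 1.x session indicates a device that will lose access once the protocol is removed.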
SaaS solutions also exist for sharing files and resources; these are generally more secure than SMB and will often handle much of the security patching automatically rather than relying on users or IT to update. They can also make it easier to adopt more robust security practices, such as Zero Trust Network Access and multifactor authentication.