Why no Workstation Needs Inbound SMB
How cybercriminals reach business networks by abusing open inbound SMB ports that are vulnerable to the ‘Eternal-family’ line of exploitable vulnerabilities.
What we're seeing
Malicious cyber actors are absolutely relentless, and they show no signs of slowing down.
The negative impacts of cybercriminals continuously destabilize business strategies, rattle customer confidence and decrease business profits. To better understand recent cybercriminal activity, potential business impact ramifications, primary attack vectors, and industry best practices for network defense, it is prudent to review cybersecurity trends to determine how past actions may inform future security considerations.
This article focuses first on lateral movement techniques, which involve a common file-sharing service and other protocols that leverage a Server Message Block (SMB) connection. It wraps up with additional security considerations businesses may take to secure SMB services and associated network communications.
Businesses are experiencing repeat breaches.
According to research published by IBM in 2022 [1], cyber security breaches cost businesses approximately $4.5 million USD per event. This data comes from a sampling of over 500 individually impacted businesses across seventeen countries, geographic regions, and an equal number of industries. A majority of businesses surveyed experienced repeat breaches, leading to undesired price increases passed onto their customers [1]. Increased cyber breach activity typically involves decisions relating to insecure network architectures and protocols that communicate to or between workstations, including Active Directory adjacent ports, which may allow unnecessary file sharing.
Factors that can assist businesses with reducing the impacts and costs of cyber breaches include several continuous monitoring and risk identification strategies, including the use of network monitoring tools, Extended Detection and Response (XDR) solutions, and innovative security practices in the form of Continuous Penetration Testing (CPT).
How are hackers exploiting open inbound SMB ports?
A historically popular method used by cybercriminals to breach business networks involves the abuse of open inbound SMB ports, which are vulnerable to the ‘Eternal-family’ line of exploitable vulnerabilities (EternalSynergy, EternalRomance, etc.) [2] or social engineering attacks such as phishing. Following the initial compromise, attackers will attempt to escalate their available access and then move laterally within and across the victim network.
Inbound SMB ports available on workstations give malicious actors an ideal lateral movement vector: an already widely abused path that is useful for evading detection, looting sensitive data, and introducing malware.
Once administrator-level permissions are obtained, attackers can attempt to locate and map, from their own machine, the default Windows shares of other devices, like c$, admin$, or IPC$ [3]. The process may be repeated on other machines, or new tactics may be adopted to achieve full network compromise.
How exactly are cybercriminals moving laterally across hosts without being noticed?
Cybersecurity firm CrowdStrike noted ransomware incidents throughout 2022 saw increased use of the Impacket toolkit (smbexec, wmiexec, etc.) to silently invade SMB shares and carry out malicious attacks [4]. Impacket-Wmiexec, in particular, abuses a suite of default protocols and native Windows services used for standard administrative tasks, like Windows Management Instrumentation (WMI), the Distributed Component Object Model (DCOM), Remote Procedure Calls (RPC), and administrative SMB shares, to provide a difficult-to-detect lateral movement vector when done correctly.
Following initial device compromise, and successful elevation to local administrator access, paired with administrative SMB shares, Wmiexec achieves connectivity to other workstations or servers using DCOM/RPC over TCP port 135. Responses from compromised machines to the threat actor are sent using SMB ports.
Tools like Wmiexec also spawn particular sequences of system processes, and the lateral movement goes unnoticed unless defenders are vigilant about the specific parent and child processes Wmiexec creates. CrowdStrike noted further that a parent process of wmiprvse.exe with a child process of cmd.exe or powershell.exe serves as an immediate indicator that lateral movement via Wmiexec is occurring within the environment [4].
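The parent/child indicator above, applied to process-creation telemetry (an added example, not code from the original article or from CrowdStrike). It assumes events arrive as JSON lines with field names modelled on Sysmon Event ID 1; the sample events are constructed, and the admin-share redirect check is an extra heuristic that is not taken from the article.

```python
import json
import re
from ntpath import basename  # applies Windows path rules on any OS

WMI_PARENT = "wmiprvse.exe"                     # parent named in the article
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}  # children named in the article
# Assumption, not from the article: shell output redirected to an admin
# share on the command line raises the alert from medium to high.
ADMIN_SHARE_REDIRECT = re.compile(r">\s*\\\\[^\\\s]+\\(ADMIN|C|IPC)\$", re.I)

def find_wmi_shell_spawns(lines):
    """Flag process-creation events where WmiPrvSE.exe spawns a shell."""
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        # Compare lower-cased file names so path or case changes do not evade the match.
        parent = basename(ev.get("ParentImage") or "").lower()
        child = basename(ev.get("Image") or "").lower()
        if parent != WMI_PARENT or child not in SHELL_CHILDREN:
            continue
        cmdline = ev.get("CommandLine") or ""
        alerts.append({
            "host": ev.get("Computer", "unknown"),
            "time": ev.get("UtcTime", ""),
            "child": child,
            "severity": "high" if ADMIN_SHARE_REDIRECT.search(cmdline) else "medium",
        })
    return alerts

# Constructed sample events; hosts, times and command lines are illustrative.
SAMPLE_EVENTS = [
    r'{"Computer":"WS-014","UtcTime":"2023-01-10 09:14:02","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__out 2>&1"}',
    r'{"Computer":"WS-014","UtcTime":"2023-01-10 09:14:30","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}',
    r'{"Computer":"WS-022","UtcTime":"2023-01-10 09:15:40","ParentImage":"c:\\windows\\system32\\wbem\\wmiprvse.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile Get-Service"}',
    r'{"Computer":"FS-01","UtcTime":"2023-01-10 09:16:05","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","Image":"C:\\Windows\\System32\\wbem\\unsecapp.exe","CommandLine":"unsecapp.exe -Embedding"}',
    "truncated line that is not JSON",
]

if __name__ == "__main__":
    for alert in find_wmi_shell_spawns(SAMPLE_EVENTS):
        print(alert)
```

Legitimate management tooling can also start shells through WMI, so medium alerts are best triaged against known administrative hosts and accounts.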
How do I prevent compromise and lateral movement while using SMB?
Pivoting to potential security approaches to reduce compromise and lateral movement using SMB, let's assume a decision is made to disallow inbound SMB port connections to workstations. How can the business obtain near real-time intelligence and assurances that the SMB attack surface is sufficiently managed and monitored over time? Scheduled vulnerability scanning, traditional penetration testing, or annual control assessments using company policy as a baseline are fantastic approaches for managing enterprise security and adding defense in depth.
The potential downfalls to these approaches lie in their infrequent execution, which may leave businesses exposed to critical security risks for extended periods of time. An emerging approach allowing businesses to better manage risks such as inappropriate inbound SMB port connections is Continuous Penetration Testing (CPT). With CPT, manual testing is performed to detect the exposure of remote access services like SMB on your internal network. Frequently, Sprocket will find that a firewall policy is deployed to fix this issue, and days later, systems are added to the network that don't enforce this security control. Sprocket is able to detect this change and notify stakeholders immediately to prevent the resurgence of lateral movement vectors.
Remediation Specifics
Here at Sprocket, we recommend that clients disable the SMB service on workstations and potentially servers where it is not required for business operations.
The Windows firewall can block inbound traffic using the following protocols: SMB (445/TCP), NetBIOS (137, 138 UDP), and NetBIOS over TCP (137, 138, 139 TCP). This change can be pushed out via GPO. This is a simple procedure documented in depth by Microsoft. Alternatively, some anti-virus and endpoint protections can filter traffic based on a predefined policy set [5].
Some potential downsides to these changes exist, however. In our experience, disabling inbound SMB connections on workstations has little to no effect on business operations. Issues arise when SMB is disabled network-wide, as a large number of Windows server instances will likely require inbound SMB connections to operate properly. Sprocket always recommends that clients audit the usage of the SMB service on servers and then conditionally disable SMB when possible [6].
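A way to verify that the workstation firewall block described above is holding, and to catch the drift described earlier when newly added systems do not enforce it (an added example, not Sprocket's tooling). The inventory format, host names and role labels are assumptions; only the TCP ports are probed, so the UDP NetBIOS ports need a separate check.

```python
import socket

SMB_TCP_PORTS = (445, 139)  # SMB and NetBIOS session service, from the article

def tcp_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds, i.e. inbound is allowed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False  # refused, filtered, timed out or unresolvable

def audit_workstations(inventory, probe=tcp_open, ports=SMB_TCP_PORTS):
    """Return {host: [open ports]} for workstations that accept inbound SMB."""
    exposed = {}
    for host, role in inventory.items():
        if role != "workstation":
            continue  # servers are audited separately, as the article advises
        open_ports = [p for p in ports if probe(host, p)]
        if open_ports:
            exposed[host] = open_ports
    return exposed

def regressions(previous, current):
    """Ports exposed in the current run that were closed in the previous run."""
    new = {}
    for host, ports in current.items():
        added = sorted(set(ports) - set(previous.get(host, [])))
        if added:
            new[host] = added
    return new

if __name__ == "__main__":
    # Constructed inventory and probe results so the demo runs offline;
    # drop the probe argument to test real hosts you are responsible for.
    inventory = {"ws-01": "workstation", "ws-02": "workstation", "fs-01": "server"}
    last_run = {}
    simulated_open = {("ws-02", 445), ("fs-01", 445)}
    now = audit_workstations(inventory, probe=lambda h, p: (h, p) in simulated_open)
    print("exposed workstations:", now)
    print("new since last run:", regressions(last_run, now))
```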
Summary
In summary, this article addressed some of the risks and attack vectors associated with allowing inbound SMB port connectivity to workstations with an emphasis on lateral movement tools and techniques. High-level avoidance strategies like disallowing SMB on workstations were covered, along with a brief discussion on the traditional methods to achieve defense in depth using monitoring capabilities and traditional penetration testing.
Finally, Continuous Penetration Testing (CPT) was briefly covered, and how this approach is highly useful for augmenting the current security control landscape implemented by the business. The adoption of cutting-edge approaches like CPT allows security teams to spend less effort managing cyber risks while returning greater assurances to their stakeholders that business risks are adequately managed, monitored, and reduced.
References
1 Costs of a Data Breach to Businesses - https://www.ibm.com/security/data-breach
2 How SMB is Exploited by EternalBlue - https://www.sentinelone.com/bl...
3 Detecting Lateral Movement via SMB - https://imphash.medium.com/detecting-lateral-movement-101-tracking-movement-smb-windows-admin-shares-through-windows-log-6005e3ba6980
4 Detecting and Preventing Impacket - https://www.crowdstrike.com/bl...
5 Disabling SMB services on Windows devices - https://learn.microsoft.com/en...
6 Auditing SMB usage on Windows devices - https://learn.microsoft.com/en...