Everything you need to know about SMB vulnerability | NordVPN (2024)

Contents

  • What is the SMB protocol?
  • Most common SMB exploits
  • Examples of attacks that exploited SMB
  • SMB security: Tips on SMB vulnerability prevention

What is the SMB protocol?

Before answering “what is SMB vulnerability,” it’s useful to know what “SMB” means.

SMB stands for Server Message Block. It’s a protocol developed in the 1980s, mainly responsible for file sharing across networks. Historically, it has been used to connect Microsoft Windows machines, but other operating systems, such as Linux and macOS, are also compatible with it.

For years, hackers have targeted the SMB protocol as a way to deliver malware and execute arbitrary code on remote machines. The first version of the protocol – SMB v1 – was full of vulnerabilities that could be easily exploited. Today, the updated protocol is more secure, but SMB v1 exploits continue to happen because many machines still use the old and much more insecure protocol. Therefore, it’s crucial for companies to follow cyber security practices and implement the latest available protocols.

Most common SMB exploits

In general, all SMB exploits have the same goal: to allow an attacker to execute arbitrary code on the targeted computer. Several distinct exploits exist because they target different vulnerabilities in the SMB protocol. Here are the most popular ones:

EternalBlue

The EternalBlue vulnerability was discovered by the US National Security Agency (NSA) and published in 2017 by The Shadow Brokers (TSB) hacker group. The NSA used the vulnerability in its intelligence-gathering operations, mainly to combat terrorism, because it allowed access to machines running Windows XP and Windows 7.

The EternalBlue exploit leverages a weakness in the SMBv1 protocol, allowing hackers to access targeted machines and execute malicious code. EternalBlue has been used in famous attacks, such as WannaCry and NotPetya.

EternalRomance

The EternalRomance SMBv1 vulnerability was also published by The Shadow Brokers. It’s a remote code execution tool exploiting a vulnerability that Microsoft patched in the security bulletin MS17-010. However, it still threatens machines running on older systems such as Windows Server 2003.

EternalRomance triggers a type confusion bug in SMBv1. It was used by the Bad Rabbit ransomware, which appeared in 2017.

EternalChampion

EternalChampion is another vulnerability disclosed by The Shadow Brokers. Attackers used it to access a targeted device by exploiting a race condition in how the SMB protocol handles transactions. It’s still a threat to operating systems up to Windows 8.

EternalSynergy

The EternalSynergy exploit uses an SMB protocol vulnerability tracked as CVE-2017-0143. It allows an attacker to execute commands on a targeted computer by creating message-type confusion. This exploit can target devices running systems up to Windows 8.

SMBGhost (CoronaBlue)

Unlike the previous vulnerabilities, SMBGhost is fairly new; it was published in 2020. It resides within the SMBv3 protocol and can affect newer systems, such as Windows 10 and Windows Server versions 1903 and 1909. An attacker exploiting this vulnerability can send a specially designed SMBv3 packet to a vulnerable server. Victims who connect to the server are then exposed to remote code execution.

EternalRocks

EternalRocks may appear to come from the same vulnerability leak as other exploits with “eternal” nicknames, but it was developed later. It’s also not a separate vulnerability but a computer worm, which takes advantage of seven previously leaked NSA exploits:

  • EternalBlue
  • EternalChampion
  • SMBTouch
  • DoublePulsar
  • EternalRomance
  • EternalSynergy
  • ArchiTouch

EternalRocks works in two steps:

  1. EternalRocks downloads the Tor browser to the infected computer.
  2. The Tor browser is commonly used for private internet browsing, but in this case the malware uses it to fetch the previously described NSA exploits and other malicious files from a .onion domain.

Being a computer worm, EternalRocks can spread to other devices.

Examples of attacks that exploited SMB

SMB vulnerability exploits have been infamously used in hacker attacks targeting millions of computers worldwide. Most SMB vulnerabilities have been known for a long time, yet they were still being exploited as recently as a few years ago.

Here are the most famous attacks that exploited SMB:

WannaCry

WannaCry was a famous crypto-ransomware attack launched in 2017. It exploited the EternalBlue SMBv1 vulnerability to infect devices with malicious code, which then encrypted the victim’s files and held them hostage until they decided to pay a ransom in Bitcoin. If the victim did not pay the ransom, the attackers threatened to delete their files permanently.

The WannaCry attack affected over 200,000 computers, even though the EternalBlue security vulnerability was already known and patched. The attack harmed so many users because most of them neglected to install updates on their devices or were using old Windows systems that had not received support or security patches anymore.

Petya and NotPetya

The Petya ransomware family was first discovered in 2016. In 2017, hackers used it to launch a cyberattack whose main target was Ukraine, but it affected users and companies around the world.

The NotPetya ransomware received its nickname because of how it differs from Petya. It acts like ransomware but has no recovery function, making it a wiper (data-erasing malware).

NotPetya, like WannaCry, exploits the EternalBlue SMB vulnerability.

Stuxnet

Stuxnet is a computer worm initially developed to target Iranian nuclear facilities. It has now been re-developed and used by various hacker groups to attack other facilities, such as water treatment or power plants.

Stuxnet became famous in 2010 not only as the first virus capable of damaging hardware but also as malware allegedly developed by the CIA and Israeli intelligence. It spread via USB flash drives and traveled through closed networks using SMB vulnerabilities, among other things.

Perkiler

Perkiler is malware linked to Purple Fox, an exploit kit that spreads mainly through phishing campaigns. Perkiler uses a method known as an SMB brute force attack, meaning it gains access to devices and networks by guessing usernames and passwords until it finds the correct ones. It was discovered in 2021.

Emotet

Emotet is a Trojan horse functioning as a downloader and dropper for other malicious files. First detected in 2014, it was designed to spy on sensitive data. Emotet spreads mainly through phishing emails. After installation, it can propagate itself thanks to its worm-like features and infect other devices in the network using SMB vulnerabilities such as EternalBlue.

SMB security: Tips on SMB vulnerability prevention

Although most SMB vulnerability exploits are known, they still pose a threat. We’ve gathered some tips to help you prevent SMB-associated dangers that might lurk on the web.

  • Update your devices. The most famous SMB exploit attacks, such as WannaCry and Petya, were widespread because many users neglected to update their systems. Security patches were already available when those attacks peaked. So learn from history — don’t wait to install system and security updates.
  • Implement strong passwords. Hackers perform SMB brute force attacks by guessing passwords. As expected, it’s easier if the password is weak. Always use strong, long passwords with lower- and uppercase letters, numbers, and special characters.
  • Secure your connection. Use a VPN, especially when connecting to an unsecured public network. A VPN can increase your protection from various cyber threats, such as man-in-the-middle attacks, which could be used to exploit SMB vulnerabilities.
  • Use third-party security software. Antiviruses and anti-malware software increase your protection against many malicious programs, including those leveraging SMB vulnerabilities. Use Threat Protection Pro to avoid dangerous websites and scan the files you download for malware. Also, consider using an SMB vulnerability scanner to detect vulnerabilities that might affect you in the future.
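A passive check in the spirit of the scanner tip above, added here as an example and not NordVPN's code: given SMB messages captured on TCP port 445, it flags any SMBv1 traffic, reports which SMB2/3 dialects a client offers or a server selects, whether message signing is required (the setting SMB relay attacks depend on), and recognizes the SMB 3.1.1 compression transform header that SMBGhost abused. Field offsets follow the MS-SMB2 layout; the sample messages are constructed for the demonstration, not real captures.

```python
import struct

# Protocol identifiers at the start of every SMB message (after the 4-byte NetBIOS session header on TCP/445)
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB2_COMPRESSION_MAGIC = b"\xfcSMB"      # SMB 3.1.1 compression transform header (the code path SMBGhost abused)
SMB1_COM_NEGOTIATE = 0x72                # SMB1 negotiate command
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # SMB2 header flag set on responses
SIGNING_REQUIRED = 0x0002                # SMB2 NEGOTIATE SecurityMode bit
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

def classify_smb(tcp_payload: bytes) -> dict:
    """Report protocol version and signing posture of one SMB message captured on TCP/445."""
    msg = tcp_payload[4:]  # strip the NetBIOS session service header
    if msg.startswith(SMB1_MAGIC):  # any SMBv1 traffic is a finding on its own
        return {"version": "SMB1", "legacy": True, "negotiate": msg[4] == SMB1_COM_NEGOTIATE}
    if msg.startswith(SMB2_COMPRESSION_MAGIC):  # CompressionAlgorithm field sits at offset 8
        return {"version": "SMB3 compressed", "legacy": False, "algorithm": struct.unpack_from("<H", msg, 8)[0]}
    if not msg.startswith(SMB2_MAGIC):
        return {"version": "unknown", "legacy": False}
    command, _credits, flags = struct.unpack_from("<HHI", msg, 12)  # SMB2 header: Command, Credits, Flags
    info = {"version": "SMB2/3", "legacy": False}
    if command != 0x0000:  # only NEGOTIATE carries dialect and signing information
        return info
    body = msg[64:]  # fixed 64-byte SMB2 header
    if flags & SMB2_FLAGS_SERVER_TO_REDIR:  # NEGOTIATE response: SecurityMode, DialectRevision at offset 2
        security_mode, dialect = struct.unpack_from("<HH", body, 2)
        info["dialect"] = DIALECTS.get(dialect, hex(dialect))
    else:  # NEGOTIATE request: DialectCount, SecurityMode at offset 2; Dialects[] at offset 36
        count, security_mode = struct.unpack_from("<HH", body, 2)
        info["dialects_offered"] = [DIALECTS.get(d, hex(d)) for d in struct.unpack_from("<%dH" % count, body, 36)]
    info["signing_required"] = bool(security_mode & SIGNING_REQUIRED)
    return info

# Constructed sample messages (built here for the demonstration, not real captures)
def _frame(msg: bytes) -> bytes:  # NetBIOS session service header: type 0x00 + 3-byte big-endian length
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def _smb2_header(command: int, flags: int) -> bytes:  # MS-SMB2 packet header, all other fields zero
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, command, 0, flags, 0, 0, 0, 0, 0, b"\0" * 16)

def negotiate_request(dialects, security_mode: int) -> bytes:
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), security_mode, 0, 0, b"\0" * 16, 0)
    return _frame(_smb2_header(0x0000, 0) + body + struct.pack("<%dH" % len(dialects), *dialects))

def negotiate_response(dialect: int, security_mode: int) -> bytes:
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0)  # only the leading fields this parser reads
    return _frame(_smb2_header(0x0000, SMB2_FLAGS_SERVER_TO_REDIR) + body)

SMB1_NEGOTIATE = _frame(SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\0" * 27)
COMPRESSED = _frame(SMB2_COMPRESSION_MAGIC + struct.pack("<IHHI", 4096, 1, 0, 0))  # algorithm 1 = LZNT1
```

Run over a stream of port-445 payloads, a "legacy" hit or a negotiate with `signing_required` false on a server is the finding to act on.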

FAQs

What is the vulnerability of SMB protocol? ›

The SMB vulnerability can let an unauthorized attacker run any code as part of an application. According to the Microsoft advisory, “To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server.

How can we mitigate SMB vulnerability? ›

There are several direct mitigations for securing SMB, many of which are low or no cost to an organization:
  • Update and patch against SMB vulnerabilities.
  • Block SMB at the network level.
  • Restrict and protect SMB at the host level.

What is the SMB protocol all you need to know? ›

The SMB protocol (the Server Message Block) is a network protocol that enables users to communicate with remote computers and servers (e.g., to share resources or files). It's also referred to as the server/client protocol because the server has a resource that it can share with the client.

What are the famous SMB vulnerabilities? ›

Most common SMB exploits:
  • EternalBlue. The EternalBlue vulnerability was discovered by the US National Security Agency (NSA) and published in 2017 by The Shadow Brokers (TSB) hacker group.
  • EternalRomance
  • EternalChampion
  • EternalSynergy
  • SMBGhost (CoronaBlue)
  • EternalRocks
  • WannaCry
  • Petya and NotPetya

Why is SMB a security risk? ›

SMB relay attacks exploit SMB's NTLM authentication, potentially allowing attackers to impersonate users and gain unauthorized access. This attack is facilitated by specific prerequisites such as SMB signing disabled on the target, local network access, and user credentials with remote login permissions.

How to make SMB more secure? ›

Securing SMB protocols is most important for network security.
  1. Update SMB: Use the latest SMB version for security features.
  2. Encrypt SMB: Enable SMB encryption for data protection.
  3. Strong Authentication: Use robust authentication methods.
  4. Firewall Rules: Restrict SMB access via firewalls to trusted IPs.

Is SMB a TCP or UDP protocol? ›

SMB relies on the TCP and IP protocols for transport. This combination allows file sharing over complex, interconnected networks, including the public Internet. The SMB server component uses TCP port 445.

Which SMB protocol is secure? ›

Of the 3 major SMB versions, SMB3 — particularly SMB 3.1.1 — offers the most security. For example, SMB3's secure dialect negotiation limits susceptibility to man-in-the-middle (MITM) attacks, and SMB 3.1.1 uses secure and performant encryption algorithms like AES-128-GCM.

What is better than SMB protocol? ›

SFTP vs SMB: Speed

But SFTP handles large batches or huge files much more efficiently. SMB performance degrades significantly over high latency networks or the internet due to its “chatty” protocol. SFTP's simpler protocol makes it more resilient to network lag over long distances.

What is SMB Ghost vulnerability? ›

SMBGhost affects the latest version of the Server Message Block (SMB) protocol. SMB is a Windows service which is used for remote file and printer sharing. This vulnerability is caused by incorrect handling of data compression in the protocol.

What is SMB signing vulnerability? ›

SMB signing disabled vulnerability is a security vulnerability that allows an attacker to bypass SMB signing and modify the data in transit. This vulnerability can be exploited by attackers to gain unauthorized access to sensitive information or to carry out other malicious activities.

What ports are SMB secure? ›

SMB uses either IP port 139 or 445.
  • Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
  • Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack.

What is the disadvantage of SMB? ›

SMB server limitations

The SMB server does not indicate mount points to the SMB client. This can have the effect that SMB clients query free space in the wrong directory, if different filesets are linked to subfolders in an SMB share.

How insecure is SMB? ›

The SMBv1 protocol is not safe to use. By using this old protocol, you lose protections such as pre-authentication integrity, secure dialect negotiation, encryption, disabling insecure guest logins, and improved message signing.

Article information

Author: Chrissy Homenick
