The importance of behavioral multi-contextual threat detection
A new set of vulnerabilities found in the SAMBA service protocol highlights the need for approaches that go beyond the simple use of static, signature-based defense technologies. The two vulnerabilities have been disclosed as CVE-2018-1050 and CVE-2018-1057. The first, CVE-2018-1050, allows denial of service against printing services through a missing null-pointer check and the resulting crash. The second, CVE-2018-1057, allows unprivileged users to reset other users' passwords, including in environments where SAMBA is used in Active Directory environments. Every version of SAMBA, with the exception of 4.7.6, 4.6.14 and 4.5.16, is affected by both vulnerabilities.
According to the official SAMBA security page, no useful logs currently exist that could be used to monitor password resets; instead, it suggests a number of commands for monitoring this attack.
Figure shows suggested monitoring commands
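Since the advisory says no log records password resets, one practical monitor is to snapshot the `pwdLastSet` attribute of every account on the domain controller and diff consecutive snapshots. The script below is an added example (not the advisory's own commands, which are not reproduced on this page); it assumes LDIF-style input of the kind `ldbsearch` prints for the `sAMAccountName` and `pwdLastSet` attributes, and the two snapshots embedded in it are constructed sample data.

```python
"""Detect password resets on a Samba AD DC by diffing pwdLastSet snapshots.

Added example, not from the Samba advisory or the JASK post. Input is assumed
to be LDIF-style text listing sAMAccountName and pwdLastSet (both real AD
attributes); the snapshots below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here only to build sample data)."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_ldif(text):
    """Map sAMAccountName -> pwdLastSet (int) for each blank-line-separated record."""
    accounts = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # comments and continuation noise are ignored
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "sAMAccountName" in attrs and "pwdLastSet" in attrs:
            accounts[attrs["sAMAccountName"]] = int(attrs["pwdLastSet"])
    return accounts


def find_resets(before, after, privileged=frozenset()):
    """Return accounts whose pwdLastSet changed between two snapshots.

    A reset of a privileged account is rated high so it surfaces first;
    anything else is medium and should be matched against help-desk tickets.
    """
    resets = []
    for account, new_ts in after.items():
        old_ts = before.get(account)
        if old_ts is not None and new_ts != old_ts:
            resets.append({
                "account": account,
                "reset_at": filetime_to_datetime(new_ts).isoformat(),
                "severity": "high" if account in privileged else "medium",
            })
    return resets


# Constructed sample snapshots: Administrator's password is reset between them.
T0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
T1 = datetime(2018, 3, 14, 9, 30, tzinfo=timezone.utc)

SNAPSHOT_BEFORE = f"""# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=internal
sAMAccountName: Administrator
pwdLastSet: {datetime_to_filetime(T0)}

# record 2
dn: CN=alice,CN=Users,DC=example,DC=internal
sAMAccountName: alice
pwdLastSet: {datetime_to_filetime(T0)}
"""

SNAPSHOT_AFTER = f"""# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=internal
sAMAccountName: Administrator
pwdLastSet: {datetime_to_filetime(T1)}

# record 2
dn: CN=alice,CN=Users,DC=example,DC=internal
sAMAccountName: alice
pwdLastSet: {datetime_to_filetime(T0)}
"""

if __name__ == "__main__":
    hits = find_resets(parse_ldif(SNAPSHOT_BEFORE), parse_ldif(SNAPSHOT_AFTER),
                       privileged={"Administrator"})
    for hit in hits:
        print(f"[{hit['severity']}] {hit['account']} password set at {hit['reset_at']}")
```

Run from cron with a real `ldbsearch` export in place of the embedded snapshots; every reset that has no matching help-desk or self-service record is a candidate for investigation, and resets of privileged accounts should page immediately.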
The page also suggests a number of workarounds, but they need to be applied very carefully, as some of them require disabling or deprecating services that are absolutely necessary for many organizations to function on a daily basis. For example, a large company that depends on LDAP for scanning, indexing, and storing documents cannot possibly disable that service as it would practically cease to operate (think about the legal or healthcare industry).
It is important to point out that these vulnerabilities are likely to be used as post-exploitation payloads, as the SMB/SAMBA protocol is not typically exposed to the internet but rather lives inside the perimeter. The biggest threat, however, is still the ability to reset any user's password. This opens the door for malicious actors to pivot, move laterally, or run code within organizations.
Recent cases show that attacking file sharing and printing services is not uncommon, as seen in exploits such as EternalBlue and EternalRed/SambaCry, which caused a large number of compromises and were coupled with ransomware in many campaigns. These vulnerabilities create a scenario where the combination of SAMBA's role as a data hub and the ability to change credentials and then act on them makes them plausible candidates for replicating the attack vectors mentioned above.
Compromised SMB shares can be used for many malicious activities, such as stealing sensitive information, whether at rest or in motion on specific devices. They can also be used to pivot and move laterally from unsuspecting devices (NAS, printers). In addition, many of these devices sit on corporate networks, which may allow attackers armed with these exploits to run code and proceed to activities such as cryptomining or installing ransomware and demanding ransom payments.
The importance of multi-contextual behavioral detection
The above scenarios clearly show that organizations depending solely on static, signature-based defense technologies would likely miss these types of attacks, as there is practically no visibility through logs or even traffic. Usually, the first sign an organization notices is a noisy denial of service attack or a reckless attacker in its environment. However, this approach is passive, with a very low probability of successful recognition.
JASK's ASOC platform possesses several mechanisms to detect these threats. As outlined above, these vulnerabilities are likely to be used as post-exploitation payloads. As such, they can be detected as part of an exploitation chain. This exploitation-chain detection by JASK ASOC allows analysts to piece together a visual representation of the elements related to possible exploitation of SMB/SAMBA services.
Figure Shows JASK ASOC Smart Alert
The above figure shows a JASK ASOC Smart Alert where SMB/SAMBA port/service scanning is detected after a user has connected to a suspicious URL shortener and then accessed a file share that the user had not previously accessed.
Depending on this particular user's patterns and privileges, this may indicate that a post-exploitation payload was used to grant access from the user's account/device to a targeted device running SMB/SAMBA services. The following figure shows this individual signal.
Figure Shows First Seen Access signal
JASK ASOC can also detect port/service scans of SMB/SAMBA services and display a specific and detailed visual interface that provides analysts with situational awareness. The figure below shows origin and targeted ports/services and hosts.
Figure Shows SMB/SAMBA scanning detection
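The chain the Smart Alert and the two signals above describe (URL-shortener visit, SMB port/service scan from the same user's host, then a first-seen share access) can be expressed as plain correlation logic without any vulnerability signature. The code below is an added example written for this page, not JASK's own detection logic: the event records, the shortener watch-list, the baseline of known share access and the thresholds are all constructed assumptions.

```python
"""Multi-signal correlation for the SMB/SAMBA exploitation chain described above.

Added example, not JASK ASOC code. Events, watch-list, baseline and thresholds
are constructed assumptions; the three signals are scored only when they line
up in time for the same user.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}  # constructed watch-list
SCAN_MIN_TARGETS = 5            # distinct hosts on 445 inside SCAN_WINDOW = a scan
SCAN_WINDOW = timedelta(minutes=5)
CHAIN_WINDOW = timedelta(hours=1)  # all three signals must fall inside this


def _t(s):
    return datetime.fromisoformat(s)


def detect_shortener_visits(events):
    """Signal 1: HTTP requests to a URL shortener (weak on its own)."""
    return [e for e in events if e["type"] == "http" and e["domain"] in SHORTENER_DOMAINS]


def detect_smb_scans(events):
    """Signal 2: one source touching >= SCAN_MIN_TARGETS distinct hosts on 445 within SCAN_WINDOW."""
    conns = sorted((e for e in events if e["type"] == "conn" and e["dport"] == 445),
                   key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in conns:
        by_src[e["src"]].append(e)
    scans = []
    for src, lst in by_src.items():
        for i, start in enumerate(lst):  # sliding window anchored at each connection
            window = [e for e in lst[i:] if e["ts"] - start["ts"] <= SCAN_WINDOW]
            targets = {e["dst"] for e in window}
            if len(targets) >= SCAN_MIN_TARGETS:
                scans.append({"src": src, "user": start["user"], "ts": start["ts"],
                              "targets": sorted(targets)})
                break  # one scan record per source is enough
    return scans


def detect_first_seen_share_access(events, baseline):
    """Signal 3: a user opening a share absent from that user's historical baseline."""
    return [e for e in events
            if e["type"] == "share" and e["share"] not in baseline.get(e["user"], set())]


def correlate(events, baseline):
    """Raise one alert per user for whom visit -> scan -> first-seen access occur in order."""
    visits = detect_shortener_visits(events)
    scans = detect_smb_scans(events)
    accesses = detect_first_seen_share_access(events, baseline)
    alerts = []
    for visit in visits:
        deadline = visit["ts"] + CHAIN_WINDOW
        for scan in scans:
            if scan["user"] != visit["user"] or not visit["ts"] <= scan["ts"] <= deadline:
                continue
            for access in accesses:
                if access["user"] == visit["user"] and scan["ts"] <= access["ts"] <= deadline:
                    alerts.append({
                        "user": visit["user"], "host": scan["src"],
                        "shortener": visit["domain"], "scan_targets": scan["targets"],
                        "share": access["share"],
                        "chain": [visit["ts"], scan["ts"], access["ts"]],
                    })
    return alerts


# Constructed sample telemetry: bob's host visits a shortener, sweeps port 445
# across six hosts, then opens a share bob has never used. alice is benign.
EVENTS = [
    {"type": "http", "ts": _t("2018-03-14T09:00:00"), "user": "bob", "src": "10.0.5.23", "domain": "bit.ly"},
    {"type": "http", "ts": _t("2018-03-14T09:01:00"), "user": "bob", "src": "10.0.5.23", "domain": "intranet.example.internal"},
    *[{"type": "conn", "ts": _t("2018-03-14T09:10:00") + timedelta(seconds=i), "user": "bob",
       "src": "10.0.5.23", "dst": f"10.0.8.{i + 1}", "dport": 445} for i in range(6)],
    {"type": "conn", "ts": _t("2018-03-14T09:12:00"), "user": "alice", "src": "10.0.5.40", "dst": "10.0.8.1", "dport": 445},
    {"type": "share", "ts": _t("2018-03-14T09:20:00"), "user": "bob", "src": "10.0.5.23", "share": r"\\fs01\finance"},
    {"type": "share", "ts": _t("2018-03-14T09:25:00"), "user": "alice", "src": "10.0.5.40", "share": r"\\fs01\hr"},
]
BASELINE = {"bob": {r"\\fs01\eng"}, "alice": {r"\\fs01\hr"}}  # constructed history

if __name__ == "__main__":
    for a in correlate(EVENTS, BASELINE):
        print(f"{a['user']}@{a['host']}: {a['shortener']} -> 445 scan of "
              f"{len(a['scan_targets'])} hosts -> first-seen access to {a['share']}")
```

Each signal alone would page too often (shortener visits are routine, and a single first-seen share is often just onboarding); the value is in requiring them to occur in sequence for the same user inside the window, which is what turns three low-fidelity events into one alert worth an analyst's time.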
By providing these simplified situational-awareness items, analysts can spot suspicious activity, and even exploitation, without having the attack signatures, which can be difficult to obtain, as they are vendor-dependent and often subject to publication embargoes.
This approach is far more proactive, simpler and more cost effective, as it does not rely on signatures, and it presents analysts with meaningful suspicious activity that lets them focus on actual threats without having to deal with multiple disparate, proprietary technologies or special vendor training before they can even make sense of an actual threat.
JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.