Corporate Network Credential Harvesting
The US National Cybersecurity and Communications Integration Center (NCCIC) recently advised that all organizations block outbound Server Message Block (SMB) traffic at the firewall: ports 137, 139 and 445.
A recently identified attack abuses Windows' ability to log on automatically to a remote device when connecting to a share.
This is convenient when connecting to devices within your corporate network; when an attacker triggers it, however, it is a huge security hole.
The attacker sends an email or spear-phishing message containing an attachment or a link to a remote server. When the file is opened or the link clicked, or in some cases even when the email itself is opened, the Windows workstation sends a hash derived from your credentials (the NTLM challenge-response) to the remote share in an attempt to authenticate automatically.
The remote server simply captures that hash, and with any of the many freely available tools on the internet the attacker can crack it offline to recover the user's credentials.
We cannot think of any legitimate reason you should be sending SMB traffic outside your corporate firewall, so we strongly recommend you block all outbound SMB traffic at your firewalls.
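One way to confirm the block is in place, and to spot workstations that have already tried to authenticate outward, is to scan firewall logs for connections to ports 137, 139 or 445 whose destination lies outside the corporate address space. The following is an added example, not code from the original post; it assumes a simple constructed log line format and treats the RFC 1918 ranges as "inside".

```python
"""Flag outbound SMB/NetBIOS connection attempts that leave the corporate network.

Added example (not from the original post). Assumes a constructed log format:
"<timestamp> <ALLOW|BLOCK> <src_ip>:<src_port> -> <dst_ip>:<dst_port>/<TCP|UDP>"
and treats the RFC 1918 ranges as the corporate network (an assumption).
"""
import ipaddress
import re

SMB_PORTS = {137, 139, 445}  # NetBIOS name/session service and direct-hosted SMB

# Assumed definition of "inside": the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|BLOCK)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>TCP|UDP)$"
)


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_outbound_smb(lines):
    """Return (timestamp, src, dst, port, action) for every attempt to reach an
    SMB/NetBIOS port on an external destination. An ALLOW hit means the outbound
    block recommended above is missing; a BLOCK hit still deserves a look, because
    the source workstation tried to authenticate to something on the internet."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        port = int(m["dport"])
        if port in SMB_PORTS and not is_internal(m["dst"]):
            hits.append((m["ts"], m["src"], m["dst"], port, m["action"]))
    return hits


# Constructed sample log: one legitimate internal share access, two outward attempts,
# and one ordinary HTTPS connection that should not be flagged.
SAMPLE_LOG = [
    "2019-03-04T10:01:02Z ALLOW 10.1.2.3:51000 -> 10.1.5.20:445/TCP",
    "2019-03-04T10:01:09Z ALLOW 10.1.2.3:51001 -> 203.0.113.10:445/TCP",
    "2019-03-04T10:01:09Z BLOCK 10.1.2.3:137 -> 203.0.113.10:137/UDP",
    "2019-03-04T10:02:11Z ALLOW 10.1.2.3:51002 -> 93.184.216.34:443/TCP",
]

if __name__ == "__main__":
    for hit in flag_outbound_smb(SAMPLE_LOG):
        print("outbound SMB attempt:", hit)
```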
Ashley Leonard, CEO