Shut Down SMBv1, Already!

Ok, what is SMBv1?

SMBv1 (or SMB1) was the first version of the popular SMB/CIFS file sharing network protocol that nearly ALL enterprise personnel use on a daily basis. Remember when you used Windows PCs, and had the "X" drive or the "Z" drive that you could use to just store files "up on the network"? Anytime you moved files between the "network drive" and your local Windows PC, you were using SMB/CIFS under the covers.

There have been a couple different versions of SMB/CIFS over the years. Most predominate nowadays is the SMB2 version (and in many organizations now the SMB3 version). SMB1 was developed nearly 30 years ago. Many of our customers and employees weren't even born then!

The bottom line here is that anything that old in the era of "Internet" or "Networking" was quite likely designed without security in mind.

How can SMB1 be exploited for a ransomware attack?

There are TONS of vulnerabilities with SMB1. Wannacry and Petya were prime examples of malware that took advantage of SMB1's weaknesses. If you recall, there was a group called the "Shadowbrokers" that unleashed a whole bunch of vulnerabilities (e.g. ETERNALBLUE, DOUBLE PULSAR, ETERNALROMANCE, etc.). ALL of these were vulnerabilities with SMB1.

What would a hypothetical attack using this vulnerability look like?

It's not hypothetical. It's already happened -> Wannacry, Petya.

How can ExtraHop help remediate this vulnerability?

When Wannacry was discovered, Microsoft quickly released patches to fix the various exploits (e.g. ETERNALBLUE, DOUBLE PULSAR, etc.). That said, much of the prevailing wisdom within security circles is that it's just a matter of time before there are NEW exploits discovered with SMB1. Ultimately, you risk another Wannacry... or worse.

So if SMB1 is old, and full of KNOWN exploits, it really makes sense to move away from this legacy protocol in favor of the newer SMB2 or SMB3 variants.

The problem is, it's pretty difficult to know exactly which machines within an enterprise are still using SMB1. That's where we come in. Based on our SMB/CIFS protocol analysis, we can pretty easily tell our customers which machines are running this legacy protocol. Once they know where it is in use, it's a pretty straightforward process to disable it.

I'd recommend you peruse this article published by Microsoft. It does get fairly into the weeds, but the tone/language used in the article, by Microsoft no less, implies that customers REALLY REALLY need to disable SMB1 and move to the newer SMB2/SMB3 protocols.

If you're an existing ExtraHop customer, it's pretty easy to audit your environment for SMB1. Click here and follow the instructions to install our bundle for detecting SMB/CIFS versions. And as always, feel free to contact your ExtraHop account team or Technical Support for questions or assistance.