BLOG: 12 Vulnerabilities of Christmas – CVE-2020-0796 A.K.A SMBGhost
CVE-2020-0796 is a critical vulnerability affecting the SMB protocol originally disclosed in March 2020. Due to its potential “wormability” similar to the EternalBlue vulnerability used by WannaCry to rapidly spread, threat actors have been using it to target vulnerable organisations. Orpheus has calculated a maximum 100/100 Orpheus Vulnerability Score (OVS) due to the ease of exploit and its potential impact.
CVE-2020-0796, aka “SMBGhost” or “CoronaBlue”, is a vulnerability affecting different versions of Windows 10 and Windows server which stems from a vulnerability in the SMBv3 file-sharing protocol. SMBGhost allows threat actors to achieve Remote Code Execution (RCE) on compromised hosts through a specially crafted SMBv3 packet sent from an SMB server controller by attackers. Initial details around the vulnerability were accidentally leaked by Microsoft through a security advisory, alerting researchers that a new vulnerability would be patched in the coming days.
Microsoft then patched the vulnerability on 12 March, re-uploading the leaked advisory. The initial leak stoked the fears of researchers, who raised concerns around this potentially “wormable” vulnerability which would allow threat actors to effectively compromise a series of hosts autonomously. Malware would be able to contagiously continue spreading from one network to the other, similarly to malware leveraging CVE-2019-0708, which was the object of one of the earlier blogs of this series.
As with other CVEs examined in this series, crypto-jacking malware and associated threat actors were the first actors to leverage the vulnerability. A known cyptojacking malware dubbed “Lemon_Duck” rapidly integrated the SMBGhost exploit into its arsenal, with signs of the vulnerability being exploited by the malware as early as June 2020. This further demonstrates that opportunistic threat actors like cypto-jacking cybercriminals are usually the fastest actors to operationalize severe vulnerabilities in order to gain an advantage on their competitors. More sophisticated actors, such as state espionage units, are likely to have integrated the exploit into their arsenal but will be disciplined with its potential exploitation, for example in the context of a cyber espionage operation, or chain it with other vulnerabilities.
Orpheus analysts have been able to explore recent activity around malware uploaded to the repository VirusTotal that integrate the SMBGhost exploit, and were able to find 963 distinct malware samples uploaded to the platform in the last 3 months that leverage the vulnerability. Among these, a large number have been attributed to ransomware strains like Gandcrab, indicating that ransomware operators have integrated the exploit into their arsenal as well. While Gandcrab claims to be defunct, the re-use of its code in newer strains like Sodinokibi may indicate that these samples are indeed related to the latter.
Figure 1: Malware signature detection of malware using SMBGhost in the last 3 months- Ransomware strains derived from Gandcrab remain the main signature detected
Figure 1: Malware signature detection of malware using SMBGhost in the last 3 months- Ransomware strains derived from Gandcrab remain the main signature detected
While these samples indicate that current exploitation of SMBGhost is indeed continuing long after the initial publication of the vulnerability and associated exploits, we can see from the volume of samples submitted in the last three months that this is a decreasing trend. This may be due to an increasing number of organisations patching vulnerable servers, which provides less incentive for threat actors to exploit the vulnerability in their malware. While active development of malware strains leveraging CVE-2020-0796 continues, we assess that threat actors are likely to focus on leveraging other critical vulnerabilities in the future.
Figure 2: While interest in exploiting SMBGhost remains high, the volume of malware including related exploits is receding over time as organisations patch vulnerable hosts
Continued interest in the vulnerability of cybercriminals is made evident by activity on the dark web, as cybercriminals continue discussing the vulnerability and how to successfully exploit it. The following forum Russian-speaking members were seen discussing the vulnerability and sharing exploit code in September:
Figure 2: While interest in exploiting SMBGhost remains high, the volume of malware including related exploits is receding over time as organisations patch vulnerable hosts
In addition to continued interest by threat actors to exploit this vulnerability, a significant number of hosts worldwide are still vulnerable to SMBGhost. Shodan data shows that 128,382 hosts worldwide are still vulnerable, with a majority located in Taiwan (29,459), Japan (26,493), Russia (15,280) and the United States (9,299).
Figure 3: Russian-speaking members of an underground forum discussing SMBGhost exploit code
In light of continued interest by cybercriminals, ongoing development of malware leveraging SMBGhost exploits, and a significant number of vulnerable hosts worldwide, Orpheus has attributed a maximum OVS score of 100/100 to CVE-2020-0796.
In light of continued exploitation of this critical vulnerability, we recommend that organisations using Windows 10 or Windows Server 2016 apply the following mitigation tactics:
Use relevant scanners to determine if your systems are vulnerable to SMBGhost in order prioritize further mitigation and patching[1][2][3]
Get our latest cyber intelligence insights straight into your inbox
Fill out the short form below to subscribe to our newsletter so that you never miss out on
our cyber intelligence insights and news.
Privacy Overview
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Strictly Necessary Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features. These must be enabled at all times, so that we can save your preferences.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
If you do not enable Strictly Necessary Cookies, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Request Demo Access
Fill out your details below and we'll be in touch to arrange demo access for you as soon as
possible.
