Thursday 10th December 2020

BLOG: 12 Vulnerabilities of Christmas – CVE-2020-0796 A.K.A SMBGhost

CVE-2020-0796 is a critical vulnerability affecting the SMB protocol originally disclosed in March 2020. Due to its potential “wormability” similar to the EternalBlue vulnerability used by WannaCry to rapidly spread, threat actors have been using it to target vulnerable organisations. Orpheus has calculated a maximum 100/100 Orpheus Vulnerability Score (OVS) due to the ease of exploit and its potential impact.

CVE-2020-0796, aka “SMBGhost” or “CoronaBlue”, is a vulnerability affecting different versions of Windows 10 and Windows server which stems from a vulnerability in the SMBv3 file-sharing protocol. SMBGhost allows threat actors to achieve Remote Code Execution (RCE) on compromised hosts through a specially crafted SMBv3 packet sent from an SMB server controller by attackers.  Initial details around the vulnerability were accidentally leaked by Microsoft through a security advisory, alerting researchers that a new vulnerability would be patched in the coming days.

Microsoft then patched the vulnerability on 12 March, re-uploading the leaked advisory. The initial leak stoked the fears of researchers, who raised concerns around this potentially “wormable” vulnerability which would allow threat actors to effectively compromise a series of hosts autonomously. Malware would be able to contagiously continue spreading from one network to the other, similarly to malware leveraging CVE-2019-0708, which was the object of one of the earlier blogs of this series. 

As with other CVEs examined in this series, crypto-jacking malware and associated threat actors were the first actors to leverage the vulnerability. A known cyptojacking malware dubbed “Lemon_Duck” rapidly integrated the SMBGhost exploit into its arsenal, with signs of the vulnerability being exploited by the malware as early as June 2020. This further demonstrates that opportunistic threat actors like cypto-jacking cybercriminals are usually the fastest actors to operationalize severe vulnerabilities in order to gain an advantage on their competitors. More sophisticated actors, such as state espionage units, are likely to have integrated the exploit into their arsenal but will be disciplined with its potential exploitation, for example in the context of a cyber espionage operation, or chain it with other vulnerabilities.

Orpheus analysts have been able to explore recent activity around malware uploaded to the repository VirusTotal that integrate the SMBGhost exploit, and were able to find 963 distinct malware samples uploaded to the platform in the last 3 months that leverage the vulnerability. Among these, a large number have been attributed to ransomware strains like Gandcrab, indicating that ransomware operators have integrated the exploit into their arsenal as well. While Gandcrab claims to be defunct, the re-use of its code in newer strains like Sodinokibi may indicate that these samples are indeed related to the latter.

Figure 1: Malware signature detection of malware using SMBGhost in the last 3 months- Ransomware strains derived from Gandcrab remain the main signature detected 

Figure 1: Malware signature detection of malware using SMBGhost in the last 3 months- Ransomware strains derived from Gandcrab remain the main signature detected

While these samples indicate that current exploitation of SMBGhost is indeed continuing long after the initial publication of the vulnerability and associated exploits, we can see from the volume of samples submitted in the last three months that this is a decreasing trend. This may be due to an increasing number of organisations patching vulnerable servers, which provides less incentive for threat actors to exploit the vulnerability in their malware. While active development of malware strains leveraging CVE-2020-0796 continues, we assess that threat actors are likely to focus on leveraging other critical vulnerabilities in the future.

Figure 2: While interest in exploiting SMBGhost remains high, the volume of malware including related exploits is receding over time as organisations patch vulnerable hosts 

Continued interest in the vulnerability of cybercriminals is made evident by activity on the dark web, as cybercriminals continue discussing the vulnerability and how to successfully exploit it. The following forum Russian-speaking members were seen discussing the vulnerability and sharing exploit code in September:

Figure 2: While interest in exploiting SMBGhost remains high, the volume of malware including related exploits is receding over time as organisations patch vulnerable hosts 

In addition to continued interest by threat actors to exploit this vulnerability, a significant number of hosts worldwide are still vulnerable to SMBGhost. Shodan data shows that 128,382 hosts worldwide are still vulnerable, with a majority located in Taiwan (29,459), Japan (26,493), Russia (15,280) and the United States (9,299).

Figure 3: Russian-speaking members of an underground forum discussing SMBGhost exploit code 

In light of continued interest by cybercriminals, ongoing development of malware leveraging SMBGhost exploits, and a significant number of vulnerable hosts worldwide, Orpheus has attributed a maximum OVS score of 100/100 to CVE-2020-0796.

In light of continued exploitation of this critical vulnerability, we recommend that organisations using Windows 10 or Windows Server 2016 apply the following mitigation tactics:

  • Use relevant scanners to determine if your systems are vulnerable to SMBGhost in order prioritize further mitigation and patching[1] [2] [3]
  • Apply official Microsoft patches on vulnerable hosts
  • Apply recommended workarounds such as the following PowerShell command, which will disable SMB compression:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force




Get our latest cyber intelligence insights straight into your inbox every week

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.