SMB.Attack.Bruteforce

[Paneliya Mehulkumar 0]

 

[itman 1,659]

Verify that source IP address is one within your local subnet address range. Appears it is.

The source device is repeatedly trying to logon to the target IP address device and failing. This could be due to malware present on the source device. Or, an attacker that has gained remote access to the source device and from it is attempting to gain access to the target device.

[Marcos 5,074]

If you believe that what Itman wrote cannot be the case, you can enable advanced logging under Help and support -> Technical support, reboot the machine, reproduce the detection, stop logging and collect logs with ESET Log Collector. When done, provide ELC logs for perusal.

[Paneliya Mehulkumar 0]

On 12/26/2021 at 5:26 PM, Marcos said:

If you believe that what Itman wrote cannot be the case, you can enable advanced logging under Help and support -> Technical support, reboot the machine, reproduce the detection, stop logging and collect logs with ESET Log Collector. When done, provide ESET Log Collector logs for perusal.

How can i give you logs ? I want to share ESVC & ESET Log Collector logs with eset technical support

[Nightowl 202]

2 hours ago, Paneliya Mehulkumar said:

How can i give you logs ? I want to share ESVC & ESET Log Collector logs with eset technical support

Logs that are uploaded to the forum can only be accessed by ESET Staff , or you could send it to one of their staff through Private Message , if it wasn't possible to upload it to the forum due to the file size , you can upload it to some websites like Google Drive and share the link also with ESET staff

[Paneliya Mehulkumar 0]

SVinod.rar

[Marcos 5,074]

The detection is correct, there's a brute-force SMB attack being performed on 172.17.5.69 against 172.17.5.68:

[Paneliya Mehulkumar 0]

What is the solution for this?

[Marcos 5,074]

4 minutes ago, Paneliya Mehulkumar said:

What is the solution for this?

You should find out why is the attack happening; what is running there that could be causing it.

[Paneliya Mehulkumar 0]

that means you don't have solution ?

 

Can you take remote & check what is happning 

Edited February 28, 2022 by Paneliya Mehulkumar

[Marcos 5,074]

You can try uninstalling  "Winsent Innocenti 3.0.3".

The attacks are performed under the account svk\ST81$, no clue what it could be,

 

[Paneliya Mehulkumar 0]

I have uninstalled and restarted both systems but problem is same

report (13).zip

[itman 1,659]

Do you have SMB ver. 1 disabled on the client devices?

[itman 1,659]

8 hours ago, Marcos said:

You can try uninstalling  "Winsent Innocenti 3.0.3".

Also of note is this software might not be compatible with Win 10:

Quote

Winsent Innocenti works in any version of Windows (8/7/Vista/XP/2000).

https://www.winsentmessenger.com/innocenti/

[Paneliya Mehulkumar 0]

Disabling sbm1 resolved the issue for this system. but we have more systems with the same issue which have different os. sending you logs for two more systems that have win7 and win8 

[Marcos 5,074]

You should find out what is the svk\dkpdkk account which is used in the SMB attack:

 

[itman 1,659]

6 hours ago, Paneliya Mehulkumar said:

but we have more systems with the same issue which have different os. sending you logs for two more systems that have win7 and win8 

This Microsoft article shows how to disable SMBv1 for WIn7/8 plus server OS's: https://docs.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

Additional ref.: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 .

Note this section if applicable to you:

Quote

Explorer Network Browsing

The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka "Network Neighborhood"). This legacy protocol is long deprecated, doesn't route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.

 

Edited March 1, 2022 by itman

[itman 1,659]

I will also add that there are know vulnerabilities that exist for SMBv2 such as this one: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0633 . Most well known is the EternalBlue; aka Wanacry episode, exploit that attacked vulnerable SMBv2 OS versions.

Microsoft has issued patches for these for SMBv2 vulnerabilities for supported OS versions. Time you seriously considering updating your unsupported OS versions.

Edited March 1, 2022 by itman

[Marcos 5,074]

Neither ELC nor ESVC logs were collected with the latest version of the tools so some information and data was not available to me.

For instance, on PG14 I've found the following:

User Account Control (UAC) is disabled.
Recommended action: Enable UAC

Logon events auditing is probably partially (or fully) disabled.
Recommended action: Enable (Launch secpol.msc and in Local Policies -> Audit Policy -> Audit logon events, check both Success and Failure.)

The following critical patches may be missing:
- MS17-010, codename "EternalBlue"  (https://technet.microsoft.com/en-us/library/security/MS17-010)

 

 

[Paneliya Mehulkumar 0]

On 2/28/2022 at 8:28 PM, itman said:

Do you have SMB ver. 1 disabled on the client devices?

Sorry for wrong observation, but disabling smb1 not resolved issue. Still both system (172.17.5.68>172.17.5.69) have smb attack.

Edited March 2, 2022 by Paneliya Mehulkumar

[Paneliya Mehulkumar 0]

we have collected logs using latest tool & please check

[itman 1,659]

As a temporary measure, you can create an Eset firewall rule for the device associated with IP address, 172.17.5.68, to block all outbound TCP network traffic for port 445. Set the logging level for the rule to warning to record all events in the Eset Network protection log. Move the rule to the top of the existing Eset firewall rule set. This might yield the source process behind this activity.

Quote

The following critical patches may be missing:
- MS17-010, codename "EternalBlue"  (https://technet.microsoft.com/en-us/library/security/MS17-010)

Have you verified that this Windows update has been applied to the above device and for that matter, all devices on your network? 

[itman 1,659]

I will also note that all the screen shots posted to date show a SMBv2 based attack.

Below are links to Microsoft update patches for all known SMBv2 vulnerabilities. If these have not been applied to the noted affected OS versions, you can be exploited by any of these.

Whereas Eset will detect a known exploit attempt and block it, the only way to prevent the exploit activity from occurring is to apply these updates.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0633

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0630

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8444

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0833

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0016

Below are additional SMB vulnerabilities not exclusive to SMBv2:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1206

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28325

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36960

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36972

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36974

Edited March 2, 2022 by itman

[Paneliya Mehulkumar 0]

On 3/2/2022 at 7:17 PM, itman said:

As a temporary measure, you can create an Eset firewall rule for the device associated with IP address, 172.17.5.68, to block all outbound TCP network traffic for port 445. Set the logging level for the rule to warning to record all events in the Eset Network protection log. Move the rule to the top of the existing Eset firewall rule set. This might yield the source process behind this activity.

Have you verified that this Windows update has been applied to the above device and for that matter, all devices on your network? 

We have created a firewall rule as per your instruction & collected logs again ,check it

[Marcos 5,074]

Asking again, what is the account svk\dkpdkk which is performing the brute-force attack?