Jump to content

Smb.attack.bruteForce


Recommended Posts

Hello,

Out IT shared this document with us saying that one of our computers tried to attach some other computer in the network. But the date is 25 October which is future. Is it possible that this detection was an error?

Best,

Ali from university of Zurich, brain research institute 

DOC-20221022-WA0000..pdf

Link to comment
Share on other sites

  • Administrators

It's unlikely to be FP, the brute-force attack should be visible also in a pcap log created without ESET being installed.

Link to comment
Share on other sites

When we run the ESET, it does not detect any malware in the computer that reported to be causing the brute-force attack. Is this normal?

 

Link to comment
Share on other sites

  • Administrators

It's normal. The brute-force attack can be caused by the user himself by repeatedly trying to authorize with an invalid password.

Link to comment
Share on other sites

So it may not be a malware? Even if we are sure that no human user did an attack? 

Edited by argunsah
Link to comment
Share on other sites

14 hours ago, argunsah said:

But the date is 25 October which is future.

Re-sync Windows time setting on the device showing this date. Wrong time settings in Windows can cause all kinds of issues.

Link to comment
Share on other sites

19 hours ago, Marcos said:

It's normal. The brute-force attack can be caused by the user himself by repeatedly trying to authorize with an invalid password.

IT said there was no user involved. They wrote: This is an System attack on the RDP port, there is no need for a logged-in User. 

Link to comment
Share on other sites

17 hours ago, itman said:

Re-sync Windows time setting on the device showing this date. Wrong time settings in Windows can cause all kinds of issues.

IT people did not comment on the date of their report being in the future yet. We cannot re-detect the malware if there ever was one and cannot have any further info yet. So frustrating.

Link to comment
Share on other sites

  • Administrators
19 minutes ago, argunsah said:

IT people did not comment on the date of their report being in the future yet. We cannot re-detect the malware if there ever was one and cannot have any further info yet. So frustrating.

We might be able to get more info from system logs from the machine that was "brute-force attacked". Will send you more info via a personal message momentarily.

Link to comment
Share on other sites

4 hours ago, argunsah said:

IT said there was no user involved. They wrote: This is an System attack on the RDP port, there is no need for a logged-in User. 

My best guess as to the source of the SMB attack is shown in the below MalwareBytes article excerpt. Namely, there is an infected device on the corp. network that is initiating the SMB attack. I would start with a through inspection of the device showing an invalid date.

Quote

Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.

One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.

https://www.malwarebytes.com/blog/news/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread

SMB processing uses the SMB protocol. Assumed is this is what Eset is keying off of to determine this was a SMB attack. The SMB protocol uses ports 139 and 445.

What is possible is there was a successful external network RDP attack. This set the stage for a subsequent malware infection that performed the SMB attack.

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...