Smb.attack.bruteForce

[argunsah 0]

Hello,

Out IT shared this document with us saying that one of our computers tried to attach some other computer in the network. But the date is 25 October which is future. Is it possible that this detection was an error?

Best,

Ali from university of Zurich, brain research institute 

DOC-20221022-WA0000..pdf

[Marcos 5,071]

It's unlikely to be FP, the brute-force attack should be visible also in a pcap log created without ESET being installed.

[argunsah 0]

When we run the ESET, it does not detect any malware in the computer that reported to be causing the brute-force attack. Is this normal?

 

[Marcos 5,071]

It's normal. The brute-force attack can be caused by the user himself by repeatedly trying to authorize with an invalid password.

[argunsah 0]

So it may not be a malware? Even if we are sure that no human user did an attack? 

Edited October 23, 2022 by argunsah

[itman 1,659]

14 hours ago, argunsah said:

But the date is 25 October which is future.

Re-sync Windows time setting on the device showing this date. Wrong time settings in Windows can cause all kinds of issues.

[argunsah 0]

19 hours ago, Marcos said:

It's normal. The brute-force attack can be caused by the user himself by repeatedly trying to authorize with an invalid password.

IT said there was no user involved. They wrote: This is an System attack on the RDP port, there is no need for a logged-in User. 

[argunsah 0]

17 hours ago, itman said:

Re-sync Windows time setting on the device showing this date. Wrong time settings in Windows can cause all kinds of issues.

IT people did not comment on the date of their report being in the future yet. We cannot re-detect the malware if there ever was one and cannot have any further info yet. So frustrating.

[Marcos 5,071]

19 minutes ago, argunsah said:

IT people did not comment on the date of their report being in the future yet. We cannot re-detect the malware if there ever was one and cannot have any further info yet. So frustrating.

We might be able to get more info from system logs from the machine that was "brute-force attacked". Will send you more info via a personal message momentarily.

[itman 1,659]

4 hours ago, argunsah said:

IT said there was no user involved. They wrote: This is an System attack on the RDP port, there is no need for a logged-in User. 

My best guess as to the source of the SMB attack is shown in the below MalwareBytes article excerpt. Namely, there is an infected device on the corp. network that is initiating the SMB attack. I would start with a through inspection of the device showing an invalid date.

Quote

Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.

One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.

https://www.malwarebytes.com/blog/news/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread

SMB processing uses the SMB protocol. Assumed is this is what Eset is keying off of to determine this was a SMB attack. The SMB protocol uses ports 139 and 445.

What is possible is there was a successful external network RDP attack. This set the stage for a subsequent malware infection that performed the SMB attack.

Edited October 24, 2022 by itman