SMB.Attack.Bruteforce


Recommended Posts

Hello,

I got an ESET notification on a Windows server this morning about "SMB.Attack.Bruteforce":

Event : Security vulnerability exploitation attempt
Action : Blocked
Source : [fe80::350:xxxxxxxxxxx]:60384
Target : [fe80::26e3xxxxxxxxxxx]:445
Protocol : TCP
Rule : SMB.Attack.Bruteforce
Application : System

Do you have any idea what could be causing this alert?

Thanks in advance.

Regards


  • Administrators

The machine fe80::350:xxxxxxxxxxx attempted to log in for a share 40 times using an invalid U/P in less than 10 minutes.


Thanks for your answer.

What do you mean by U/P? User/Pwd?

How do I find the machine fe80::350:xxxxxxxxxxx? It's an IPv6 address, and I only use IPv4 addresses.


  • Administrators

If one attempts to access an SMB share, the system requires a username and password to allow access. You should see the brute-force attack in a Wireshark log as well.


4 hours ago, Tchenkko said:

How do I find the machine fe80::350:xxxxxxxxxxx? It's an IPv6 address, and I only use IPv4 addresses.

Refer to this posting regarding how malware can install an IPv6 network interface: https://www.malwarebytes.com/blog/news/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread

Quote

Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.

One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.

Edited by itman

25 minutes ago, Tchenkko said:

How are you sure it is malware?

I have checked the machine with ESET and MBAM, and found nothing.

At this point, I am not sure the source is malware based; I just gave an example.

Check the server's network adapter settings in Windows. Is IPv6 enabled?


  • Administrators

If you can reproduce the detection, carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Reproduce the detection (should not take long to keep the logs relatively small)
  3. Stop logging
  4. Collect logs with ESET Log Collector and upload the generated archive here.

IPv6 was activated. I have disabled it.

After a few hours, the same alert, but with an IPv4 address.

In my Windows Server logs, I can see many entries in the Security event log:

Audit failure (event ID 4625): NULL SID, unknown user name or bad password, NtLmSsp
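The admin's description of the rule (40 failed logons from one source in under 10 minutes) and the 4625 audit failures above line up naturally. The following is an added example, not code from the thread or from ESET: it applies that same sliding-window threshold to records shaped like event 4625 fields (time, source network address, target account, authentication package) and reports which sources cross it and whether they hammered a single account (the pattern a misconfigured client retrying a share it is denied on produces) or many accounts (password guessing). The event records are constructed sample data and the addresses are placeholders; the threshold and window are parameters so they can be matched to whatever the product actually uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security event 4625
# (audit failure) fields. Values are made up for this example; the
# fe80:: address is a placeholder, not the one from the thread.
T0 = datetime(2024, 1, 15, 8, 0, 0)


def make_events():
    events = []
    # 45 failures from one link-local source, one account, within 5 minutes:
    # what a client repeatedly retrying a share it is denied on looks like.
    for i in range(45):
        events.append({
            "time": T0 + timedelta(seconds=6 * i),
            "source": "fe80::350:aaaa:bbbb:cccc",
            "account": "jdoe",
            "package": "NTLM",
        })
    # 3 failures from an IPv4 host against different accounts: below threshold
    # at the 40/10-minute setting, but a different shape (many accounts).
    for i, acct in enumerate(["admin", "backup", "scanner"]):
        events.append({
            "time": T0 + timedelta(minutes=20 + i),
            "source": "10.0.0.23",
            "account": acct,
            "package": "NTLM",
        })
    return events


def find_bruteforce_sources(events, threshold=40, window=timedelta(minutes=10)):
    """Return {source: info} for every source that produced at least
    `threshold` failures inside any span shorter than `window`.
    A sliding window is kept per source over time-sorted events."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)

    hits = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Drop events from the front until the span is shorter than the window.
            while evs[end]["time"] - evs[start]["time"] >= window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                accounts = sorted({e["account"] for e in evs[start:end + 1]})
                hits[src] = {
                    "count": count,
                    "first": evs[start]["time"],
                    "last": evs[end]["time"],
                    "accounts": accounts,
                    # One account retried over and over points at a client
                    # configuration issue; many accounts points at guessing.
                    "kind": "single-account retry" if len(accounts) == 1
                            else "multi-account guessing",
                }
                break  # first crossing is enough to flag this source
    return hits


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(make_events()).items():
        print(f"{src}: {info['count']} failures between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S}, accounts={info['accounts']} "
              f"({info['kind']})")
```

On a real server the records would come from the Security log (event ID 4625, the "Source Network Address" and "Account Name" fields) rather than from `make_events()`. When the flagged source is a link-local IPv6 address, as in this thread, the server's own neighbor cache maps it to a MAC address, which is usually enough to identify the client on the LAN.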


5 hours ago, Tchenkko said:

After a few hours, the same alert, but with an IPv4 address.

Is the source or target IPv4 address a multicast one, i.e. 224.xxx.xxx.xxx?


I finally found the origin of the problem. In fact, I have a user who opened an AutoCAD file, but this file included a link to another reference file stored on a network share the user is not allowed to access. ESET was intercepting 50+ attempts to access the directory as an SMB brute-force attempt. And, with no luck, the user had IPv6 enabled, so I couldn't figure out which machine was messing up. So no trace of malware for now, but an improbable configuration... Thanks, guys, for your advice and your time.

And have a good day!
