"BadTunnel" Social Engineering Attack Hijacks Your Network Traffic



A researcher in China has discovered a design flaw in Microsoft Windows that affects every version of the operating system, including Windows 10, and lets an attacker hijack your organization's network traffic through NetBIOS spoofing, triggered by a simple social engineering attack. It can be exploited silently with a near-perfect success rate.

The scenario is very simple: the bad guy uses social engineering to trick an employee into visiting a malicious web page in IE or Edge, or into opening a specially crafted Office document. The attacker's server poses as a file server or a local print server, but in the background it hijacks your network traffic, including things like Windows Update.

“This vulnerability has a massive security impact – probably the widest impact in the history of Windows,” Yang Yu, director of Xuanwu Lab of Tencent in Beijing, said in an interview with DarkReading conducted via email. “It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years.”

Microsoft this week issued a patch for the so-called “BadTunnel” bug found by Yu. He says BadTunnel can be exploited through many third-party applications, web pages, emails, USB flash drives and other channels, and that it can even affect web servers and SQL servers. More details can be found on Tencent's site, and Yu will detail and demonstrate his complete findings on the Windows flaw in August at Black Hat USA in Las Vegas in his presentation “BadTunnel: How Do I Get Big Brother Power?”


The expert classified BadTunnel as a technique for NetBIOS spoofing across networks, meaning an attacker can use it to get at network traffic without ever being on the victim's network. The technique is insidious and hard to detect because it involves no malicious code, and it works straight through firewalls and Network Address Translation (NAT) devices.

BadTunnel chains a series of security weaknesses: how Windows resolves network names and which responses it accepts; how IE and Edge handle web pages with embedded content; how Windows handles network paths given by IP address; how NetBIOS Name Service NB and NBSTAT queries handle transactions; and how Windows handles both kinds of query on the same UDP port (137). Taken together, they make the network vulnerable to a BadTunnel attack. DarkReading has the technical details on the attack scenario; it's a recommended read.
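To make the last two weaknesses concrete, here is an added example in Python. It is not code from the article, from Tencent Xuanwu Lab or from Microsoft. It parses and builds NetBIOS Name Service packets (UDP 137, RFC 1002), which shows that an NB name query and an NBSTAT node-status query share one header whose only correlation field is the 16-bit transaction ID, and it then runs a small detector over constructed flow records that flags what a cross-network NetBIOS spoofing attack has to do on the wire: make the victim send a NetBIOS query to an address outside its subnet, then answer a later query from outside that subnet with a matching ID. The 10.0.0.0/24 subnet, the host addresses, the transaction IDs, and the use of WPAD (the proxy-autodiscovery name, which the article does not mention by name) as the spoofed name are all assumptions for the demonstration; how the attacker learns a usable transaction ID is outside the example.

```python
"""NBNS (NetBIOS Name Service, UDP/137, RFC 1002) parser and a flow-level detector
for NetBIOS traffic crossing the subnet boundary. Added example for this article,
not code from the page, Tencent Xuanwu Lab or Microsoft; all packets and flows are
constructed, and the subnet and host addresses are assumptions."""
import ipaddress
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020      # name query
QTYPE_NBSTAT = 0x0021  # node status query, sent when an SMB path is opened
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed victim subnet

def encode_name(name, suffix=0x00, pad=b" "):
    """RFC 1001 first-level encoding: 15 name bytes + suffix, each split into two
    nibbles offset by 'A', wrapped as a single 32-byte DNS label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    half = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + half + b"\x00"

def decode_name(data, off):
    """Inverse of encode_name; returns (name, suffix, offset after the label)."""
    if data[off] != 0x20 or data[off + 33] != 0x00:
        raise ValueError("only unscoped 32-byte NetBIOS labels are handled")
    half = data[off + 1:off + 33]
    raw = bytes(((half[i] - 0x41) << 4) | (half[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15], off + 34

def build_query(trn_id, name, qtype, broadcast):
    """NB queries set RD (and B when broadcast); NBSTAT uses the '*' name padded with NULs."""
    flags = 0x0100 if qtype == QTYPE_NB else 0x0000
    flags |= 0x0010 if broadcast else 0
    pad = b"\x00" if qtype == QTYPE_NBSTAT else b" "
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)
    return header + encode_name(name, pad=pad) + struct.pack(">HH", qtype, 1)

def build_positive_response(trn_id, name, ip):
    """Positive name response: flags R|AA|RD, one NB RR whose RDATA is NB_FLAGS + IPv4."""
    header = struct.pack(">HHHHHH", trn_id, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + ipaddress.IPv4Address(ip).packed
    rr = encode_name(name) + struct.pack(">HHIH", QTYPE_NB, 1, 300, len(rdata)) + rdata
    return header + rr

def parse_packet(data):
    """Parse header, question section and NB answer RRs of an NBNS packet."""
    trn_id, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    pkt = {"trn_id": trn_id, "response": bool(flags & 0x8000),
           "broadcast": bool(flags & 0x0010), "questions": [], "answers": []}
    off = 12
    for _ in range(qdcount):
        name, _suffix, off = decode_name(data, off)
        qtype, _qclass = struct.unpack_from(">HH", data, off)
        off += 4
        pkt["questions"].append((name, qtype))
    for _ in range(ancount):
        name, _suffix, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_NB:  # RDATA holds (NB_FLAGS, NB_ADDRESS) pairs
            for i in range(0, rdlen, 6):
                pkt["answers"].append((name, str(ipaddress.IPv4Address(rdata[i + 2:i + 6]))))
    return pkt

def detect(flows):
    """Return (reason, trn_id, peer_ip) findings. Outstanding queries are keyed by
    transaction id only, which is all NBNS itself correlates on; the subnet checks
    add the context the protocol lacks."""
    findings, pending = [], {}
    for src, sport, dst, dport, payload in flows:
        if NBNS_PORT not in (sport, dport):
            continue
        pkt = parse_packet(payload)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not pkt["response"]:
            pending[pkt["trn_id"]] = dst_ip
            if dst_ip not in LOCAL_NET:
                findings.append(("nbns_query_leaves_subnet", pkt["trn_id"], str(dst_ip)))
        elif pkt["trn_id"] not in pending:
            findings.append(("unsolicited_nbns_response", pkt["trn_id"], str(src_ip)))
        elif src_ip not in LOCAL_NET:
            findings.append(("nbns_response_from_outside_subnet", pkt["trn_id"], str(src_ip)))
    return findings

VICTIM, ATTACKER, NEIGHBOUR = "10.0.0.5", "203.0.113.7", "10.0.0.9"
SAMPLE_FLOWS = [  # constructed (src, sport, dst, dport, payload) records
    # 1. opening \\203.0.113.7\share makes the victim send an NBSTAT query to the attacker
    (VICTIM, 137, ATTACKER, 137, build_query(0x1234, "*", QTYPE_NBSTAT, False)),
    # 2. the victim broadcasts an ordinary name query for WPAD on its own subnet
    (VICTIM, 137, "10.0.0.255", 137, build_query(0x1235, "WPAD", QTYPE_NB, True)),
    # 3. the attacker answers from outside with a matching id, naming itself as WPAD
    (ATTACKER, 137, VICTIM, 137, build_positive_response(0x1235, "WPAD", ATTACKER)),
    # 4. a guessed id that matches no outstanding query
    (ATTACKER, 137, VICTIM, 137, build_positive_response(0x9999, "WPAD", ATTACKER)),
    # 5. benign: a neighbour resolves a file server and gets a reply from the subnet
    (NEIGHBOUR, 137, "10.0.0.255", 137, build_query(0x0042, "FILESRV", QTYPE_NB, True)),
    ("10.0.0.20", 137, NEIGHBOUR, 137, build_positive_response(0x0042, "FILESRV", "10.0.0.20")),
]

def run_demo():
    return detect(SAMPLE_FLOWS)
```

`run_demo()` flags the NBSTAT query leaving the subnet, the spoofed WPAD answer arriving from outside it, and the mis-guessed ID, while the neighbour's lookup produces nothing. The point for defenders is that NBNS itself accepts any response whose transaction ID matches an outstanding query; whether the reply came from the host that was asked, or from inside the subnet at all, is context a perimeter sensor or firewall has to supply, and outbound UDP 137 to a foreign address is the single most useful signal.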

What To Do About It 

  1. Redmond has patched this; test the patch and roll it out ASAP.
  2. Disable NetBIOS over TCP/IP wherever nothing still depends on it (check first for legacy name resolution or network browsing that would break), and make sure your perimeter firewall does not pass NetBIOS Name Service traffic (UDP 137) in or out.
  3. Step all users through effective security awareness training that includes simulated phishing attacks.

As a start, you could send a no-charge Phishing Security Test (PST) to all your employees and find out what your organization's Phish-prone percentage really is. Often an unpleasant surprise, but a great way to start budget discussions. Get started with your PST now:

Get Your Free PST Now

Don't like to click on redirected buttons? Cut and paste this link into your browser:

https://www.knowbe4.com/phishing-security-test-offer
