A recent vulnerability discovered in the Windows RPC service, which received CVE-2022–26809, moved the cybercrime world in the search for targets that could be exploited, even emerging as the most sought after service in Hacknet reports, a project developed and maintained by the Brazilian company NetSensor, and which analyzes malicious activities in different parts of the world.
The reasons for all this movement are clear — after all, the vulnerability brings together, according to Microsoft's own data, a conjuncture of characteristics that are practically irresistible for any attacker: Network attack, low complexity, no need for privileges, no need for user interaction and with a high degree of breach of confidentiality, integrity and availability, that is, breach of “all” pillars of Information Security (CID).
Despite the “hunt” for the CIFS sharing service having reached the top of the rankings a few days after the vulnerability was disclosed, HackNet already identified this service as a constant figure among the “top 3” most searched services in its daily reports.
Assuming that a service would not be so sought after, and for so long, if there was not a great possibility of carrying out some type of exploration with a high level of commitment, NetSensor carried out an investigation into the exposure and fragility of this service. on the Internet, reaching frightening results, although they should not surprise most security professionals.
Among the most critical and frightening items are:
A large number of service exposures, probably without the real need, either due to carelessness during implementation, or a poor choice of solution used to meet a specific demand.
Services allowing enumeration of available shares.
Shares with public access (guest) containing sensitive and highly confidential data, among which we can mention:
Personal data of customers and suppliers, including bank details;
Corporate information, including financial and product details;
System source codes, including some with write permission;
Backups of entire databases, reaching the exposure of terabytes of data from the same company.
The much desired system access credentials, various technology management portals and Clouds, among others
It may seem like a cliché, something trivial, but unfortunately it is not:
"Review unnecessary exposures of CIFS and RPC sharing services."
Although there are several vulnerabilities in services and market applications, the biggest vulnerabilities continue to be inserted by people, whether due to carelessness, lack of knowledge or short delivery times, the fact is that in this scenario I see a new "bubble" forming in the market , which I have called “the security bubble”. But that is a subject for a future article.