Google Chrome users on Windows are advised to disable automatic downloads in the web browser to protect authentication data against a new threat discovered recently.
The Chrome browser is the most popular browser right now on desktop devices. It is configured to download safe files automatically to the user system without prompt by default.
Any file that Chrome users download that passes Google's safe browsing checks will land in the default download directory automatically. Chrome users who want to pick the download folder instead for downloads need to change that behavior in the options.
The new attack, described in detail on the Defense Code website, combines Chrome's automatic download behavior with Windows Explorer Shell Command File files that have the .scf file extension.
The aging format is a plain text file that includes instructions, usually an icon location and limited commands. What's particularly interesting about the format is that it may load resources from a remote server.
Even more problematic is the fact that Windows will process these files as soon as you open the directory they are stored in, and that these files appear without extension in Windows Explorer regardless of settings. This means that attackers could easily hide the file behind a disguised filename such as image.jpg.
The attackers use a SMB server location for the icon. What happens then is that the server requests authentication, and that the system will provide that. While password hashes are submitted, the researchers note that cracking those passwords should not take decades anymore unless they are of the complex kind.
Regarding password cracking feasibility, this improved greatly in the past few years with GPU-based cracking. NetNTLMv2 hashcat benchmark for a single Nvidia GTX 1080 card is around 1600 MH/s. That's 1.6 billion hashes per second. For an 8-character password, GPU rigs of 4 such cards can go through an entire keyspace of upper/lower alphanumeric + most commonly used special characters (!@#$%&) in less than a day. With hundreds of millions leaked passwords resulted from several breaches in the past years (LinkedIn, Myspace), wordlist rule-based cracking can produce surprising results against complex passwords with more entropy.
The situation is even worse for users on Windows 8 or 10 machines who authenticate with a Microsoft account, as the account will provide the attacker with access to online services such as Outlook, OneDrive, or Office365 if used by the user. There is also the chance that the password is reused on non-Microsoft sites.
Antivirus solutions are not flagging these files right now.
Here is how the attack goes down
- User visits a website which either pushes a drive by download to the user system, or gets the user to click on a specially prepared SCF file so that it gets downloaded.
- User opens the default download directory.
- Windows checks the icon location, and sends authentication data to the SMB server in hashed format.
- Attacks may use password lists or brute force attacks to crack the password.
How to protect your system against this attack
One option that Chrome users have is to disable automatic downloads in the web browser. This prevents drive by downloads, and may also prevent accidental downloads of files.
- Load chrome://settings/ in the browser's address bar.
- Scroll down and click on the "show advanced settings" link.
- Scroll down to the Downloads section.
- Check the preference "Ask where to save each file before downloading".
Chrome will prompt you for a download location each time a download is initiated in the browser.
While you add a layer of protection to Chrome's handling of downloads, manipulated SCF files may land in different ways on target systems.
One option that users and administrators have is to block ports used by SMB traffic in the firewall. Microsoft has a guide up that you may use for that. The company suggests to block communication from and to the Internet to the SMB ports 137, 138, 139 and 445.
Blocking these ports may affect other Windows services however such as the Fax service, print spooler, net logon, or file and print sharing.
Now You: How do you protect your machines against SMB / SCF threats?