Tech Support Forum > Security Center > General Computer Security
SMB exposure?

06-23-2020, 12:34 PM   #1   (Registered Member, OS: Win 10 Pro 1909)

2 backup/recovery products leave an open SMB connection after writing a backup to a NAS. Any program running under the owning userid can access the NAS without providing any credentials. That program's access would be limited to whatever access the backup software had, but it would certainly have access to the backup files.


Both of these products normally open the SMB connection under the userid NT AUTHORITY\SYSTEM. (Any malware running under that authority can certainly do a lot more damage than just corrupting some backup files.) One of the products can optionally open the connection under the userid of the person configuring the backup. (Malware running there could do a lot less damage on the local computer, but would need no special authority to corrupt the backup files.)


I have never seen this discussed before. Is there any malware (and I'm primarily thinking of ransomware) known to use open SMB connections to access user data? Or am I just being overly paranoid?
-- pokeefe0001
06-23-2020, 04:36 PM   #2   (Registered Member, OS: Windows 10 Pro 2004)

https://blog.malwarebytes.com/101/20...ternalChampion.

https://digital.nhs.uk/cyber-alerts/...n%2012th%20May.
-- xrobwx71

06-23-2020, 04:52 PM   #3   (Registered Member, OS: Win 10 Pro 1909)

I had already read those, but they talk about how malware exploits vulnerabilities in SMB in order to propagate itself (if I've read them correctly).



I want to know if

  1. any known malware uses open SMB connections to access and manipulate user data
  2. any known malware manages to run under NT AUTHORITY\SYSTEM in order to do its work.
-- pokeefe0001

06-23-2020, 11:28 PM   #4   (Moderator TSF, Hardware Team Moderator, OS: Windows 10)

The answer to both questions is YES. Now, the question remains, what are you going to do to keep malware at bay? The Malwarebytes blog page gives you prevention and mitigation measures, but whether you'll adopt them or not is the real question.
-- Stancestans

06-24-2020, 09:26 AM   #5   (Registered Member, OS: Win 10 Pro 1909)

I think I'm relatively careful and I have good anti-malware software, but neither I nor the security package are perfect. And my wife's laptop also uses the NAS for backup so there are multiple sources of exposure. My concern at the moment is making sure I can recover from an attack - especially how to recover two laptops that do not regularly have an external drive attached.



From your response, I'd say I'd best not count on backups to a NAS using SMB.
-- pokeefe0001

06-24-2020, 10:36 AM   #6   (Moderator TSF, Hardware Team Moderator, OS: Windows 10)

Quote:
Originally Posted by pokeefe0001
I think I'm relatively careful and I have good anti-malware software, but neither I nor the security package are perfect. And my wife's laptop also uses the NAS for backup so there are multiple sources of exposure. My concern at the moment is making sure I can recover from an attack - especially how to recover two laptops that do not regularly have an external drive attached.

From your response, I'd say I'd best not count on backups to a NAS using SMB.
There is backup software that has ransomware protection mechanisms, such as locking the backup images so that no other process can alter or delete them. I would like to believe you have done your homework as regards protecting NAS devices from ransomware, but if you haven't, then you should. There's a wealth of information out there. To get you started, see
https://www.novastor.com/blog/protec...rom-ransomware

https://blog.qnap.com/protecting-you...om-ransomware/

and more here https://www.google.com/search?q=nas+...are+protection
-- Stancestans

06-24-2020, 11:35 AM   #7   (Registered Member, OS: Win 10 Pro 1909)

Quote:
Originally Posted by Stancestans
There are backup software that have ransomware protection mechanisms, such as locking the backup images so that no other process can alter or delete them.
Actually, the two backup products I alluded to in my original post both have such protection. That, plus my security product (I use Kaspersky Internet Security) should make me relatively safe. But still, ... .

Quote:
Originally Posted by Stancestans
I would like to believe you have done your homework as regards protecting NAS devices from ransomware, but if you haven't, then you should. There's a wealth of information out there. To get you started, see
https://www.novastor.com/blog/protec...rom-ransomware

https://blog.qnap.com/protecting-you...om-ransomware/

and more here https://www.google.com/search?q=nas+...are+protection
I would also like to believe I've done my homework. Somewhat weak passwords on my admin accounts is probably my greatest NAS sin. But having the backup products leaving the front door wide open (at least to their backup files) sort of pokes a hole in the other security measures.



I have a weekly backup of my "backups" NAS to another NAS, keeping 5 versions of the backup, and with no access between my computers and the backup of the backups. But recovery from that 2nd NAS would be 1-5 weeks old - fine for the operating system, but not so good for user data. Much of my user data is kept on a shared NAS - a public share, but with daily backups in multiple locations. But I still want a relatively secure daily backup of user profiles and ProgData ... and I don't have that yet.
-- pokeefe0001

06-24-2020, 11:53 AM   #8   (Moderator TSF, Hardware Team Moderator, OS: Windows 10)

Quote:
Originally Posted by pokeefe0001
But having the backup products leaving the front door wide open (at least to their backup files) sort of pokes a hole in the other security measures.
Are you still talking about the SMB connections used by the backup programs? If the backup programs are protecting those backups from modification by other processes, then you shouldn't worry about the open connections. Keeping the NAS OS/firmware and the SMB protocol updated/patched should take care of the SMB security holes. Besides, that backup software will need to open connections to the NAS to do its job (reach the target backup medium). You should, instead, be worried about important, unprotected files that are stored on the NAS besides the protected backup images, but said files should also be part of the protected multi-version backups anyway.
-- Stancestans

06-24-2020, 12:53 PM   #9   (Registered Member, OS: Win 10 Pro 1909)

Arrg. I'm getting tired of losing input to this forum when I forget to enable javascript. I just lost an hour's worth of reply. I'll redo it later.




Update: testing javascript
Test #2
-- pokeefe0001

06-24-2020, 03:07 PM   #10   (Registered Member, OS: Win 10 Pro 1909)

Quote:
Originally Posted by Stancestans
Are you still talking about the SMB connections used by the backup programs?
Primarily, although I veered off-topic a couple times. And I will again during this posting.
Quote:
Originally Posted by Stancestans
If the backup programs are protecting those backups from modification by other processes, then you shouldn't worry about the open connections.
Well, sort of. Both products protect their files on local (external or internal) drives. Beyond that they rely on known malware signatures and behavior - like security packages do.
One of the products claims to protect NAS-based files from ransomware, but doesn't say exactly what that means (protection from encryption, maybe?) or how they do it. It does not protect their files on a NAS from being deleted or renamed by Windows File Explorer or an FTP client. It does not keep FTP from overwriting the files.
The other product admits it cannot protect its files on a NAS.
Quote:
Originally Posted by Stancestans
Keeping the NAS OS/firmware and the SMB protocol updated/patched should take care of the SMB security holes.
Unfortunately, this open connection problem is not a security hole in the SMB code. It's just how SMB is supposed to work.
Quote:
Originally Posted by Stancestans
Besides, those backup software will need to open connections to the NAS for them to do their jobs (reach the target backup medium).
One of the products supposedly supports FTP to back up to NAS drives. FTP has its own security problems (such as sending passwords in clear text), but its connections cannot be used by malware. The FTP connections are between a single instance of the client and the server. Malware would have to start its own FTP connection for its own instance of the client.
However, the product's integration of its FTP client into the rest of the code is incredibly buggy. And they provide no support for the secure flavors of FTP - FTPS and SFTP. (And yes, I know FTPS is not really FTP.)
Quote:
Originally Posted by Stancestans
You should, instead, be worried about important, unprotected files that are stored on the NAS besides the protected backup images, but said files should also be part of the protected multi-version backups anyway.
I think I'm pretty well covered there. One NAS contains only backups created by the backup product(s). The other NAS contains only NAS-to-NAS backups of the 1st NAS plus an FTP copy of the local backups of one of the computers. My two desktop computers take backups to local external drives ... including daily backups of a public share NAS.
Unfortunately, my two laptops have no regularly attached external drives so their backups are taken to the 1st level backup NAS. And that's where my exposure lies.
-- pokeefe0001
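For the exposure described in the first post and revisited in post #10 (an SMB session left open under the backup account, which any process running in that account can reuse without credentials), here is an added PowerShell audit/cleanup script. It is not code from the thread or from either backup product; the NAS host name is an assumed placeholder, and it assumes it runs elevated and, for SYSTEM-owned sessions, in a SYSTEM context (e.g. a scheduled task that follows the backup task).

```powershell
# Added example: list the SMB client connections open on this Windows machine and,
# with -Disconnect, close the idle ones to the backup NAS after the backup job ends.
# Assumptions: 'backup-nas' is a placeholder host name; the script runs elevated and
# in the account that owns the sessions (SYSTEM-owned ones need a SYSTEM context).
param(
    [string]$NasName = 'backup-nas',   # placeholder for the backup NAS host name
    [switch]$Disconnect                # report only unless this switch is given
)

# Every open SMB client connection: server, share, the local account that owns it
# and the credential it authenticated with. A row that is still present after the
# backup finished is a session any process in that account can reuse for free.
$conns = @(Get-SmbConnection |
    Select-Object ServerName, ShareName, UserName, Credential, Dialect, NumOpens)
$conns | Format-Table -AutoSize

$lingering = @($conns | Where-Object { $_.ServerName -ieq $NasName })
if ($lingering.Count -eq 0) {
    Write-Host "No open SMB connections to $NasName."
    return
}
$owners = ($lingering | Select-Object -ExpandProperty UserName |
    Sort-Object -Unique) -join ', '
Write-Warning ("{0} open SMB connection(s) to {1}, owned by: {2}" -f `
    $lingering.Count, $NasName, $owners)

if (-not $Disconnect) { return }

foreach ($c in $lingering) {
    $unc = '\\{0}\{1}' -f $c.ServerName, $c.ShareName
    # A session with files still open belongs to a job that has not finished;
    # dropping it would corrupt the backup image being written.
    if ($c.NumOpens -gt 0) {
        Write-Warning "$unc still has $($c.NumOpens) open file(s); skipping."
        continue
    }
    # Drive-letter mappings go through Remove-SmbMapping; plain UNC sessions (the
    # usual case for backup agents) are dropped with 'net use /delete'.
    if (Get-SmbMapping -RemotePath $unc -ErrorAction SilentlyContinue) {
        Remove-SmbMapping -RemotePath $unc -Force
    } else {
        & net use $unc /delete /y | Out-Null
    }
    Write-Host "Closed $unc"
}
```

Closing the session only narrows the window until the next backup reopens it; the durable mitigation is the one the thread converges on, immutable or versioned backup images plus a second copy the client machines cannot reach.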