<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3amicrosoftserver_message_block1.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 15:45:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3amicrosoftserver_message_block1.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>SMB (Windows File Sharing) Activity from the Internet</title><link>https://feed.craftedsignal.io/briefs/2026-07-smb-from-internet/</link><pubDate>Fri, 03 Jul 2026 15:45:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-smb-from-internet/</guid><description>Detection rule identifies inbound Windows file sharing (SMB/CIFS) traffic originating from the Internet to internal hosts, posing a critical initial access risk due to potential exploitation of vulnerabilities like CVE-2017-0144 (EternalBlue).</description><content:encoded><![CDATA[<p>This brief addresses the critical security risk of Windows Server Message Block (SMB) file sharing services being directly exposed to the internet. SMB (operating on TCP ports 139 and 445) is a fundamental component of Windows networking, designed for local network communication. Its direct exposure to the public internet is a severe misconfiguration, creating a primary target for threat actors seeking initial access. This exposure is a direct precondition for exploitation of well-known vulnerabilities, such as MS17-010 (EternalBlue, CVE-2017-0144), which has been leveraged in widespread attacks like WannaCry and NotPetya. The detection focuses on network events where inbound SMB traffic originates from a public IP address destined for a private internal IP, signifying a direct internet connection to an internal SMB service. Organizations must actively prevent this exposure to mitigate significant attack vectors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>External Reconnaissance</strong>: Threat actors conduct internet-wide scans for publicly accessible hosts with open SMB ports (TCP 139 and 445).</li>
<li><strong>Initial Access</strong>: An attacker initiates an SMB connection from a public IP address to a vulnerable internal host that has its SMB service inadvertently exposed to the internet.</li>
<li><strong>Exploitation of Public-Facing Application</strong>: The attacker leverages known critical SMB vulnerabilities (e.g., EternalBlue, MS17-010 / CVE-2017-0144) to gain remote code execution on the exposed Windows system.</li>
<li><strong>Execution</strong>: Upon successful exploitation, the attacker executes arbitrary commands, deploys backdoors, or stages additional malware on the compromised host, leading to process creation events or new services.</li>
<li><strong>Persistence</strong>: The attacker establishes a persistent foothold within the network, often by creating new services, modifying registry run keys, or using scheduled tasks to maintain access.</li>
<li><strong>Impact</strong>: The attacker proceeds with post-exploitation activities, which can include sensitive data exfiltration, deployment of ransomware (such as WannaCry or NotPetya), or lateral movement to further compromise the internal network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The direct exposure of SMB services to the internet has catastrophic consequences, as demonstrated by previous global cyberattacks. Successful exploitation leads to unauthenticated remote code execution (RCE) on the vulnerable Windows system, granting attackers full control. This can result in widespread network compromise, including encryption of critical data by ransomware (e.g., WannaCry, NotPetya), complete data exfiltration, system destruction, and significant operational disruption. Financial and reputational damage for affected organizations can be immense. The potential victim scope includes any organization or individual with an internet-facing SMB service, regardless of size or sector.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule included in this brief to your SIEM, ensuring network flow or firewall log data is ingested and correlated.</li>
<li>Immediately close inbound TCP ports 139 and 445 at the firewall or security group level for all public-facing interfaces to prevent any inbound SMB traffic from the internet.</li>
<li>Patch CVE-2017-0144 (MS17-010) and all related SMB vulnerabilities on all Windows hosts, prioritizing those with potential internet exposure.</li>
<li>Audit all NAT and firewall rules to identify and remediate any misconfigurations that inadvertently expose internal SMB services.</li>
<li>If a detection fires from the provided Sigma rule, investigate the destination host for signs of compromise, such as unexpected processes or new services, and isolate it if necessary.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>initial-access</category><category>network</category><category>windows</category><category>smb</category><category>vulnerability</category><category>ms17-010</category></item></channel></rss>