SMBGHOST - CVE-2020-0796

CVE-2020-0796 is a buffer overflow vulnerability that exists due to an error in the way the vulnerable Microsoft Server Message Block (SMB) protocol handles a maliciously crafted compressed data packet. It could be exploited by a remote, unauthenticated attacker to execute arbitrary code and gain control over vulnerable systems. In addition, researchers noted the vulnerability could be exploited in a "wormable" attack, in which an attacker could easily and quickly move from one victim on the network to another. Of note, the vulnerability only affects SMB 3, which is the latest version of the SMB protocol and exists only in recent versions of the Windows operating system. Thus, only Windows 10 and Windows Server 2019 versions of the OS are vulnerable, and specifically the following builds of both OS versions: 1903 and 1909. In June 2020, CISA warned that threat actors are targeting unpatched systems with a new PoC. [19]

If we compare CVE-2020-0796/SMBGhost (52 posts in the past year) to CVE-2020-1472/Zerologon (38 posts in the past year), which is mentioned above, it is interesting to see that there are probably fewer news reports about incidents involving the exploitation of SMBGhost.

CVE-2019-19781

CVE-2019-19781 affects the Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC. Successful exploitation of the vulnerability could allow an unauthenticated attacker to connect remotely and execute arbitrary code on the affected computer. Since the vulnerability was disclosed, it has been successfully exploited by:

1. Ransomware gangs, such as REvil, Ragnarok, DoppelPaymer, Maze, and Nephilim, in a significant number of incidents. [20]
2. Nation-state groups, such as the Russian APT29 group and the Chinese APT41 group, who used exploits abusing this flaw for initial access to targeted organizations in multiple industries, such as financial, government, defense and healthcare, in global campaigns. [21]
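As an added exposure check (example code, not from the report), the following PowerShell script turns the affected builds named above into a host-level test a defender can run on a Windows 10 or Windows Server 2019 machine. It assumes the release-to-build mapping 1903 -> 18362 and 1909 -> 18363, that KB4551762 is the March 2020 security update that fixes the flaw, and that Microsoft's published workaround is the DisableCompression registry value under the LanmanServer Parameters key; none of these values appear in the report.

```powershell
# Added exposure check for CVE-2020-0796 (SMBGhost); example code, not part of the report.
# Assumptions (not stated in the report): release-to-build mapping below,
# KB4551762 as the March 2020 fix, and Microsoft's DisableCompression workaround.

$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$fixKb          = 'KB4551762'
$paramsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# The report states only builds 1903 and 1909 of Windows 10 / Server 2019 are in scope.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

if (-not $affectedBuilds.ContainsKey($build)) {
    Write-Output "Build $build is not one of the affected releases (1903/1909); CVE-2020-0796 does not apply."
    return
}
Write-Output "Build $build is version $($affectedBuilds[$build]): in scope for CVE-2020-0796."

# 1. Is the security update installed? Get-HotFix returns nothing (and no error,
#    thanks to -ErrorAction) when the KB is absent, so the cast yields $false.
$patched = [bool](Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue)

# 2. Is SMBv3 compression disabled on the server side (Microsoft's workaround)?
#    The flaw is in the handling of compressed packets, so disabling compression
#    removes the vulnerable code path for inbound connections.
$disable    = (Get-ItemProperty -Path $paramsKey -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
$workaround = ($disable -eq 1)

# Summary object: Exposed is true only when neither the fix nor the workaround is present.
[pscustomobject]@{
    Build               = $build
    Version             = $affectedBuilds[$build]
    FixInstalled        = $patched
    CompressionDisabled = $workaround
    Exposed             = (-not $patched) -and (-not $workaround)
}
```

Two caveats when reading the result: later cumulative updates supersede KB4551762, so a host that is fully up to date may report FixInstalled = False even though it is no longer vulnerable (confirm against the installed update build revision before escalating), and the DisableCompression workaround only protects the SMB server role; a client connecting to a malicious server is not covered by it, so the patch remains the real fix.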
19. https://us-cert.cisa.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796; https://www.scmagazine.com/home/security-news/vulnerabilities/cisa-warns-attackers-are-using-exploit-code-for-smbghost-bug/; https://techxplore.com/news/2020-06-homeland-windows-worm.html
20. https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/; https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/; https://www.infosecurity-magazine.com/news/it-services-firm-conduent-felled/; https://www.bankinfosecurity.com/nephilim-ransomware-gang-tied-to-citrix-gateway-hacks-a-14480; https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp
21. https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html; https://attack.mitre.org/groups/G0096/; https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf; https://attack.mitre.org/groups/G0016/

Vulnerability Threat Intelligence Report