A researcher in China has discovered a design flaw in Microsoft Windows that affects all versions of the operating system, including Windows 10. Using NetBIOS spoofing, it lets an attacker hijack your organization's network traffic with a simple social engineering attack, and it can be exploited silently with a near-perfect success rate.

The scenario is very simple: the bad guy just uses social engineering to trick an employee into visiting a malicious web page via IE or Edge, or into opening a specially crafted Office document. The attacker's website will appear to the victim's machine as either a file server or a local print server, but in the background it hijacks your network traffic, including things like Windows Updates.

“This vulnerability has a massive security impact – probably the widest impact in the history of Windows,” Yu said in an interview with DarkReading conducted via email. “It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years.”

Microsoft this week issued a patch for the so-called “BadTunnel” bug found by Yang Yu, director of Xuanwu Lab of Tencent in Beijing.

The expert classified BadTunnel as a technique for NetBIOS spoofing across networks, meaning the attacker can leverage it to get access to network traffic without being on the victim's network. The technique is very insidious and difficult to detect because it doesn't involve malicious code, and it bypasses firewalls and Network Address Translation (NAT) devices.

BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses; how IE and Edge browsers support webpages with embedded content; how Windows handles network paths via an IP address; how NetBIOS Name Service NB and NBSTAT queries handle transactions; and how Windows handles queries on the same UDP port (137). Taken together, these weaknesses make the network vulnerable to a BadTunnel attack. DarkReading has the technical details on the attack scenario; it's a recommended read.

What To Do About It

  1. As Redmond has patched this, apply the patch ASAP after you have tested it.
  2. Disable NetBIOS over TCP/IP.
  3. Step all users through effective security awareness training that includes simulated phishing attacks.
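As an added example for step 2 (this script is not from the article, Tencent or Microsoft), the following PowerShell audits the NetBIOS over TCP/IP setting on every interface, disables it when run with -Remediate, and then checks that nothing on the host is still bound to UDP/137. The registry path and the Win32_NetworkAdapterConfiguration.SetTcpipNetbios method are Windows' own; the script is assumed to run in an elevated session on Windows 8 / Server 2012 or later, where Get-NetUDPEndpoint is available.

```powershell
# Added example: audit and optionally disable NetBIOS over TCP/IP (BadTunnel mitigation step 2).
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
param(
    [switch]$Remediate
)

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

# NetbiosOptions per interface: 0 = use DHCP setting (default), 1 = enabled, 2 = disabled
$report = Get-ChildItem -Path $paramKey | ForEach-Object {
    $current = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    $state = switch ($current) {
        2       { 'Disabled' }
        1       { 'Enabled' }
        default { 'DHCP default (usually enabled)' }
    }
    [pscustomobject]@{
        Interface      = $_.PSChildName   # subkeys are named Tcpip_{GUID}
        NetbiosOptions = $current
        State          = $state
    }
}
$report | Format-Table -AutoSize

if ($Remediate) {
    # Registry write covers every interface, including adapters WMI does not list as IP-enabled.
    Get-ChildItem -Path $paramKey | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
    # WMI method applies the change to live adapters; ReturnValue 0 = done, 1 = done but reboot required.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
            '{0}: SetTcpipNetbios -> {1}' -f $_.Description, $r.ReturnValue
        }
}

# Verification: with NetBIOS over TCP/IP off (after a reboot where one was requested),
# the NetBIOS Name Service must no longer be bound on UDP/137.
$nbns = Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue
if ($nbns) {
    Write-Warning ('UDP/137 still bound on: ' + (($nbns.LocalAddress | Sort-Object -Unique) -join ', '))
} else {
    Write-Output 'No listener on UDP/137: NetBIOS Name Service is not exposed on this host.'
}
```

Run it without -Remediate first to see which interfaces still have NetBIOS enabled; domain-wide, the same NetbiosOptions = 2 value can be pushed through Group Policy Preferences registry items.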