https://www.infosecurity-magazine.com/news/flawedammyy-rat-takes-over-desktops/ A bit more detail from the ProofPoint article: https://www.proofpoint.com/us/threa...ource-code-ammyy-admin-turned-flawedammyy-rat Great example of SMB being used maliciously - no exploit needed.
Is it possible to disable SMB, all versions, in Windows 7 Pro/Ultimate and W10 Pro? How? Thanks for any tips/links. Ska
The same recommendation for previous SMB-based attacks applies to this attack. That is, ports 137-139 and 445 inbound and outbound traffic should be limited by firewall to local network IP addresses; i.e. usually 192.160.0.0 - 192.168.0.255 or 192.160.1.0 - 192.168.1.255. This is especially true for Win 7, where port 445 is not locked down as it is in later Win OS versions. Also, care needs to be taken not to block any security solution localhost proxy connections through these ports, if so employed. Additional mitigations would be to use a security solution with IDS protection and configure it to deny access to Admin shares via the SMB protocol.
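The firewall restriction described in the answer above, written out as an added example (not code from the thread or from any of its posters). It uses netsh advfirewall, which is present on both Windows 7 and Windows 10, so the same script covers the two systems named in the question. It assumes the LAN is 192.168.1.0/24 and keeps 127.0.0.0/8 unblocked so localhost proxies of a security suite keep working; the final SMBv1 step goes a little beyond the answer, which only covers firewalling.

```powershell
# Added example: restrict SMB/NetBIOS ports to the local subnet with Windows
# Firewall, then disable SMBv1. Run from an elevated PowerShell prompt.
# ASSUMPTION: the LAN is 192.168.1.0/24. Edit $NonLan if yours is
# 192.168.0.0/24 or anything else.

# Every IPv4 address except loopback (127/8, left open for local
# security-suite proxies) and the LAN 192.168.1.0/24. netsh accepts a
# comma-separated list of ranges in remoteip=.
$NonLan = '0.0.0.0-126.255.255.255,128.0.0.0-192.168.0.255,192.168.2.0-255.255.255.255'

# Windows Firewall has no rule priority: a block rule always beats an allow
# rule. Blocking the non-LAN ranges therefore leaves the built-in "File and
# Printer Sharing" allow rules effective for LAN peers only.
# Inbound rules match the local port (we are the server); outbound rules
# match the remote port (we are the client).
$rules = @(
  @{ Name = 'SMB-Block-In-TCP';  Dir = 'in';  Proto = 'tcp'; Side = 'localport';  Port = '139,445' },
  @{ Name = 'SMB-Block-In-UDP';  Dir = 'in';  Proto = 'udp'; Side = 'localport';  Port = '137,138' },
  @{ Name = 'SMB-Block-Out-TCP'; Dir = 'out'; Proto = 'tcp'; Side = 'remoteport'; Port = '139,445' },
  @{ Name = 'SMB-Block-Out-UDP'; Dir = 'out'; Proto = 'udp'; Side = 'remoteport'; Port = '137,138' }
)

foreach ($r in $rules) {
  # Remove any earlier copy so the script can be re-run without duplicates.
  $null = netsh advfirewall firewall delete rule "name=$($r.Name)"

  # Arguments are built as an array and splatted so that values containing
  # commas (port lists, IP ranges) reach netsh as single tokens.
  $add = @('advfirewall', 'firewall', 'add', 'rule',
           "name=$($r.Name)", "dir=$($r.Dir)", 'action=block',
           "protocol=$($r.Proto)", "$($r.Side)=$($r.Port)",
           "remoteip=$NonLan", 'profile=any')
  netsh @add
}

# Disable SMBv1 as well. Windows 8/10 expose Set-SmbServerConfiguration;
# Windows 7 uses the LanmanServer registry value documented in Microsoft
# KB2696547. Neither affects SMBv2/v3, which the firewall rules above cover.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
      -Name SMB1 -Type DWORD -Value 0 -Force
  # A reboot is required on Windows 7 for the registry change to take effect.
}

# Verify: list the four block rules that were just created.
netsh advfirewall firewall show rule name=all | Select-String 'SMB-Block'
```

After running it, a share on a LAN peer should still open while connections to or from any address outside 192.168.1.0/24 on these ports are dropped; if a local security product proxies SMB through 127.0.0.1, that path stays open because loopback is excluded from $NonLan.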
FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle March 2, 2019 https://securityaffairs.co/wordpress/81857/malware/flawedammyy-undetected-xlm-macros.html
Microsoft Warns about the new Campaign that Delivers FlawedAmmyy RAT via Weaponized MS Excel Documents June 25, 2019 https://gbhackers.com/microsoft-warns-flawedammyy-rat/