From Bleeping Computer: Hackers Can Steal Windows Login Credentials Without User Interaction
To summarise, configuring SMB sharing without the use of a password opens a vulnerability that has been patched only in Windows 10 that allows a malicious agent to steal Windows credentials by use of a specially crafted file.
I've been on the record here for not turning off password protected sharing, so I wanted to make sure that techs who have put unprotected shares in customer environments to know that this may be an issue.
Bookmarks