SMB shares exposed to the internet. Just....... Why?
They don't have to have been exposed to the internet globally, just exposed to one external machine that itself is compromised. Management says give X access or its your ass, you lock down access so it is literally just to machine X, but if X gets hit then you're hit. It really is a case of just one weak link is enough. But management will never understand why security wants to be so doctrinaire and inflexible when its 'obvious' that one little exception, properly managed, will be OK... Really.