Two weeks ago we reported on a 7-year-old critical remote code execution vulnerability in the Samba networking software (a re-implementation of the SMB networking protocol) that allows a remote hacker to take full control of vulnerable Linux and Unix machines.
To know more about the SambaCry vulnerability (CVE-2017-7494) and how it works, you can read our previous article.
At that time, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet, and researchers predicted that the SambaCry-based attacks also have potential to spread just like WannaCry ransomware widely.
Another security researcher, Omri Ben Bassat, independently discovered the same campaign and named it “EternalMiner.”
According to the researchers, an unknown group of hackers has started hijacking Linux PCs just a week after the Samba flaw was disclosed publicly and installing an upgraded version of “CPUminer,” a cryptocurrency mining software that mines “Monero” digital currency.
After compromising the vulnerable machines using SambaCry vulnerability, attackers execute two payloads on the targeted systems:
- INAebsGB.so — A reverse-shell that provides remote access to the attackers.
- cblRWuoCc.so — A backdoor that includes cryptocurrency mining utilities – CPUminer.
“Through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware,” Kaspersky researchers say.
Mining cryptocurrencies can be a costly investment as it requires an enormous amount of computing power, but such cryptocurrency-mining malware makes it easier for cybercriminals by allowing them to utilise the computing resources of compromised systems to make a profit.
The Adylkuzz malware was also mining Monero by utilizing the enormous amount of computing resources of the compromised Windows systems.
The attackers behind the SambaCry-based CPUminer attack have already earned 98 XMR, which is worth $5,380 today, and this figure is continuously rising with the increase in the number of compromised Linux systems.
“During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day,” the researchers say.
The newly uncovered remote code execution vulnerability (CVE-2017-7494) affects all versions of Samba newer than 3.5.0, which was released on March 1, 2010.
“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,” Samba wrote in an advisory posted Wednesday.
According to the Shodan computer search engine, more than 485,000 Samba-enabled computers exposed port 445 on the Internet, and according to researchers at Rapid7, more than 104,000 internet-exposed endpoints appeared to be running vulnerable versions of Samba, of which 92,000 were running unsupported versions of Samba.
Since Samba is the SMB protocol implemented on Linux and UNIX systems, some experts are calling it the “Linux version of EternalBlue,” the exploit employed by the WannaCry ransomware… or should I say SambaCry?
Keeping in mind the number of vulnerable systems and the ease of exploiting this vulnerability, the Samba flaw could be exploited at a large scale with wormable capabilities.
Home networks with network-attached storage (NAS) devices could also be vulnerable to this flaw.
Exploit Code Unveiled! (Bonus: Metasploit Module)
The flaw actually resides in the way Samba handles shared libraries. A remote attacker could use this Samba arbitrary module loading vulnerability to upload a shared library to a writable share and then cause the server to load and execute the malicious code.
The vulnerability is trivially easy to exploit. Just one line of code is required to execute malicious code on the affected system:
simple.create_pipe("/path/to/target.so")
Moreover, the Samba exploit has already been ported to Metasploit, a penetration testing framework, enabling researchers as well as cybercriminals to exploit this flaw easily.
The maintainers of Samba have already patched the issue in the new Samba versions 4.6.4/4.5.10/4.4.14, and are urging those using a vulnerable version of Samba to install the patch as soon as possible.
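The two preconditions the article describes (a Samba release in the affected range, and a share the attacker can write to) are what a defender should check first. The triage script below is an added example written for this page, not code from the article, Kaspersky or the Samba project; the function names, the constructed SAMPLE_CONF and the assumption that branches newer than 4.6 shipped with the fix while 3.5 to 4.3 never received it are mine, and the fixed releases are the three the article names.

```python
import re
# Fixed releases named in the article; earlier releases on each branch are vulnerable.
FIXED_IN = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
TRUE = ("yes", "true", "1")
# Constructed sample smb.conf: guest access is the global default, [upload] is writable.
SAMPLE_CONF = """[global]
   guest ok = yes
[public]
   read only = yes
[upload]
   writable = yes
"""

def version_vulnerable(text):
    """True when an 'smbd --version' string falls in the CVE-2017-7494 range.
    Caveat: distros may backport the fix without bumping the version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m: raise ValueError(f"no Samba version found in {text!r}")
    v = tuple(int(x) for x in m.groups())
    if v < (3, 5, 0):
        return False
    if v[:2] in FIXED_IN:
        return v < FIXED_IN[v[:2]]
    # Assumption: branches after 4.6 ship fixed; 3.5 to 4.3 were out of
    # upstream support and never received the patch.
    return v[:2] < (4, 4)

def writable_shares(conf_text):
    """Return [(share, guest_ok)] for shares a client could write to.
    'writable = yes' (synonyms: writeable, write ok) means 'read only = no';
    [global] values are defaults for every share and later lines win."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current and "=" in line:
            k, _, val = line.partition("=")
            k, val = k.strip().lower().replace(" ", ""), val.strip().lower()
            if k in ("writable", "writeable", "writeok"):
                k, val = "readonly", "no" if val in TRUE else "yes"
            sections[current][k] = val
    defaults = sections.pop("global", {})
    merged = {n: {**defaults, **p} for n, p in sections.items()}
    return [(n, e.get("guestok", "no") in TRUE) for n, e in merged.items()
            if e.get("readonly", "yes") == "no"]
```

A guest-writable share on an unpatched host is the exact combination the article's attackers relied on, so those entries deserve the first look; feed it the real `smbd --version` output and `/etc/samba/smb.conf` from each host.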