Attention! Hackers began using the SambaCry vulnerability to hack Linux systems

Original author: Swati Khandelwal
  • Transfer


Remember SambaCry ?

Two weeks ago, we reported the discovery of a 7-year-old critical vulnerability in Samba network software (another implementation of the SMB network protocol). It provides the ability to remotely execute code and allows an attacker to take control of vulnerable Linux and Unix machines.

To learn more about the SambaCry Vulnerability (CVE-2017-7494), you can read our previous article .

At that time, it was discovered that there were about 485,000 Samba-enabled computers on the Internet with an open port of 445. Researchers predicted that attacks based on the SambaCry vulnerability could spread like WannaCry ransomware.

The prediction turned out to be pretty accurate. The bait computer, created by a team of researchers from Kaspersky Lab, picked up a virus that uses the SambaCry vulnerability to infect Linux computers — downloading instructions and a cryptominer.

Security specialist Omri Ben Bassat, independently of Kaspersky Lab, also detected this virus and named it EternalMiner.

According to researchers, an unknown group of hackers began hijacking Linux computers into the botnet just a week after the Samba vulnerability was publicly disclosed. Once on the victim’s computer, the virus installs an upgraded version of “CPUminer” - software for crypto mining of the digital currency “ Monero ”.

Using the SambaCry vulnerability, attackers perform two service workloads on vulnerable systems:

(349d84b3b176bbc9834230351ef3bc2a - Backdoor.Linux.Agent.an) INAebsGB.so is a reverse shell that provides remote access to attackers.

(2009af3fed2a4704c224694dfc4b31dc - Trojan-Downloader.Linux.EternalMiner.a) CblRWuoCc.so is a backdoor that includes utilities for starting the CPUminer.

According to researchers from Kaspersky Lab, through the reverse shell remaining in the system, attackers can change the configuration of an already running miner or infect the victim's computer with other types of malware.


INAebsGB.so



Core Functionality cblRWuoCc.so

Cryptocurrency mining can be a costly investment, as it requires tremendous computing power. Such malware simplifies this process for cybercriminals, allowing them to use the computing resources of infected systems to make a profit.

You may recall an article about Adylkuzz , a miner virus that exploited the SMB vulnerability in Windows systems at least two weeks before the start of the WanaCry attack.

The malicious program Adylkuzz also mined Monero, using a huge amount of computing resources of hacked Windows machines.


Hackers account as of 06/08/2017

The organizers of the mining botnet based on SambaCry have already earned 98 XMRs, which today cost $ 5,380. This number is constantly growing with the increasing number of infected Linux systems.

“On the first day, they received about 1 XMR (about $ 55 at the exchange rate on 06/10/2017), but over the past week, income has grown to 5 XMR per day,” the researchers say.


Transaction log with all the proceeds of the attackers

Samba developers have already fixed the problem in new versions of Samba 4.6.4 / 4.5.10 / 4.4.14 and urge those who use the vulnerable version of Samba to install the patch as soon as possible.

PS Other interesting articles from our blog:

How to pass a law or data processing in distributed systems in a clear language
TOP 100 English-language websites about IT
Load balancing in the Clouds
Best toys for future techies from our childhood (USSR and USA)

Also popular now: