Linux Servers Hijacked to Mine Cryptocurrency via SambaCry Vulnerability



An unknown threat actor is using a vulnerability in Samba installations to take over Linux machines and use them as pawns in a vast cryptocurrency mining operation.

According to public data, their actions started about five days after the Samba team announced they patched CVE-2017-7494, a vulnerability in all Samba versions released since 2010.

Because the vulnerability is exploitable via the SMB protocol, and because the issue came to light so close to the WannaCry ransomware outbreak, some researchers started referring to the bug as SambaCry or EternalRed.

Attacks started on May 30

At the technical level, SambaCry lets a client with write access to a share upload a shared library to that share and then trick the Samba daemon into loading and executing it, by requesting a named "pipe" whose name is the path of the uploaded file. Because smbd normally runs as root, the uploaded code runs with root privileges, so full server takeover requires very little skill.

This is exactly what happened. Starting around May 30, one such threat group carried out mass scans looking for vulnerable Samba file-sharing servers.

After finding exposed Samba installations, the attacker tested his ability to upload and execute code by loading eight files onto the target machine.

If that succeeded, he then uploaded two malicious files: a remote shell running with full root privileges, and a modified version of cpuminer, a popular open-source cryptocurrency mining tool.

The attacker uses the remote shell to install the modified cpuminer, which some researchers have started calling EternalMiner.

Cryptocurrency miner #EternalMiner using #SambaCry #CVE_2017_7494 to infect Linux servers. brand new sample @malwrhunterteam. pic.twitter.com/aXlEQKkdtq

— Omri Ben Bassat (@omri9741) June 8, 2017

Attackers made at least $5,400 in Monero

Experts from Kaspersky Lab have been on top of these attacks since the get-go. They say the crook behind this operation has been mining the Monero cryptocurrency on the Linux machines he managed to take over.

Keeping track of the attacker was easy because he hard-coded his Monero wallet address inside EternalMiner's source code. At the time of writing, researchers said the attacker made 98 Monero, which is around $5,400 at today's price.

According to security researchers from Rapid7, at the time when the SambaCry vulnerability became public, on May 25, there were around 104,000 Internet-exposed machines that appeared to be running vulnerable versions of Samba software. The number went down as many admins patched their systems, but many vulnerable file sharing servers remained online.
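A quick way to triage a Samba host against this bug is to combine the version check with the two preconditions the exploit needs: a writable share and working named-pipe support. The script below is an added example, not code from the article, Kaspersky or Rapid7; the affected range (3.5.0 onward) and the fixed releases (4.6.4, 4.5.10, 4.4.14) and the `nt pipe support = no` workaround are taken from the Samba advisory for CVE-2017-7494, the smb.conf parser is deliberately simplified (it ignores parameter precedence rules and includes), and the version string and config are constructed sample input.

```python
"""Triage a Samba host for CVE-2017-7494 (SambaCry).

Added example; not the article's or Samba's own code. Version boundaries come
from the Samba advisory for CVE-2017-7494. Distribution backports (a patched
'4.3.11-Ubuntu', for instance) are invisible in the version string, so treat
'VULNERABLE' as 'needs checking', not as proof.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (3, 5, 0)             # all releases from 3.5.0 onward
FIRST_UNAFFECTED: Version = (4, 7, 0)           # 4.7 postdates the fix
FIXED_IN: Dict[Tuple[int, int], Version] = {    # fixed release per branch
    (4, 6): (4, 6, 4),
    (4, 5): (4, 5, 10),
    (4, 4): (4, 4, 14),
}
FALSY = ("no", "false", "0")
TRUTHY = ("yes", "true", "1")


def parse_version(text: str) -> Optional[Version]:
    """Pull x.y.z out of 'smbd --version' output such as 'Version 4.5.8-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: Version) -> bool:
    """True if the upstream version lies in the affected range and below the
    fix for its branch. Branches 3.5 through 4.3 never received an upstream fix."""
    if version < FIRST_AFFECTED or version >= FIRST_UNAFFECTED:
        return False
    fixed = FIXED_IN.get(version[:2])
    return True if fixed is None else version < fixed


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {key: value}} with lowercase keys and
    '#'/';' comments stripped. Simplified: no includes, no synonym precedence."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections


def has_pipe_workaround(conf: Dict[str, Dict[str, str]]) -> bool:
    """True if [global] sets 'nt pipe support = no', the advisory's workaround.
    It blocks the IPC$ pipe open the exploit relies on, at the cost of breaking
    some Windows clients, so it is a stopgap until the host is patched."""
    value = conf.get("global", {}).get("nt pipe support")
    return value is not None and value.lower() in FALSY


def writable_shares(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares a client could upload the payload to: 'writable'/'writeable' set
    to yes, or 'read only' set to no (the Samba default is read only = yes)."""
    names = []
    for name, opts in conf.items():
        if name == "global":
            continue
        writable = opts.get("writable", opts.get("writeable", "no")).lower() in TRUTHY
        not_read_only = opts.get("read only", "yes").lower() in FALSY
        if writable or not_read_only:
            names.append(name)
    return names


def triage(version_text: str, smb_conf_text: str) -> str:
    """Combine the three checks into a one-word verdict for an inventory script."""
    version = parse_version(version_text)
    if version is None:
        return "unknown version"
    if not is_vulnerable(version):
        return "patched"
    conf = parse_smb_conf(smb_conf_text)
    if has_pipe_workaround(conf):
        return "mitigated (nt pipe support = no)"
    if not writable_shares(conf):
        return "vulnerable version, no writable share"
    return "VULNERABLE"


# Constructed sample input (not captured from a real host).
SAMPLE_VERSION = "Version 4.5.8-Debian"
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   # nt pipe support = no   <- commented out, so the workaround is NOT active
[public]
   path = /srv/public
   writable = yes
[readonly]
   path = /srv/docs
   read only = yes
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONF))
```

In practice you would feed the script the output of `smbd --version` and the contents of `/etc/samba/smb.conf` from each host in your inventory (or from `testparm -s`, which expands includes and defaults). A "patched" verdict for a distribution package still needs the distro's changelog checked, since vendors backport the fix without bumping the upstream version.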
