Cyber criminals take advantage of SambaCry to mine Monero using compromised Linux systems

Windows is not the only OS having vulnerabilities, for sure. Linux has its own vulnerability affecting a package called Samba (open-source networking software) too. It allows experienced hackers to take the full control of vulnerable machines. The vulnerability dubbed CVE-2017-7494 is related to all the versions of Samba, starting from the version 3.5.0, which was first released in 2010, which means that we are talking here about a 7-year-old critical remote code execution vulnerability. Despite the fact that it has existed for so many years, the first attackers’ attempt to make use of this particular vulnerability was spotted on the 30th of May, 2017 only. Mass scans to find vulnerable Samba file sharing servers took place at that time. Due to the fact that shocking news broke around the same time the WannaCry ransomware infiltrated thousands of computers and the vulnerability in question is also exploitable via the SMB protocol, researchers started referring to it as SambaCry or EternalRed. It should be noted that the bug has nothing to do with EternalBlue, one of the exploits the prevalent WannaCry ransomware used. Unlike EternalBlue, SambaCry (or EternalRed) takes advantage of a shared library load. Additionally, they cannot be compared to each other because WannaCry is a pure crypto-threat (ransomware) while SambaCry is a vulnerability, as has already been mentioned.

It is no longer a secret how a vulnerability in Samba is exploited. Attackers begin the SambaCry vulnerability exploitation by analyzing whether they have necessary permissions to write to network drives. They do this by trying to write a text file which consists of 8 random symbols (might include both numbers and letters). If the test is successful, the uploaded .txt file is immediately removed in order not to leave any traces. From this moment, it exists in the virtual memory only. It is the time for the payload after performing this activity. If everything goes smoothly, attackers manage to gain super-user privileges. That is, they get full root access and, as a consequence, can download and upload files of their choice on all affected machines freely. Further analysis has revealed that cyber criminals upload and execute two malicious files on compromised systems: INAebsGB.so (MD5: 349d84b3b176bbc9834230351ef3bc2a) and cblRWuoCc.so (MD5: 2009af3fed2a4704c224694dfc4b31dc).

The first file entitled INAebsGB.so contains the reverse-shell. It connects to the certain port of the Internet Protocol (IP) address and grants remote access to the shell. Consequently, attackers can access victim’s computers and perform whatever activities they want on them, for instance, download and run any programs, delete data, spy on victims, etc.

The second file cblRWuoCc.so attackers upload on affected systems is responsible for downloading and executing a popular open-source cryptocurrency mining utility CPUminer (also known as EternalMiner). Research has revealed that it is downloaded from the domain registered on the 29th of April, 2017 and then immediately activated to mine the cryptocurrency to the wallet belonging to attackers. Mining cryptocurrency requires an enormous power. Because of this, such malicious applications as CPUminer are developed. They make it easier for cyber criminals to perform this activity and get a higher profit by utilizing compromised systems’ resources. Without a doubt, the desire to earn extra money is one of the main, if not the main one, reasons why SambaCry is used by cyber crooks.

According to specialists from Kaspersky Lab, cyber crooks behind this campaign use CPUminer to mine Monero (a cryptocurrency focusing on privacy) using Linux machines they manage to take over. At present, they already have 98 Monero, which is roughly $5400 at today’s price. Keeping track of attackers was not a hard job because there is their private Monero wallet address hardcoded in the cryptocurrency miner’s source code. Unfortunately, it is not very likely that they are going to stop, so the profit they make using victims’ computers resources will surely grow with the increasing number of compromised Linux systems.

At the time the SambaCry vulnerability became public, i.e. at the end of May, 2017, there were around 485 000 machines with vulnerable versions of Samba software running out there. Fortunately, patches addressing this remote code execution vulnerability (CVE-2017-7494) for Samba versions 4.6.4, 4.5.10, and 4.4.14 have already been released. Patches for older versions are also available. Those users with vulnerable versions of Samba must install the patch as soon as possible (it can be downloaded from the official Samba’s website http://www.samba.org/samba/security/), security specialists say. If it is impossible to do that for any reason, a line nt pipe support = no has to be added to the [global] section of the Samba configuration file (smb.conf). Then, smbd has to be restarted. It should be emphasized that these changes might make it impossible to access some network computers.

The exact number of affected machines already mining Monero for cyber criminals is unknown, so all Linux users should go to update their Samba software to the latest version in order to avoid serious problems.