At the end of May, a seven-year-old remote code execution vulnerability affecting all versions of the Samba software since 3.5.0 was patched by the development team of the project. An attacker can exploit the CVE-2017-7494 RCE to upload a shared library to a writable share, and then cause the server to load and execute it.
SambaCry allows a remote hacker to take full control of a vulnerable Linux and Unix system.
The flaw, dubbed SambaCry, can be easily exploited, just a line of could be used for the hack under specific conditions:
When the above conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges, depending on the vulnerable platform.
“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” reads the security advisory issued by Samba.
The announcement published by Samba informed users that a patch addressing this remote code execution vulnerability tracked as CVE-2017-7494 was available at the following URL:
http://www.samba.org/samba/security/
Sysadmins have to patch their versions as soon as possible, if it is not possible for any reason a workaround can be implemented by the adding the line
nt pipe support = no
to their Samba configuration file and restarting the network’s SMB daemon.
The change will limit clients from accessing some network computers.
“Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.”
The Samba bug appears to be a network wormable issue that could be exploited by a malicious code to self-replicate from vulnerable machine to vulnerable machine without requiring user interaction.
When SambaCry was discovered, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet.
Security researcher speculated that a rapid increase in the number of cyber attacks leveraging the SambaCry issue, just like WannaCry attacks.
Researchers at Kaspersky Lab set up honeypots to detect SambaCry attacks in the wild. The experts have spotted a malware campaign that is exploiting SambaCry vulnerability to infect Linux systems and install a cryptocurrency miner.
“On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry. Surprisingly, it was a cryptocurrency mining utility!” reported Kaspersky.
The independent security researcher Omri Ben Bassat also observed the same campaign that he dubbed “EternalMiner.” The expert confirmed threat actors started exploiting the SambaCry flaw just a week after its discovery to hijack Linux PCs and to install an upgraded version of “CPUminer,” a Monero miner.
Cryptocurrency miner #EternalMiner using #SambaCry #CVE_2017_7494 to infect Linux servers. brand new sample @malwrhunterteam. pic.twitter.com/aXlEQKkdtq
— Omri Ben-Bassat (@beta_b0t) June 8, 2017
Once compromised a Linux Machine exploiting the SambaCry vulnerability, attackers execute two different payloads on the targeted systems:
“the attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers. In addition, through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware” Kaspersky researchers say.
According to Kaspersky, threat actors behind this campaign have already earned 98 XMR, which worth USD 5,380 today. The experts believe that crooks could earn much more with the increase in the number of compromised Linux systems.
“The mining utility is downloaded from the domain registered on April 29th 2017. According to the log of the transactions, the attackers received their first crypto-coins on the very next day, on April 30th. During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day. This means that the botnet of devices working for the profit of the attackers is growing.,” the researchers say.