MUST READ

EY Exposes 4TB SQL Server Backup Publicly on Microsoft Azure

 | 

Suspected Chinese actors compromise U.S. Telecom firm Ribbon Communications

 | 

U.S. CISA adds XWiki Platform, and Broadcom VMware Aria Operations and VMware Tools flaws to its Known Exploited Vulnerabilities catalog

 | 

Brush exploit can cause any Chromium browser to collapse in 15-60 seconds

 | 

Ex-Defense contractor exec pleads guilty to selling cyber exploits to Russia

 | 

Dentsu’s US subsidiary Merkle hit by cyberattack, staff and client data exposed

 | 

Hacktivists breach Canada’s critical infrastructure, cyber Agency warns

 | 

Russian hackers, likely linked to Sandworm, exploit legitimate tools against Ukrainian targets

 | 

U.S. CISA adds Dassault Systèmes DELMIA Apriso flaws to its Known Exploited Vulnerabilities catalog

 | 

Herodotus Android malware mimics human typing to evade detection

 | 

Aisuru botnet is behind record 20Tb/sec DDoS attacks

 | 

Everest group claimed the hack of Sweden’s power grid operator Svenska kraftnät

 | 

Critical ASP.NET flaw hits QNAP NetBak PC Agent

 | 

Ransomware payments hit record low: only 23% Pay in Q3 2025

 | 

X warns users to re-enroll passkeys and YubiKeys for 2FA by Nov 10

 | 

Memento Labs, the ghost of Hacking Team, has returned — or maybe it was never gone at all.

 | 

Crafted URLs can trick OpenAI Atlas into running dangerous commands

 | 

Linux variant of Qilin Ransomware targets Windows via remote management tools and BYOVD

 | 

Wordfence blocks 8.7M attacks exploiting old GutenKit and Hunk Companion flaws

 | 

Safepay ransomware group claims the hack of professional video surveillance provider Xortec

 | 

SambaCry is reality, crooks are abusing CVE-2017-7494 to spread miners

Pierluigi Paganini June 10, 2017

Security experts from Kaspersky confirmed that threat actors in the wild are exploiting the SambaCry vulnerability CVE-2017-7494 to spread a miner.

At the end of May, a seven-year-old remote code execution vulnerability affecting all versions of the Samba software since 3.5.0 was patched by the development team of the project. An attacker can exploit the CVE-2017-7494 RCE to upload a shared library to a writable share, and then cause the server to load and execute it.

SambaCry allows a remote hacker to take full control of a vulnerable Linux and Unix system.

The flaw, dubbed SambaCry, can be easily exploited, just a line of could be used for the hack under specific conditions:

  • make file- and printer-sharing port 445 reachable on the Internet,
  • configure shared files to have write privileges.
  • use known or guessable server paths for those files.

When the above conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges, depending on the vulnerable platform.

“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” reads the security advisory issued by Samba.

The announcement published by Samba informed users that a patch addressing this remote code execution vulnerability tracked as CVE-2017-7494 was available at the following URL:

http://www.samba.org/samba/security/

Sysadmins have to patch their versions as soon as possible, if it is not possible for any reason a workaround can be implemented by the adding the line

nt pipe support = no

to their Samba configuration file and restarting the network’s SMB daemon.

The change will limit clients from accessing some network computers.

“Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.”

The Samba bug appears to be a network wormable issue that could be exploited by a malicious code to self-replicate from vulnerable machine to vulnerable machine without requiring user interaction.

When SambaCry was discovered, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet.

Security researcher speculated that a rapid increase in the number of cyber attacks leveraging the SambaCry issue, just like WannaCry attacks.

sambacry

Researchers at Kaspersky Lab set up honeypots to detect SambaCry attacks in the wild. The experts have spotted a malware campaign that is exploiting SambaCry vulnerability to infect Linux systems and install a cryptocurrency miner.

“On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry. Surprisingly, it was a cryptocurrency mining utility!” reported Kaspersky.

The independent security researcher Omri Ben Bassat‏ also observed the same campaign that he dubbed “EternalMiner.” The expert confirmed threat actors started exploiting the SambaCry flaw just a week after its discovery to hijack Linux PCs and to install an upgraded version of “CPUminer,” a Monero miner.

Once compromised a Linux Machine exploiting the SambaCry vulnerability, attackers execute two different payloads on the targeted systems:

  • INAebsGB.so — A simple reverse shell that allows a remote attacker to access the target system.
  • cblRWuoCc.so — A backdoor that includes cryptocurrency mining utilities – CPUminer.

“the attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers. In addition, through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware” Kaspersky researchers say.

According to Kaspersky, threat actors behind this campaign have already earned 98 XMR, which worth USD 5,380 today. The experts believe that crooks could earn much more with the increase in the number of compromised Linux systems.

“The mining utility is downloaded from the domain registered on April 29th 2017. According to the log of the transactions, the attackers received their first crypto-coins on the very next day, on April 30th. During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day. This means that the botnet of devices working for the profit of the attackers is growing.,” the researchers say.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-7494, SambaCry)

[adrotate banner=”13″]

CVE-2017-7494 Hacking RCE Remote Code Execution Vulnerability SambaCry

you might also like

Pierluigi Paganini October 31, 2025
EY Exposes 4TB SQL Server Backup Publicly on Microsoft Azure
Read more
Pierluigi Paganini October 31, 2025
Suspected Chinese actors compromise U.S. Telecom firm Ribbon Communications
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

EY Exposes 4TB SQL Server Backup Publicly on Microsoft Azure

Data Breach / October 31, 2025

Suspected Chinese actors compromise U.S. Telecom firm Ribbon Communications

Intelligence / October 31, 2025

U.S. CISA adds XWiki Platform, and Broadcom VMware Aria Operations and VMware Tools flaws to its Known Exploited Vulnerabilities catalog

Hacking / October 30, 2025

Brush exploit can cause any Chromium browser to collapse in 15-60 seconds

Hacking / October 30, 2025

Ex-Defense contractor exec pleads guilty to selling cyber exploits to Russia

Security / October 30, 2025