Hackers start using SambaCry to attack Linux computers

Dubbed the Linux counterpart of WannaCry, SambaCry exploits a vulnerability in the Samba software that gives Linux users reason to worry.

Earlier, a seven-year-old remote code execution vulnerability was disclosed in Samba (the open-source implementation of the SMB network protocol); it allows attackers to take full control of remote Linux and Unix machines. For details on this vulnerability (CVE-2017-7497) and how it works, read this article.

At the time, nearly 485,000 Samba-enabled computers exposed on the Internet were potentially vulnerable, and researchers predicted that SambaCry attacks could become as widespread as the WannaCry ransomware had been before.

The prediction proved accurate: a honeypot (a decoy system of fake resources set up to lure attackers away from real systems and observe them) run by a research group at Kaspersky Lab caught a malware campaign that exploits the SambaCry vulnerability to infect Linux computers with a cryptocurrency miner. Another security researcher, Omri Ben Bassat, independently discovered a similar campaign, which he named EternalMiner.

According to the researchers, an unknown hacker group began attacking Linux computers just a week after the Samba vulnerability was made public, installing an upgraded version of CPUminer, a mining program, to mine the Monero cryptocurrency (XMR).

After compromising a computer through the SambaCry vulnerability, the attacker executes two payloads on the victim's machine:

  1. INAebsGB.so - a reverse shell that gives the attacker remote control.
  2. cblRWuoCc.so - a backdoor that includes the CPUminer cryptocurrency mining tool.

"Although the reverse code is still in the system, an attacker can change the configuration of the running mining tools or infect the victim machine with other types of malware," the Kaspersky researchers said. Cryptocurrency mining is expensive because it requires large amounts of computing power, but this type of malware makes it an easy way for cybercriminals to profit, since it runs on hijacked resources.

You may also remember Adylkuzz, mining malware that used the SMB vulnerability on Windows at least two weeks before the WannaCry attack. Adylkuzz likewise mined Monero using the large computing resources of compromised Windows machines.

Picture 1: Attacked machines consume a lot of computing resources

The attackers behind the SambaCry CPUminer campaign have earned 98 XMR, equivalent to $5380 today, and this number will keep growing as more Linux machines are infected. "On the first day they earned about 1 XMR (equivalent to $55 at the exchange rate on June 8, 2017), but during the last week they earned 5 XMR a day," the researchers said.

Samba has fixed the vulnerability in versions 4.6.4, 4.5.10 and 4.4.14 and recommends that anyone running an unpatched Samba version update as soon as possible.
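An added example (not from the article or the Samba project) of how an administrator can check whether an installed Samba version meets the fixed releases listed above, given the output of `smbd -V`. It assumes branches newer than 4.6 already carry the fix and branches older than 4.4 do not; distributions often backport fixes without bumping the upstream version, so a "not patched" result should be confirmed against the vendor advisory.

```python
import re

# Minimum fixed release per Samba branch, as stated in the article.
# Assumption: branches newer than 4.6 already carry the fix; branches older
# than 4.4 are treated as unpatched.
PATCHED_MIN = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Version 4.4.9-Ubuntu'.
    Returns None when no x.y.z version number is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_patched(text):
    """True if the version is at or above the fixed release for its branch.
    Caveat: a False result from a distro-packaged Samba may be a backported
    build; verify against the vendor's advisory before treating it as vulnerable."""
    v = parse_version(text)
    if v is None:
        raise ValueError("no Samba version found in: %r" % text)
    branch = v[:2]
    if branch in PATCHED_MIN:
        return v >= PATCHED_MIN[branch]
    # Outside the three patched branches: newer branches are fine, older are not.
    return branch > max(PATCHED_MIN)


if __name__ == "__main__":
    # Constructed sample `smbd -V` outputs (not captured from real hosts).
    samples = ["Version 4.4.9-Ubuntu", "Version 4.5.10", "Version 4.6.5",
               "Version 4.3.11", "Version 4.7.0"]
    for line in samples:
        print(line, "->", "patched" if is_patched(line) else "NOT patched")
```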
