Attackers Leverage SambaCry Flaw to Run Cryptocurrency Miner

June 14, 2017 @ 12:11 PM
| |
2 min read

Fraudsters have exploited a patched vulnerability to push a cryptocurrency miner to Linux machines and generate electronic cash. The attacks, detailed by researchers at security firms Kaspersky Lab and Cyphort, take advantage of a vulnerability in installations of the interoperability tool Samba. This news comes just days after the Samba team announced it had patched earlier versions of the software.

The vulnerability also comes in the wake of the recent WannaCry ransomware. SecurityWeek explained that, like its counterpart, the cryptocurrency miner — which some researchers have referred to as SambaCry — presents a significant risk to users and businesses.

Exploiting Samba

Samba, which runs on Linux and UNIX servers, is a tool that sets up filing and printing services over the SMB network protocol, integrating those services into a Windows environment. Attackers looking to run the cryptocurrency miner use a flaw in Samba to install a malicious plugin that allows super-user privileges.

Kaspersky warned users that the Samba vulnerability is like the bug that cybercriminals exploited during the recent outbreak of WannaCry ransomware. The first delivered file is a backdoor that provides a reverse shell, allowing attackers to remotely execute commands.

Threat actors then install a cryptocurrency miner to collect cash in the form of Monero, which is an alternative to bitcoin. Profits are sent to a wallet with a hardcoded address.

More Than Just a Cryptocurrency Miner

Kaspersky said the attackers received their first cryptocoins on April 30, when they gained about 1 XMR (about $55). After a month of mining, the attackers had gained 98 XMR, which means they had earned about $5,500.

Although the numbers are relatively small, the increase in profit suggested the botnet of devices mining on behalf of the attackers is growing at a significant rate. More troublesome, Kaspersky researchers said they do not yet have any information about the scale of the attack.

IT decision-makers should note that affected machines can act as more than a cryptocurrency miner. Cybercriminals can leverage the reverse shell left in the system to change the configuration of the existing miner, or they can infect the victim’s computer with other malware.

How to Respond

Security firm Rapid7 noted that many domestic and corporate storage systems run Samba. The tool is often installed by default on Linux systems, meaning companies could be running Samba without even knowing it. Its recent scan discovered more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba.

Kaspersky explained that news of the vulnerability is another reminder about the importance of strong security policies. Researchers urged system administrators and ordinary Linux users to update their Samba software to the latest patched version, which was released at the end of May.

IT decision-makers should also note that SambaCry is not the only malware being used to run a cryptocurrency miner. Experts recently uncovered a new variant of the Mirai malware that has a built-in bitcoin mining component. All stakeholders, including businesses and IT suppliers, must work together to ensure devices are patched and secure in the connected age.

Mark Samuels
Tech Journalist

Mark Samuels is an experienced business technology journalist with an outstanding track record in research. He specializes in the role of chief information o...
read more