June 14, 2017 By Mark Samuels 2 min read

Fraudsters have exploited a patched vulnerability to push a cryptocurrency miner to Linux machines and generate electronic cash. The attacks, detailed by researchers at security firms Kaspersky Lab and Cyphort, take advantage of a vulnerability in installations of the interoperability tool Samba. This news comes just days after the Samba team announced it had patched earlier versions of the software.

The vulnerability also comes in the wake of the recent WannaCry ransomware. SecurityWeek explained that, like its counterpart, the cryptocurrency miner — which some researchers have referred to as SambaCry — presents a significant risk to users and businesses.

Exploiting Samba

Samba, which runs on Linux and UNIX servers, is a tool that sets up filing and printing services over the SMB network protocol, integrating those services into a Windows environment. Attackers looking to run the cryptocurrency miner use a flaw in Samba to install a malicious plugin that allows super-user privileges.

Kaspersky warned users that the Samba vulnerability is like the bug that cybercriminals exploited during the recent outbreak of WannaCry ransomware. The first delivered file is a backdoor that provides a reverse shell, allowing attackers to remotely execute commands.

Threat actors then install a cryptocurrency miner to collect cash in the form of Monero, which is an alternative to bitcoin. Profits are sent to a wallet with a hardcoded address.

More Than Just a Cryptocurrency Miner

Kaspersky said the attackers received their first cryptocoins on April 30, when they gained about 1 XMR (about $55). After a month of mining, the attackers had gained 98 XMR, which means they had earned about $5,500.

Although the numbers are relatively small, the increase in profit suggested the botnet of devices mining on behalf of the attackers is growing at a significant rate. More troublesome, Kaspersky researchers said they do not yet have any information about the scale of the attack.

IT decision-makers should note that affected machines can act as more than a cryptocurrency miner. Cybercriminals can leverage the reverse shell left in the system to change the configuration of the existing miner, or they can infect the victim’s computer with other malware.

How to Respond

Security firm Rapid7 noted that many domestic and corporate storage systems run Samba. The tool is often installed by default on Linux systems, meaning companies could be running Samba without even knowing it. Its recent scan discovered more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba.

Kaspersky explained that news of the vulnerability is another reminder about the importance of strong security policies. Researchers urged system administrators and ordinary Linux users to update their Samba software to the latest patched version, which was released at the end of May.

IT decision-makers should also note that SambaCry is not the only malware being used to run a cryptocurrency miner. Experts recently uncovered a new variant of the Mirai malware that has a built-in bitcoin mining component. All stakeholders, including businesses and IT suppliers, must work together to ensure devices are patched and secure in the connected age.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today