Two weeks ago we reported about a 7-year-old critical remote code execution vulnerability in Samba networking software (re-implementation of SMB networking protocol) that allows a remote hacker to take full control of a vulnerable Linux and Unix machines.
To know more about the SambaCry vulnerability (CVE-2017-7494) and how it works, you can read our previous article.
At that time, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet, and researchers predicted that the SambaCry-based attacks also have potential to spread just like WannaCry ransomware widely.
The prediction came out to be quite accurate, as honeypots set up by the team of researchers from Kaspersky Lab have captured a malware campaign that is exploiting SambaCry vulnerability to infect Linux computers with cryptocurrency mining software.
Another security researcher, Omri Ben Bassat, independently discovered the same campaign and named it “EternalMiner.”
According to the researchers, an unknown group of hackers has started hijacking Linux PCs just a week after the Samba flaw was disclosed publicly and installing an upgraded version of “CPUminer,” a cryptocurrency mining software that mines “Monero” digital currency.
After compromising the vulnerable machines using SambaCry vulnerability, attackers execute two payloads on the targeted systems:
- INAebsGB.so — A reverse-shell that provides remote access to the attackers.
- cblRWuoCc.so — A backdoor that includes cryptocurrency mining utilities – CPUminer.
“Through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware,” Kaspersky researchers say.
Mining cryptocurrencies can be a costly investment as it requires an enormous amount of computing power, but such cryptocurrency-mining malware makes it easier for cybercriminals by allowing them to utilise computing resources of compromised systems to make the profit.
If you have been following The Hacker News regularly, you must be aware of Adylkuzz, a cryptocurrency-mining malware that was using Windows SMB vulnerability at least two weeks before the outbreak of WannaCry ransomware attacks.
The Adylkuzz malware was also mining Monero by utilizing the enormous amount of computing resources of the compromised Windows systems.
The attackers behind SambaCry-based CPUminer attack have already earned 98 XMR, which worth 5,380 today and this figure is continuously rising with the increase in the number of compromised Linux systems.
“During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day,” the researchers say.
The maintainers of Samba has already patched the issue in their new Samba versions 4.6.4/4.5.10/4.4.14, and are urging those using a vulnerable version of Samba to install the patch as soon as possible.