Unknown attackers are using a recently patched vulnerability in Samba to spread a resource-intensive cryptocurrency mining utility. To date, the operation has netted the attackers just under $6,000 USD, but the number of compromised computers is growing, meaning that a significant number of Samba deployments on *NIX servers remain unpatched.
The attack also demonstrates that the vulnerability in Samba, CVE-2017-7494, can extend EternalBlue-like attacks into Linux and UNIX environments. Samba is a software package that runs on Linux and UNIX servers and sets up file and print services over the SMB networking protocol, integrating those services into a Windows environment.
The Samba vulnerability is similar to the SMB bug exploited on May 12 by attackers using the NSA's EternalBlue exploit to spread WannaCry ransomware. Experts warned that EternalBlue can be fitted with any measure of attack, and they have a similar message about this flaw, which has been nicknamed SambaCry.
Researchers at Kaspersky Lab said that one of their honeypots snagged on May 30 some of the first exploits targeting the Samba vulnerability. The payload was a two-headed threat: a Linux backdoor and a mining utility called Cpuminer that is leveraging the processing power of its victims to create Monero cryptocurrency.
"The attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers," Kaspersky Lab said in a report published on Securelist.com.
The researchers said the attackers' Monero wallet and pool address are hardcoded in the attack.
"According to the log of the transactions, the attackers received their first crypto-coins on the very next day, on April 30th," Kaspersky Lab said. "During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day. This means that the botnet of devices working for the profit of the attackers is growing."
As of Friday, the attackers had mined about $6,000 USD, and Kaspersky Lab said it was unsure about the scale of the attack. Upon disclosure of the Samba vulnerability almost three weeks ago, Rapid7 said an internet scan using its Project Sonar software found more than 104,000 endpoints running vulnerable versions of Samba over port 445, the SMB port. More than 92,000 are running versions of Samba that have no patches available. The vulnerability was introduced into Samba in 2010 in version 3.5.0; admins should upgrade to patched versions: 4.6.4, 4.5.10 and 4.4.14.
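To triage an inventory against the version boundaries given above, the following added example (not code from Threatpost, Kaspersky Lab or the Samba project) classifies `smbd --version` style banners. The host names, sample banners and status labels are constructed for illustration, and treating branches newer than 4.6 as fixed is an assumption.

```python
import re

# Version facts as stated in the article: the bug was introduced in 3.5.0
# and fixed in 4.6.4, 4.5.10 and 4.4.14.
INTRODUCED = (3, 5, 0)
FIXED_BY_BRANCH = {(4, 4): 14, (4, 5): 10, (4, 6): 4}


def parse_version(banner):
    """Extract (major, minor, patch) from text such as 'Version 4.5.8-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no Samba version found in {banner!r}")
    return tuple(int(part) for part in m.groups())


def classify(banner):
    """Return a triage status for one version banner."""
    version = parse_version(banner)
    if version < INTRODUCED:
        return "not-affected"
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = version[2] >= FIXED_BY_BRANCH[branch]
        return "patched" if fixed else "vulnerable-upgrade-in-branch"
    if branch < (4, 4):
        # Older branches have no patched release named in the article.
        return "vulnerable-no-branch-fix"
    # Assumption: branches newer than 4.6 carry the fix forward.
    return "patched"


def triage(inventory):
    """Map host -> status; distributions may backport fixes without changing
    the upstream version, so confirm 'vulnerable' hosts in the package changelog."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "files01": "Version 4.5.8-Debian",
    "files02": "Version 4.6.4",
    "nas-old": "Version 3.6.25",
    "legacy": "Version 3.4.17",
    "print01": "Version 4.3.11-Ubuntu",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {status}")
```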
Kaspersky Lab said the exploit is assembled as a Samba plugin. After running a check (a file containing random symbols) to see whether the server has write permissions for the network, the attack must then brute-force the full path to the dropped file. The most obvious paths are laid out in Samba instruction manuals, Kaspersky Lab said. Once it finds the path, the exploit is loaded and executed in the context of the Samba server process using the vulnerability; it runs only in virtual memory.
Kaspersky Lab said the attacks captured by its honeypot contained two files, a Linux backdoor and the miner: INAebsGB.so and cblRWuoCc.so, respectively. INAebsGB.so is a reverse shell that connects to the port of the IP address specified by the owner, giving it remote access to the shell.
"As a result, the attackers have an ability to execute remotely any shell-commands. They can literally do anything they want, from downloading and running any programs from the Internet, to deleting all the data from the victim's computer," Kaspersky Lab said, adding that this is similar to the SambaCry exploit in Metasploit.
The other file, cblRWuoCc.so, downloads and executes Cpuminer from a domain registered on April 29.
Coincidentally, another set of attackers used EternalBlue to spread a cryptocurrency miner called Adylkuzz for Monero on Windows machines. Monero is marketed as a privacy-conscious cryptocurrency, and goes to great lengths to obfuscate its blockchain, making it a challenge to trace any activity.
The Adylkuzz attacks pre-date WannaCry, with the first samples going back to April 24, researchers at Proofpoint said. More than 20 virtual private servers were scanning the internet for targets with port 445 exposed, the same port used by SMB traffic when connected to the internet, and the same port abused by EternalBlue and DoublePulsar.
Read more:
Attackers Mining Cryptocurrency Using Exploits for Samba Vulnerability - Threatpost