SambaCry Vulnerability: A vulnerability in Samba installations on Linux systems is being used to run a large cryptocurrency mining operation.
The malicious activity began about five days after the Samba development team announced the patch for CVE-2017-7494, which fixes a vulnerability present in all versions of Samba released since 2010.
Because the vulnerability is exploitable over the SMB protocol, and because the issue resembles the SMB flaw used by the WannaCry ransomware, some researchers began referring to the bug as SambaCry or EternalRed.
At a technical level, successful exploitation of SambaCry allows an attacker to open a "pipe" (a channel) on a Samba server, upload malicious code and execute it. Depending on the attacker's skill level, full control of the server can be achieved very easily.
That is exactly what happened. Beginning on 30 May, attackers started running massive scans for vulnerable Samba file-sharing servers.
After locating exposed Samba installations, the attackers began uploading and running malicious code on their victims' machines.
The attack uses two malicious files: one is a remote shell with full root access, and the other is a modified version of the popular cryptocurrency mining application cpuminer.
Experts from Kaspersky Labs who are following the attacks report that the crook or crooks behind this operation mined Monero cryptocurrency using the Linux systems they managed to compromise.
Tracking the attackers was easy because the Monero wallet address is hard-coded into EternalMiner's source code. So far, researchers report that the attackers have mined 98 Monero, about 5,400 dollars at today's price.
According to Rapid7 security researchers, when the SambaCry issue became known on May 25 there were approximately 104,000 Internet-exposed computers running vulnerable versions of the Samba software. The number has decreased as many administrators have updated their systems, but many vulnerable file-sharing servers remain.
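For administrators who want to check whether their own servers fall into the "still vulnerable" group described above, the following POSIX shell script is an added example; it is not code from the article, from Kaspersky, from Rapid7 or from the Samba project. It classifies a Samba version string against the fixed releases and checks an smb.conf for the named-pipe workaround. Both the fixed version numbers (4.6.4, 4.5.10, 4.4.14) and the `nt pipe support = no` workaround are taken from the Samba project's security advisory for CVE-2017-7494, not from this article; the sample smb.conf and version strings are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or the Samba project): classify a Samba
# version against the CVE-2017-7494 fix releases and look for the workaround.
#
# Assumptions, per the Samba security advisory for CVE-2017-7494:
#   - affected: all releases from 3.5.0 onwards
#   - fixed in: 4.6.4, 4.5.10 and 4.4.14 (4.7 and later ship with the fix)
#   - workaround for servers that cannot be patched: "nt pipe support = no"
#     in the [global] section of smb.conf
# Caveat: distribution packages often backport the fix while keeping an older
# version number (e.g. "4.5.9-Debian"), so treat "vulnerable" as a prompt to
# check the package changelog, not as a final verdict.

# Usage: samba_vulnerable "Version 4.6.3"
# Prints one of: vulnerable | patched | unaffected | unknown
samba_vulnerable() {
    # Extract the first dotted numeric run, dropping prefixes like "Version "
    # and vendor suffixes like "-Debian".
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    oldifs=$IFS; IFS=.
    set -- $ver            # split into major / minor / patch (function-local)
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Releases before 3.5.0 predate the bug.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 5 ]; }; then
        echo unaffected; return 0
    fi
    # 4.7 and every later branch were released after the fix.
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 7 ]; }; then
        echo patched; return 0
    fi
    # Supported branches at disclosure time and their first fixed patch level.
    case "$major.$minor" in
        4.6) fixed=4 ;;
        4.5) fixed=10 ;;
        4.4) fixed=14 ;;
        *)   echo vulnerable; return 0 ;;   # 3.5 .. 4.3: no upstream fix release
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Usage: smbconf_has_workaround /etc/samba/smb.conf
# Returns 0 if "nt pipe support = no" is set (case/whitespace tolerant).
smbconf_has_workaround() {
    grep -Eiq '^[[:space:]]*nt[[:space:]]+pipe[[:space:]]+support[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# --- demo on constructed input ---------------------------------------------
# Real-world use: samba_vulnerable "$(smbd --version 2>/dev/null)"
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   nt pipe support = no
EOF

for v in "Version 4.6.3" "4.6.4" "4.5.9-Debian" "4.4.14" "3.6.25" "3.4.2"; do
    printf '%-16s %s\n' "$v" "$(samba_vulnerable "$v")"
done

if smbconf_has_workaround "$demo_conf"; then
    echo "smb.conf: named pipes disabled (workaround present)"
else
    echo "smb.conf: named pipes enabled"
fi
rm -f "$demo_conf"
```

Run it on a live host by feeding `smbd --version` to `samba_vulnerable` and pointing `smbconf_has_workaround` at the real smb.conf; a "patched" result or a present workaround both close the path the article describes, while "vulnerable" on a distribution package should be confirmed against the vendor's changelog before acting.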