SambaCry Vulnerability: A vulnerability in Samba's facilities on Linux systems allows attacks on a huge crypto-currency mining business.
The actions of malicious users began about five days after the Samba development team announced the patch CVE-2017-7494, which fixes a vulnerability in all versions of Samba released by 2010.
Because the vulnerability is exploitable through the SMB protocol and because the issue resembled the vulnerability used by the SMB WannaCry ransomware, some researchers started reporting the bug as SambaCry or EternalRed.
On a technical level, a successful SambaCry exploit allows an intruder to open a "pipe" or a path to Samba's servers, upload malicious code and execute it. Depending on the skill level of the attacker, one could easily gain complete control of the server.
That's exactly what happened. Beginning with 30 May, hackers began to run massive scans looking for vulnerable Samba file sharing servers.
After discovering Samba installations, attackers began loading and running malicious code on machineeyes of their victims.
Attack is done with two malicious files: one is a remote shell with full root access, and the other one is a modified version of the popular crypto-currency mining application called cpuminer.
Experts from Kaspersky Labs who are following the attacks report that the crook or crooks behind this operation mined Monero crypto-coins using the Linux systems they managed to break.
Tracking the attackers was easy because they encrypted the Monero address wallet inside the EternalMiner source code. So far the researchers report that the hackers have managed to mine 98 Monero, about $5.400 at today's price.
According to security researchers Rapid7, by the time the SambaCry issue became known, on May 25 there were approximately 104.000 computers exposed to the Internet using vulnerable versions of the Samba software. The number has decreased as many administrators have updated their systems, but there are still many vulnerable servers that allow file sharing.