Multiple exploitation attempts using the recently disclosed Samba vulnerability CVE-2017-7494 are looking to spread bitcoin miners—likely as part of an organized cybercrime ring.
Cyphort Labs said in an analysis that the exploit incorporates advanced functionality that had been released in the Metasploit framework only a week earlier, which reinforces the notion that cyber-criminals “have a pulse on recent developments and are quick to integrate newly disclosed information in their arsenal of weapons.”
The vulnerability requires that the attacker has access to valid credentials or that the share is writable by guests. In the Samba share that Cyphort researchers investigated, the attacker first enumerated the available network shares, identified the local filesystem path of a share and then uploaded malware to it. Once the exploit was triggered, it could be used to execute code remotely. The final payload is a bitcoin miner, and the infection contains a placeholder for a future enhancement: the ability to restart the bitcoin miner in case it gets killed.
“It is clear that the recently disclosed Samba vulnerability is being actively exploited in the wild by criminal groups trying to monetize their investment,” Cyphort researchers said. “We will probably see this technique spread to include spambots, start lateral spread from the compromised systems and definitely evolve into full-fledged espionage, industrial or otherwise. With the price of bitcoin hovering around $2800 and reaching new all-time records every week, there is no surprise that bitcoin miners are in fashion again.”
The Samba exploit was uncovered in May, making use of a seven-year-old bug in the open source SMB implementation. CVE-2017-7494 affects all versions of Samba from 3.5.0 onwards and can apparently be exploited with just one line of code if certain conditions are met, such as port 445 being reachable. As seen by Cyphort, it exposes machines to remote code execution: a malicious client can upload a shared library to a writable share and then cause the server to load and execute it.
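The two preconditions the article describes, a share the attacker can write to (either with valid credentials or as a guest) and a Samba server that will load a library from it, are both visible in the server's smb.conf. The following script is an added defender-side example, not code from the article or from Cyphort or Samba: it parses an smb.conf, flags every share that is writable (and, worse, writable by guests), and checks whether the `[global]` section carries `nt pipe support = no`, the configuration workaround Samba documented for CVE-2017-7494 when patching is not immediately possible. The sample configuration embedded in it is constructed for illustration; the share names and paths are not from the article.

```python
"""Audit an smb.conf for the exposure conditions behind CVE-2017-7494 abuse:
writable shares (the upload path) and the absence of the Samba-documented
workaround 'nt pipe support = no' (which blocks the library-loading step).
Added example; the configuration below is constructed, not from a real host."""

# Constructed sample smb.conf: one guest-writable share, one share writable
# only for authenticated users, one read-only public share, and the
# workaround left commented out.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server %h
   ; nt pipe support = no

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[docs]
   path = /srv/samba/docs
   read only = no
   valid users = @staff

[archive]
   path = /srv/samba/archive
   public = yes
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with lower-cased
    section names, keys and values. Lines starting with ';' or '#' are
    comments. Interpolation tokens such as %h are left untouched."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def _truthy(value):
    return value is not None and value.lower() in TRUE_VALUES


def share_is_writable(opts):
    """'writable'/'writeable' are inverse synonyms of 'read only';
    Samba's default is 'read only = yes', i.e. not writable."""
    for key in ("writable", "writeable"):
        if key in opts:
            return _truthy(opts[key])
    if "read only" in opts:
        return not _truthy(opts["read only"])
    return False


def share_allows_guest(opts):
    """'guest ok' and its synonym 'public'; default is no."""
    for key in ("guest ok", "public"):
        if key in opts:
            return _truthy(opts[key])
    return False


def audit(text):
    """Return a list of (section, finding) tuples, most severe first per share."""
    conf = parse_smb_conf(text)
    findings = []
    if conf.get("global", {}).get("nt pipe support") != "no":
        findings.append(("global", "workaround 'nt pipe support = no' not set"))
    for name, opts in conf.items():
        if name == "global":
            continue
        writable, guest = share_is_writable(opts), share_allows_guest(opts)
        if writable and guest:
            findings.append((name, "writable by guests: upload needs no credentials"))
        elif writable:
            findings.append((name, "writable: upload needs only valid credentials"))
    return findings


def with_workaround(text):
    """Return the config with 'nt pipe support = no' added under [global]
    (unchanged if no [global] section exists)."""
    out = []
    for raw in text.splitlines():
        out.append(raw)
        if raw.strip().lower() == "[global]":
            out.append("   nt pipe support = no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```

Run against the sample, the audit reports the missing workaround plus the `public` (guest-writable) and `docs` (authenticated-writable) shares, and stays silent on the read-only `archive` share. Applying the workaround clears only the `[global]` finding: the writable shares remain the upload path, so the lasting fix is still an updated Samba build and a review of which shares really need write access.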
Rapid7 has said that its own internet scanning found over 104,000 endpoints running vulnerable Samba versions.
“We believe these vulnerable systems are likely conduits into organization networks; but it’s also likely that many of these devices are personal, IoT devices. Many home and corporate network storage systems also run Samba, and it's very straightforward to enable the Samba service on any Linux endpoint,” the firm said in May.