U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

SambaCry is reality, crooks are abusing CVE-2017-7494 to spread miners

Security experts from Kaspersky confirmed that threat actors in the wild are exploiting the SambaCry vulnerability CVE-2017-7494 to spread a miner. At the end of May, a seven-year-old remote code execution vulnerability affecting all versions of the Samba software since 3.5.0 was patched by the development team of the project. An attacker can exploit the CVE-2017-7494 […]

samba CVE-2021-44142

Security experts from Kaspersky confirmed that threat actors in the wild are exploiting the SambaCry vulnerability CVE-2017-7494 to spread a miner.

SambaCry allows a remote hacker to take full control of a vulnerable Linux and Unix system.

nt pipe support = no

to their Samba configuration file and restarting the network’s SMB daemon.

The change will limit clients from accessing some network computers.

The Samba bug appears to be a network wormable issue that could be exploited by a malicious code to self-replicate from vulnerable machine to vulnerable machine without requiring user interaction.

When SambaCry was discovered, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet.

Security researcher speculated that a rapid increase in the number of cyber attacks leveraging the SambaCry issue, just like WannaCry attacks.

sambacry

Researchers at Kaspersky Lab set up honeypots to detect SambaCry attacks in the wild. The experts have spotted a malware campaign that is exploiting SambaCry vulnerability to infect Linux systems and install a cryptocurrency miner.

“On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry. Surprisingly, it was a cryptocurrency mining utility!” reported Kaspersky.

The independent security researcher Omri Ben Bassat‏ also observed the same campaign that he dubbed “EternalMiner.” The expert confirmed threat actors started exploiting the SambaCry flaw just a week after its discovery to hijack Linux PCs and to install an upgraded version of “CPUminer,” a Monero miner.

Once compromised a Linux Machine exploiting the SambaCry vulnerability, attackers execute two different payloads on the targeted systems:

  • INAebsGB.so — A simple reverse shell that allows a remote attacker to access the target system.
  • cblRWuoCc.so — A backdoor that includes cryptocurrency mining utilities – CPUminer.

“the attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers. In addition, through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware” Kaspersky researchers say.

According to Kaspersky, threat actors behind this campaign have already earned 98 XMR, which worth USD 5,380 today. The experts believe that crooks could earn much more with the increase in the number of compromised Linux systems.

“The mining utility is downloaded from the domain registered on April 29th 2017. According to the log of the transactions, the attackers received their first crypto-coins on the very next day, on April 30th. During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day. This means that the botnet of devices working for the profit of the attackers is growing.,” the researchers say.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-7494, SambaCry)

[adrotate banner=”13″]