At the end of May, an alert was posted about a vulnerability (CVE-2017-7494) affecting all versions of Samba from 3.5.0 onwards and allowing an attacker to achieve remote code execution.
To exploit it, TCP port 445 must be reachable, the attacker must have write access to a share, and the server-side path of the file written there must be known or easy to guess: the attacker uploads a shared library to the writable share and then makes the server load and execute it. The flaw had been present for seven years; it was fixed in Samba 4.6.4, 4.5.10 and 4.4.14.
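As an added example, not code from the original article or from Kaspersky Lab, the following Python script checks the preconditions listed above offline: it parses a constructed smb.conf, lists the shares a client could write to, compares a Samba version string against the fixed releases named above, and looks for the `nt pipe support = no` workaround that the Samba team published alongside the fix. The handling of branches not named above (4.7 and later, and branches older than 4.4) is an assumption, marked as such in the code.

```python
"""Offline audit of the CVE-2017-7494 (SambaCry) preconditions: a
vulnerable Samba release plus a share that clients can write to.
Also checks for the Samba team's workaround 'nt pipe support = no'.
The sample smb.conf below is constructed for this example."""
import configparser
import re

FIRST_AFFECTED = (3, 5, 0)
# Fixed releases named in the article; everything from 3.5.0 up to
# the fix in the same branch is affected.
FIXED_IN_BRANCH = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_CLEAN_BRANCH = (4, 7)  # assumption: 4.7 shipped after the fix
SAMBA_TRUE = {"yes", "true", "1", "on"}


def parse_version(text):
    """Pull a dotted x.y.z triple out of e.g. 'Version 4.5.9-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def is_vulnerable_version(text):
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_IN_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Assumption for branches without a listed fixed release: 4.7+ is
    # clean, older EOL branches (3.5 to 4.3) are treated as affected.
    return v[:2] < FIRST_CLEAN_BRANCH


def samba_bool(value, default=False):
    if value is None:
        return default
    return value.strip().lower() in SAMBA_TRUE


def parse_smb_conf(text):
    """smb.conf is INI-like; Samba ignores case and whitespace in
    parameter names, so 'Read Only' and 'readonly' are the same key."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = lambda name: re.sub(r"\s+", "", name).lower()
    cp.read_string(text)
    return cp


def writable_shares(cp):
    """Shares a client could write to. Samba's default is 'read only =
    yes'; 'writable', 'writeable' and 'write ok' are synonyms for its
    inverse, and the last setting in the section wins."""
    found = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        writable = False
        for key, value in cp[name].items():
            if key == "readonly":
                writable = not samba_bool(value)
            elif key in ("writable", "writeable", "writeok"):
                writable = samba_bool(value)
        if writable:
            found.append(name)
    return found


def nt_pipe_support_disabled(cp):
    """Workaround from the Samba advisory: 'nt pipe support = no' in
    [global]. It stops the named-pipe access the exploit relies on,
    at the cost of breaking some Windows clients."""
    if not cp.has_section("global"):
        return False
    return not samba_bool(cp["global"].get("ntpipesupport"), default=True)


def audit(version_text, conf_text):
    cp = parse_smb_conf(conf_text)
    vulnerable = is_vulnerable_version(version_text)
    shares = writable_shares(cp)
    mitigated = nt_pipe_support_disabled(cp)
    return {"vulnerable_version": vulnerable, "writable_shares": shares,
            "nt_pipe_support_disabled": mitigated,
            "exposed": vulnerable and bool(shares) and not mitigated}


# Constructed sample smb.conf, not taken from any real host.
SAMPLE_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba %v
[public]
path = /srv/samba/public
guest ok = yes
read only = no
[docs]
path = /srv/samba/docs
Read Only = yes
writable = no
[scratch]
path = /tmp/scratch
Writeable = Yes
"""
# The same file with the advisory's workaround applied.
HARDENED_CONF = SAMPLE_CONF.replace("[global]\n", "[global]\nnt pipe support = no\n", 1)
```

Run `audit("Version 4.5.9-Ubuntu", SAMPLE_CONF)` to see the host flagged as exposed through the `public` and `scratch` shares; the same call with `HARDENED_CONF` reports the workaround and clears the `exposed` flag, although updating to a fixed release remains the real fix.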
Samba is the free implementation of Microsoft's Server Message Block (SMB) protocol for Linux distributions and UNIX systems, so the possibility of similar attacks was quickly raised in the context of WannaCry (and the EternalBlue exploit it used against Windows). The flaw was even nicknamed SambaCry, and an exploit for it EternalRed.
Security researchers at Kaspersky Lab reported that their honeypots had captured an attack exploiting the Samba flaw, or SambaCry, to infect Linux machines. The payload was not ransomware, however, but a cryptocurrency miner.
Specifically, it is a modified version of cpuminer used to mine the open-source cryptocurrency Monero (XMR), which is why the campaign has been dubbed EternalMiner. More precisely, once a vulnerable machine is compromised, two payloads are executed: INAebsGB.so and cblRWuoCc.so.
The first is a reverse shell providing remote access; the second is a backdoor that embeds everything needed for cryptocurrency mining. Through the reverse shell, the configuration of an already running miner can be changed, or the machine can be infected with other malware.
After Adylkuzz and, more recently, Linux.MulDrop.14, which targets the Raspberry Pi, covert cryptocurrency mining is once again a trend in attacks. Based on the Monero wallet address hardcoded in the payload, Kaspersky Lab researchers put the attacker's take at 98 XMR as of June 8, the equivalent of more than €4,500.
After a month of mining, the botnet devoted to this activity appears to be growing, with an increasing number of infected devices. "At the moment, we have no information on the actual scale of the attack," the researchers write. "However, this is an excellent reason for system administrators and ordinary Linux users to immediately update their Samba software to the latest version to avoid future problems."