SambaCry Deploying on NAS Devices

As of yesterday, researchers at Trend Micro have reported that someone is trying to leverage the SambaCry vulnerability to install a backdoor Trojan on Linux machines running unpatched versions of Samba, a file-sharing program. The researchers confirmed that most of the attacks targeted network-attached storage (NAS) appliances, many of which ship with the Samba server, which allows file sharing across different operating systems.

The vulnerability exploited by SambaCry (CVE-2017-7494) is not new and affects several versions of Samba. Samba patched the vulnerability when it became apparent that it was being exploited by the cryptocurrency miner EternalMiner over a month ago. Despite the patch, it is apparent that not all users have updated the versions of Samba installed on their devices.

SHELLBIND opens backdoor

Researchers have named this recent malware SHELLBIND. It was dropped as the final payload in attacks that leveraged the SambaCry exploit. SHELLBIND is a simple Trojan that allows attackers to open a remote shell on infected devices. Once installed on the victim's system, the Trojan alters the system's firewall rules and then opens TCP port 61422 so that the attacker can communicate with the infected device. SHELLBIND informs the attacker by pinging a server located at 169[.]239[.]128[.]123 via port 80. The attacker can then extract new IPs from the server logs. Accessing SHELLBIND requires a password, which is hardcoded into the Trojan: Q8pGZFS7N1MObJHf. Once the password is entered, the attacker can issue a number of commands which essentially allow control of the infected system.

If the password is entered incorrectly, the Trojan responds by bailing out. Researchers at Trend Micro concluded:

The OS patch has already been released for this vulnerability, which may limit the number of victims. Attackers also need to have writable access to a shared location in the target system to deliver the payload—another limiting factor that might stem the rate of infection. Since this vulnerability was patched in May, users who regularly update have no issue. However, Unix or Linux based devices (which comprise most IoT devices) are harder to protect. If Samba is enabled and the manufacturers have not sent out patches, then the devices are vulnerable. Users should proactively update or consult with the specific manufacturers.
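The SHELLBIND behaviour described above (a listener on TCP port 61422, a firewall change to expose it, and a callback to 169[.]239[.]128[.]123 on port 80) can be checked for on a suspect device. The following is an added example, not code from Trend Micro or the original article; the sample `ss -tan` and `iptables -S` output is constructed, and the exact form of the firewall rule the Trojan adds is an assumption.

```python
import re

# Indicators as given in the article; the address is stored defanged, as printed there.
SHELLBIND_PORT = 61422
C2_ADDR = "169[.]239[.]128[.]123".replace("[.]", ".")
C2_PORT = 80

# Constructed `ss -tan` output (documentation addresses, not from a real host).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:445         0.0.0.0:*
LISTEN    0      5      0.0.0.0:61422       0.0.0.0:*
ESTAB     0      0      192.0.2.10:445      192.0.2.77:50312
SYN-SENT  0      1      192.0.2.10:41422    169.239.128.123:80
"""

# Constructed `iptables -S` output; the exact rule SHELLBIND adds is an assumption.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 61422 -j ACCEPT
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (or '[v6]:port') into (addr, port) strings."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def scan_sockets(ss_output):
    """Return (kind, endpoint) findings for the listener and the callback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        peer_addr, peer_port = split_endpoint(peer)
        if state == "LISTEN" and split_endpoint(local)[1] == str(SHELLBIND_PORT):
            findings.append(("listener", local))
        elif peer_addr == C2_ADDR and peer_port == str(C2_PORT):
            findings.append(("c2-callback", peer))
    return findings

def scan_firewall(rules):
    """Return INPUT rules that accept traffic to the backdoor port."""
    pat = re.compile(r"^-A INPUT\b.*--dport %d\b.*-j ACCEPT" % SHELLBIND_PORT)
    return [r for r in rules.splitlines() if pat.search(r)]

if __name__ == "__main__":
    print(scan_sockets(SAMPLE_SS), scan_firewall(SAMPLE_IPTABLES))
```

On a live device, pass the real output of `ss -tan` and `iptables -S` to the two functions in place of the constructed samples.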

SambaCry’s recent history

In late May of this year, following the fiasco caused by WannaCry, researchers detected that attackers could use the above-mentioned vulnerability to create scripted and automated attacks. The cyber security industry called this vulnerability SambaCry because, prima facie, it appeared startlingly similar to WannaCry. Initially, researchers saw that NAS and backup servers were most at risk. Researchers at Rapid7 saw that a direct attack by a worm could render a system's backups useless.

Then, in early June, the cryptocurrency miner EternalMiner was detected leveraging SambaCry, or EternalRed, to mine for Monero using the infected systems' CPUs. Monero is fast becoming cyber criminals' favored cryptocurrency due to its increased anonymity features when compared to Bitcoin. The attacker managed to make at least 98 Monero, which was valued at approximately 5,400 USD at the time of the attack.

The latest attack, SHELLBIND, seems to be used solely for the attacker to gain access to the infected system's data. This assumption is based on the targeted nature of the attack. The data can, in turn, be sold on the black market or used to hold companies to ransom.

NAS devices increasingly targeted

In 2016, Seagate NAS devices were infested with the Mal/Miner-C cryptocurrency miner, used to mine Monero via the infected system's CPU. Researchers at Sophos discovered that “Mal/Miner-C used a very simple and well-known configuration mistake to spread itself all over the world. We decided to see just how many homes and small businesses had vulnerable devices by scanning the internet to look for them.” They concluded that “More than 70% of the servers where write access was enabled had already been found, visited and "borrowed" by crooks looking for innocent-sounding repositories for their malware.”

In March of this year, at least 85 vulnerabilities were discovered in Western Digital NAS devices. These security flaws, if exploited by cyber criminals, could enable attackers to bypass authentication, execute code on the device, and upload or download user data. Zenofex, the company that discovered the vulnerabilities, did not inform Western Digital because the manufacturer had continually ignored warnings issued to it by researchers. The most serious of these vulnerabilities, the authentication bypass issue, was also the easiest to exploit.

This trend is particularly worrying when considering how many NAS devices are further linked to Internet of Things devices which themselves are vulnerable to attack for a variety of reasons. In the realm of cybercrime, it is important to remember nothing is sacred.


About the author:

Karolis Liucveikis
