Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Malware Targets NAS Devices Via SambaCry Exploit

A piece of malware dubbed by researchers SHELLBIND leverages a recently patched Samba vulnerability in attacks aimed at Internet of Things (IoT) devices, particularly network-attached storage (NAS) appliances.

A piece of malware dubbed by researchers SHELLBIND leverages a recently patched Samba vulnerability in attacks aimed at Internet of Things (IoT) devices, particularly network-attached storage (NAS) appliances.

The Samba flaw exploited in these attacks, tracked as CVE-2017-7494 and known as SambaCry and EternalRed, can be exploited by a malicious client to upload a shared library to a writable share, and then cause the server to load that library. This allows a remote attacker to execute arbitrary code on the targeted system.

The security hole was introduced in the Samba code in 2010 and it was patched in May. Since the Samba interoperability software suite is highly popular, the vulnerability affects the products of several major vendors, including NAS appliances.

Roughly two weeks after the patch was released, security firms noticed that the vulnerability had been exploited to deliver a cryptocurrency miner.

In early July, researchers at Trend Micro spotted another type of attack involving SambaCry. Cybercriminals have been exploiting the vulnerability in attacks targeting NAS devices used by small and medium-size businesses. The malware they have been using works on various architectures, including MIPS, ARM and PowerPC.

Attackers can leverage the Shodan Internet search engine to identify devices using Samba and write the initial malware files to their public folders.

According to Trend Micro, ELF_SHELLBIND.A is delivered as a SO file to Samba public folders and loaded via the SambaCry vulnerability. Once it’s deployed on the targeted system, the malware contacts a command and control (C&C) server located in East Africa. The threat modifies firewall rules to ensure that it can communicate with its server.

“Once the connection is successfully established and authentication is confirmed, then the attacker will have an open command shell in the infected systems where he can issue any number of system commands and essentially take control of the device,” explained Trend Micro researchers.

Users can protect their systems against these attacks by ensuring that Samba is up to date. Another mitigating factor is the need to have writable access to a shared location on the targeted system.

Related Reading: Multiple Zero-days Disclosed in Western Digital NAS Storage Devices

Related Reading: NAS Devices Used to Spread Cryptocurrency Mining Malware

Related Reading: Critical Vulnerabilities Patched in QNAP Storage Devices

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.