A piece of malware dubbed by researchers SHELLBIND leverages a recently patched Samba vulnerability in attacks aimed at Internet of Things (IoT) devices, particularly network-attached storage (NAS) appliances.
The Samba flaw exploited in these attacks, tracked as CVE-2017-7494 and known as SambaCry and EternalRed, can be exploited by a malicious client to upload a shared library to a writable share, and then cause the server to load that library. This allows a remote attacker to execute arbitrary code on the targeted system.
The security hole was introduced in the Samba code in 2010 and it was patched in May. Since the Samba interoperability software suite is highly popular, the vulnerability affects the products of several major vendors, including NAS appliances.
Roughly two weeks after the patch was released, security firms noticed that the vulnerability had been exploited to deliver a cryptocurrency miner.
In early July, researchers at Trend Micro spotted another type of attack involving SambaCry. Cybercriminals have been exploiting the vulnerability in attacks targeting NAS devices used by small and medium-size businesses. The malware they have been using works on various architectures, including MIPS, ARM and PowerPC.
Attackers can leverage the Shodan Internet search engine to identify devices using Samba and write the initial malware files to their public folders.
According to Trend Micro, ELF_SHELLBIND.A is delivered as a SO file to Samba public folders and loaded via the SambaCry vulnerability. Once it’s deployed on the targeted system, the malware contacts a command and control (C&C) server located in East Africa. The threat modifies firewall rules to ensure that it can communicate with its server.
“Once the connection is successfully established and authentication is confirmed, then the attacker will have an open command shell in the infected systems where he can issue any number of system commands and essentially take control of the device,” explained Trend Micro researchers.
Users can protect their systems against these attacks by ensuring that Samba is up to date. Another mitigating factor is the need to have writable access to a shared location on the targeted system.
Related Reading: Multiple Zero-days Disclosed in Western Digital NAS Storage Devices
Related Reading: NAS Devices Used to Spread Cryptocurrency Mining Malware
Related Reading: Critical Vulnerabilities Patched in QNAP Storage Devices