SambaCry exploits a vulnerability in Samba installations to compromise Linux machines and use them as workers in a large cryptocurrency (Bitcoin, Monero or any other currency) mining operation; it also enables a remote attacker to take control of the affected Linux systems.
Samba said in a security advisory:
“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.”
SambaCry can be exploited easily, but only under specific conditions: the victim must have the printer-sharing port 445 reachable from the Internet, a share must be configured with write privileges, and the server-side path of that share must be known or guessable. If these conditions are met, remote attackers can upload code of their choosing and cause the server to execute it, possibly with unrestricted root privileges, depending on the vulnerable platform.
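The conditions above can be checked against a server's own configuration. The following is an added example (not code from the article or from the Samba project) that parses an smb.conf in Samba's ini-style format, lists the shares a client could write to, and reports whether the `nt pipe support = no` workaround that Samba published alongside its advisory is set in `[global]`; the sample configuration, share names and paths are constructed for the example.

```python
import configparser

# Constructed sample smb.conf for this example (not taken from the article):
# one guest-writable share, one read-only share, and no workaround in [global].
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server

[public]
   path = /srv/samba/public
   writable = yes
   guest ok = yes

[docs]
   path = /srv/samba/docs
   read only = yes
"""

def _is_yes(value):
    """Samba accepts yes/true/1 (case-insensitive) for boolean parameters."""
    return value.strip().lower() in ("yes", "true", "1")

def _writable(section, default):
    """'read only' wins; 'writable', 'writeable' and 'write ok' are its inverse synonyms."""
    if "read only" in section:
        return not _is_yes(section["read only"])
    for synonym in ("writable", "writeable", "write ok"):
        if synonym in section:
            return _is_yes(section[synonym])
    return default

def audit_smb_conf(text):
    """Return the writable shares (the upload precondition) and whether the
    'nt pipe support = no' workaround is set in [global]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # strip indentation so configparser never treats an indented key as a continuation line
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = cp["global"] if cp.has_section("global") else {}
    global_default = _writable(glob, False)  # 'read only = no' in [global] opens every share
    writable = []
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        if _writable(share, global_default):
            writable.append({"share": name, "path": share.get("path", "(unset)"),
                             "guest_ok": _is_yes(share.get("guest ok", "no"))})
    mitigated = "nt pipe support" in glob and not _is_yes(glob["nt pipe support"])
    return {"writable_shares": writable, "nt_pipe_support_disabled": mitigated}

if __name__ == "__main__":
    print(audit_smb_conf(SAMPLE_SMB_CONF))
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `audit_smb_conf`; every entry in `writable_shares` whose path is predictable satisfies the upload condition described above, and the workaround flag only matters until the patched Samba version is installed.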
Kaspersky Lab security researchers have detected a malware campaign that exploits the SambaCry flaw to infect Linux machines with cryptocurrency mining malware.
Kaspersky Lab said:
“On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry. Surprisingly, it was a cryptocurrency mining utility!”
At the time of writing, Kaspersky had no information about the actual scale of the attack. System administrators and Linux users should update their Samba software to the latest version to stop future attacks.