WARNING! Criminals Attack NAS Devices via SambaCry

in #security, 7 years ago


The US National Security Agency (NSA) tools and the Samba hole continue to keep administrators awake this week. The hole in the network protocol, closed two months ago, is still being actively and successfully exploited by cybercriminals. This is clear from a report by Trend Micro, which has recorded numerous attack attempts, this time against Linux-based systems, mainly IoT devices and NAS solutions.

CVE-2017-7494, or SambaCry, as the vulnerability was named by analogy with the hole used to distribute WannaCry, is exploited by uploading a shared library to a writable network share. After the library is uploaded, the attacked server loads it, which in turn allows the attacker to run arbitrary code on the system.

Weeks after Samba closed the seven-year-old hole in its protocol, an unknown party began exploiting the vulnerability to deliver a cryptocurrency miner. While that campaign is over, early this month Trend Micro reported the emergence of a new type of attack, this time on NAS devices. Attacks with ELF_SHELLBIND (as it is named in the company's antivirus database) target different architectures such as MIPS, ARM, and PowerPC.

The malicious program, experts explain, is delivered as an SO file to Samba public folders and loaded by means of the vulnerability described above. Once on the system, ELF_SHELLBIND establishes a link to the server controlling it. The threat modifies the firewall policy to make sure that communication with the control server goes unhindered.
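Because delivery depends on an SO file landing in a writable share, a defender can sweep share directories for ELF shared objects and report the architecture each was built for. The following is an added example, not code from this post or from Trend Micro; the share layout in `demo()` and its file contents are constructed, and the function names are hypothetical.

```python
import os
import struct
import tempfile

ET_DYN = 3  # ELF e_type for shared objects (also used by position-independent executables)
MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_shared_object_arch(path):
    """Return the architecture name if `path` is an ELF shared object, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(20)
    except OSError:
        return None
    # Check the magic by content, not by extension: a dropped library need not end in .so
    if len(head) < 20 or head[:4] != b"\x7fELF" or head[5] not in (1, 2):
        return None
    # e_ident[EI_DATA]: 1 = little-endian, 2 = big-endian (common on MIPS/PowerPC)
    endian = "<" if head[5] == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", head[16:20])
    if e_type != ET_DYN:
        return None
    return MACHINES.get(e_machine, "machine %d" % e_machine)


def scan_share(root):
    """Walk a share directory and list (relative path, arch) for every ELF shared object."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Skip symlinks so the sweep stays inside the share
            arch = None if os.path.islink(full) else elf_shared_object_arch(full)
            if arch:
                hits.append((os.path.relpath(full, root), arch))
    return sorted(hits)


def demo():
    """Constructed sample share: two fake ELF headers and one harmless text file."""
    def header(data, machine):
        order = "<" if data == 1 else ">"
        return b"\x7fELF" + bytes([1, data, 1]) + bytes(9) + struct.pack(order + "HH", ET_DYN, machine)
    with tempfile.TemporaryDirectory() as share:
        os.mkdir(os.path.join(share, "docs"))
        samples = {"docs/notes.txt": b"hello", "docs/photo.jpg": header(2, 8), "lib.so": header(1, 40)}
        for rel, data in samples.items():
            with open(os.path.join(share, rel), "wb") as fh:
                fh.write(data)
        return scan_share(share)
```

On a real NAS, `scan_share()` would be pointed at each writable share path from the Samba configuration; any hit in a folder meant for documents or media deserves a closer look.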

"Once the connection is established and the authentication is confirmed, the attacking party opens a terminal session, manages to issue a series of commands and take control of the device completely," Trend Micro explains.

Samba administrators who have applied the patch for the vulnerability do not need to worry. The company explains that while many user and server systems have probably been upgraded to the latest version of the protocol, many IoT devices are still vulnerable, and delivering the necessary updates to all of them is unlikely.
