Attackers are taking over NAS devices via SambaCry flaw
A Samba remote code execution flaw patched in May is being exploited to compromise IoT devices running on different architectures (MIPS, ARM, PowerPC, etc.), Trend Micro researchers warn.
Samba is an open source implementation of the SMB/CIFS networking protocol, which provides Linux/Unix servers with Windows-based file and print services. It runs on most Linux, Unix and Unix-like systems.
Since the public revelation of its existence, the so-called SambaCry vulnerability (CVE-2017-7494) has been misused by attackers mostly to install cryptocurrency mining software on Linux servers. But in this latest campaign, most of the targets are Network Attached Storage (NAS) devices favored by small to medium businesses.
“It is quite easy to find devices that use Samba in Shodan: searching for port 445 with a ‘samba’ string will turn up a viable IP list,” the researchers explained.
“An attacker would then simply need to create a tool that can automatically write malicious files to every IP address on the list. Once they write the files into the public folders, the devices with the SambaCry vulnerability could become ELF_SHELLBIND.A victims.”
The aim of the ELF_SHELLBIND.A Trojan is simply to establish communication with the attackers’ C&C server, grant them access to the compromised device, and provide them with an open command shell in the infected systems so that they can issue any number of system commands and take control of the device.
The researchers have not mentioned what the attackers do with the compromised devices, but you can be sure it’s nothing good.
They posit that the rate of infection might end up being low, as the attackers need to have writable access to a shared location in the target system to deliver the payload, and patches for the vulnerability have been available since May.
“However, Unix or Linux based devices (which comprise most IoT devices) are harder to protect,” they noted. “If Samba is enabled and the manufacturers have not sent out patches, then the devices are vulnerable. Users should proactively update or consult with the specific manufacturers.”