Sunday, December 3, 2023

SambaCry Vulnerability used in Deploying Payloads Targeting IoT devices Particularly NAS

Attackers using the SambaCry vulnerability to target older versions of Samba(3.5.0) to upload and execute the malicious payload. SambaCry Vulnerability(CVE-2017-7494) have the similarities of SMB vulnerability exploited by WannaCry.

Security experts from TrendMicro detected a Malware ELF_SHELLBIND.A which is similar to the functionality of SambaCry and this is the first payload with SambaCry that doesn’t have Cryptocurrency miner.

ELF_SHELLBIND targets internet of things (IoT) devices—particularly the Network Attached Storage (NAS) devices favored by small to medium businesses. ELF_SHELLBIND also targets different architectures, such as MIPS, ARM, and PowerPC.

Also Read SambaCry Vulnerability used by Hackers to attack Linux Servers and Mine’s Cryptocurrency

Execution flow

An attacker can find devices that vulnerable to Samba through Shodan(port 445) and then they prepare a script to automatically append malicious file on every IP. Once they successfully uploaded the files then they are victims of ELF_SHELLBIND.

Then after uploading malicious,(.SO) file in shared folder attacker need to trick server by sending an IPC request to run the locally stored file. Once executed it calls to change_to_root_user to run as root user and connect to Command and Control (C&C) server in East Africa “169[.]239[.]128[.]123” over TCP, port 80.

Then attackers obtain the system IP address and communications established over port 61422 and then malware wants the attacker to enter password Hardcore in it, once an attacker enters password then it grants access.

Once connection established successfully attacker have the command shell open and can get full control over the server, malware executes whatever command it received.

Mitigations

OS patches have been released already and the users who update in regular basis have no problems. If you have Samba enabled then the manufacturers have not yet patched, then the devices are vulnerable.

Also Read CoinDash Suffered a Hacking Attack And Stolen $7 Million Worth Ethereum Cryptocurrency

Website

Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Booking.com Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles