Thursday, February 13, 2025
HomeMalwareSambaCry Vulnerability used in Deploying Payloads Targeting IoT devices Particularly NAS

SambaCry Vulnerability used in Deploying Payloads Targeting IoT devices Particularly NAS

Published on

SIEM as a Service

Follow Us on Google News

Attackers using the SambaCry vulnerability to target older versions of Samba(3.5.0) to upload and execute the malicious payload. SambaCry Vulnerability(CVE-2017-7494) have the similarities of SMB vulnerability exploited by WannaCry.

Security experts from TrendMicro detected a Malware ELF_SHELLBIND.A which is similar to the functionality of SambaCry and this is the first payload with SambaCry that doesn’t have Cryptocurrency miner.

ELF_SHELLBIND targets internet of things (IoT) devices—particularly the Network Attached Storage (NAS) devices favored by small to medium businesses. ELF_SHELLBIND also targets different architectures, such as MIPS, ARM, and PowerPC.

Also Read SambaCry Vulnerability used by Hackers to attack Linux Servers and Mine’s Cryptocurrency

Execution flow

An attacker can find devices that vulnerable to Samba through Shodan(port 445) and then they prepare a script to automatically append malicious file on every IP. Once they successfully uploaded the files then they are victims of ELF_SHELLBIND.

Then after uploading malicious,(.SO) file in shared folder attacker need to trick server by sending an IPC request to run the locally stored file. Once executed it calls to change_to_root_user to run as root user and connect to Command and Control (C&C) server in East Africa “169[.]239[.]128[.]123” over TCP, port 80.

Then attackers obtain the system IP address and communications established over port 61422 and then malware wants the attacker to enter password Hardcore in it, once an attacker enters password then it grants access.

Once connection established successfully attacker have the command shell open and can get full control over the server, malware executes whatever command it received.

Mitigations

OS patches have been released already and the users who update in regular basis have no problems. If you have Samba enabled then the manufacturers have not yet patched, then the devices are vulnerable.

Also Read CoinDash Suffered a Hacking Attack And Stolen $7 Million Worth Ethereum Cryptocurrency

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Global IoT Data Leak Exposes 2.7 Billion Records and Wi-Fi Passwords Worldwide

A massive security lapse has exposed over 2.7 billion records, including sensitive Wi-Fi credentials,...

Palo Alto PAN-OS Zero-Day Flaw Allows Attackers to Bypass Web Interface Authentication

Palo Alto Networks has disclosed a zero-day vulnerability in its PAN-OS software (CVE-2025-0108), allowing...

Enhancing Threat Detection With Improved Metadata & MITRE ATT&CK tags

The cybersecurity landscape continues to evolve rapidly, demanding more sophisticated tools and methodologies to...

Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability...

Ratatouille Malware Bypass UAC Control & Exploits I2P Network to Launch Cyber Attacks

A newly discovered malware, dubbed "Ratatouille" (or I2PRAT), is raising alarms in the cybersecurity...

EARLYCROW: Detecting APT Malware Command and Control Activities Over HTTPS

Advanced Persistent Threats (APTs) represent a sophisticated and stealthy category of cyberattacks targeting critical...