Thursday, March 28, 2024

SambaCry Vulnerability used in Deploying Payloads Targeting IoT devices Particularly NAS

Attackers using the SambaCry vulnerability to target older versions of Samba(3.5.0) to upload and execute the malicious payload. SambaCry Vulnerability(CVE-2017-7494) have the similarities of SMB vulnerability exploited by WannaCry.

Security experts from TrendMicro detected a Malware ELF_SHELLBIND.A which is similar to the functionality of SambaCry and this is the first payload with SambaCry that doesn’t have Cryptocurrency miner.

ELF_SHELLBIND targets internet of things (IoT) devices—particularly the Network Attached Storage (NAS) devices favored by small to medium businesses. ELF_SHELLBIND also targets different architectures, such as MIPS, ARM, and PowerPC.

Also Read SambaCry Vulnerability used by Hackers to attack Linux Servers and Mine’s Cryptocurrency

Execution flow

An attacker can find devices that vulnerable to Samba through Shodan(port 445) and then they prepare a script to automatically append malicious file on every IP. Once they successfully uploaded the files then they are victims of ELF_SHELLBIND.

Then after uploading malicious,(.SO) file in shared folder attacker need to trick server by sending an IPC request to run the locally stored file. Once executed it calls to change_to_root_user to run as root user and connect to Command and Control (C&C) server in East Africa “169[.]239[.]128[.]123” over TCP, port 80.

Then attackers obtain the system IP address and communications established over port 61422 and then malware wants the attacker to enter password Hardcore in it, once an attacker enters password then it grants access.

Once connection established successfully attacker have the command shell open and can get full control over the server, malware executes whatever command it received.

Mitigations

OS patches have been released already and the users who update in regular basis have no problems. If you have Samba enabled then the manufacturers have not yet patched, then the devices are vulnerable.

Also Read CoinDash Suffered a Hacking Attack And Stolen $7 Million Worth Ethereum Cryptocurrency

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles