An unknown threat actor is using a vulnerability in Samba installations to take over Linux machines and use them as pawns in a vast cryptocurrency mining operation.

According to public data, their actions started about five days after the Samba team announced they patched CVE-2017-7494, a vulnerability in all Samba versions released since 2010.

Because the vulnerability is exploitable via the SMB protocol, and because the issue came to light so close to the WannaCry ransomware outbreak, some researchers started referring to the bug as SambaCry or EternalRed.

Attacks started on May 30

At the technical level, a successful SambaCry exploit would allow an attacker to open a "pipe" on Samba servers, upload malicious code, and have it executed. Depending on the attacker's skill level, one could very easily achieve full server takeover.

This is exactly what happened. Starting around May 30, one such threat group has carried out mass scans that were looking for vulnerable Samba file sharing servers.

After finding exposed Samba installations, the attacker tested his ability to upload and execute code by loading eight files on a user's machine.

If he was successful, he then uploaded two malicious files. The first was a remote shell with full root access, while the second was a modified version of a popular cryptocurrency mining tool called cpuminer.

The attacker uses the remote shell to install the modified cpuminer, which some researchers have started calling EternalMiner.

Attackers made at least $5,400 in Monero

Experts from Kaspersky Labs have been on top of these attacks since the get-go. They say the crook behind this operation has been mining for the Monero cryptocurrency using the Linux machines he managed to take over.

Keeping track of the attacker was easy because he hard-coded his Monero wallet address inside EternalMiner's source code. At the time of writing, researchers said the attacker made 98 Monero, which is around $5,400 at today's price.

According to security researchers from Rapid7, at the time when the SambaCry vulnerability became public, on May 25, there were around 104,000 Internet-exposed machines that appeared to be running vulnerable versions of Samba software. The number went down as many admins patched their systems, but many vulnerable file sharing servers remained online.