Web-based DNA sequencer applications are under attack from a mysterious hacker group using a still-unpatched zero-day to take control of targeted devices.

The attacks have started two days ago, on June 12, and are still going on, according to Ankit Anubhav, a security researcher with NewSky Security, who shared his findings with ZDNet.

Hackers planting shells on DNA sequencer web apps

Anubhav says the group, which operates from an Iran-based IP address, has been scanning the internet for dnaLIMS, a web-based application installed by companies and research institutes to handle DNA sequencing operations.

The researcher told ZDNet the hacker is exploiting CVE-2017-6526, a vulnerability in dnaLIMS that has not been patched to this day after the vendor was notified back in 2017.

Anubhav says the attackers are using this vulnerability to plant shells that allow them to control the underlying web server from remote locations.

Attack motives unknown

It is unclear how the group is using these backdoors into hacked systems, post infection. Anubhav says there could be two scenarios.

In the first, the attacker may be looking to exfiltrate hashes of DNA sequences from the application's database.

"DNA theft in specific cases can be fruitful," Anubhav said. "Either it can be sold on the black market, or a high profile attacker can actually be looking for a specific person's data."

Second, and the most plausible scenario, is that the attackers might be using the infected servers as part of a botnet, or using the shell to plant cryptocurrency miners on the hijacked systems.

A previous ZDNet report highlighted that most IoT botnets nowadays are the works of attention-seeking kids that take random exploits from the ExploitDB exploit database and assemble botnets at random.

This might be one of those cases, with this botnet's author using an exploit at random, not knowing what they're actually targeting.

"This particular attack may not be useful for a script kiddie or a botnet operator," Anubhav said, pointing out that there are only between 35 and 50 such highly-complex DNA sequencer apps available online, a number far too small to build a botnet around.

Group also targeted routers and Struts servers

Furthermore, the theory that this might be the work of a script kiddie playing with random exploits, rather than a nation-state sponsored group, becomes more believable when we look at the historical activity coming from the attacker's IP address.

Per NewSky's own records, the attacker has been seen using the nmap tool to scan the internet and attempt to use two other exploits to take over systems -- one for Zyxel routers, and a second for Apache Struts installations.

"We can not decide on the motive of these attacks just yet," Anubhav told ZDNet. "Regardless, the DNA sequencer systems which hold this confidential information can get pwned."

With the vendor refusing to patch the security flaw back in 2017, these systems remain open for attacks.

The dangers that these systems pose can only be evaluated on a per-case basis. If the DNA sequencing data is anonymized, any stolen data will most likely be useless. If not, then a serious breach may occur if the hackers have stolen any info from these systems.

Sure, DNA data may be useless right now, but with biometric solutions spreading every year, non-anonymized data might be actually worth something in a few years from now.

More IOCs about this attack are available in Anubhav's report.

Related malware and cybercrime coverage: