Typically, miners purchase and invest in hardware for the sole purpose of generating cryptocurrencies such as Bitcoin, Monero, Ethereum, and Siacoin. To mine a cryptocurrency, a miner lends their hardware to provide a service, such as offering disk space (Siacoin) or solving difficult math problems (Bitcoin). Miners are then rewarded based on the number of shares they have completed.

Up to this point, some readers may have guessed the next move.

Cloud Mining for Cryptocurrencies.

Mining for free

Dubbed SambaCry (CVE-2017-7494), the attack exploits vulnerable Linux machines by uploading and launching the mining program on the victims' machines. Without needing to own a huge amount of hardware, the adversary is able to steadily collect mining rewards for free.

SambaCry vs. WannaCry

The main difference between SambaCry and WannaCry is the payload on the victim's machine. In most cases, a machine-hijack attack like SambaCry could go unnoticed by victims who leave their systems unmaintained. On the other hand, ransomware like WannaCry is highly noticeable, as it completely disrupts the workflow.

SambaCry (CVE-2017-7494)

According to the announcement by Samba from this link, SambaCry allows Remote Code Execution (RCE) attacks on smbd servers, and the vulnerability had existed for more than 7 years.

The vulnerability was introduced on 1st March 2010, when Samba 3.5.0 was released, and has been fixed in these versions: Samba 4.4.14, 4.5.10 and 4.6.4. Furthermore, a simple workaround was recommended for those who are unable to upgrade Samba to the fixed version.
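As an added example (not from the original post or the Samba project), the following Python check compares an smbd version string against the introduced and fixed releases listed above and looks for the workaround the Samba advisory recommends, `nt pipe support = no` in the `[global]` section of smb.conf. The sample smb.conf is constructed; note that distribution builds backport fixes without bumping the version number, so the version test reflects upstream releases only.

```python
import re

# Version facts from the Samba advisory for CVE-2017-7494 (as cited on the page):
# introduced in 3.5.0, fixed in 4.4.14, 4.5.10 and 4.6.4.
INTRODUCED = (3, 5, 0)
FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}


def parse_version(text):
    """Pull the first x.y.z version out of a string such as 'Version 4.5.8-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True if this upstream smbd version falls inside the vulnerable range.
    Caveat: distro packages backport fixes under old version numbers."""
    v = parse_version(version_text)
    if v < INTRODUCED:
        return False              # predates the bug
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]  # maintained branch: fixed from the listed release on
    if branch > (4, 6):
        return False              # newer branches shipped with the fix
    return True                   # 3.5 .. 4.3: no upstream fix for these branches


def workaround_applied(smb_conf):
    """True if [global] contains 'nt pipe support = no' (the advisory's workaround)."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "nt pipe support" and value.strip().lower() == "no":
                return True
    return False


def assess(version_text, smb_conf):
    """Return 'patched', 'workaround' or 'exposed' for a host."""
    if not is_affected(version_text):
        return "patched"
    return "workaround" if workaround_applied(smb_conf) else "exposed"


# Constructed sample input: an old smbd with the workaround in place.
SAMPLE_CONF = "[global]\n  workgroup = WORKGROUP\n  nt pipe support = no\n[share]\n  path = /srv\n"
```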

Scale of attack

The actual scale of the attack is not known. Besides the vast number of Linux servers out there, stripped-down versions of Linux are used in most Internet-of-Things (IoT) devices. By default, these devices can be poorly configured and may have the Samba service exposed to attackers.

Lessons for both {Wanna|Samba}Cry

The patch that fixed the vulnerability exploited by EternalBlue was released a month before the widespread attack occurred. Keeping your system and software up to date is the simplest way to mitigate known vulnerabilities.

On top of that, basic hardening following the principle of least privilege would effectively stop direct attacks from the network. This includes, but is not limited to, disabling unused services and closing unused ports on the system.

Conclusion

SambaCry is only one of the many things adversaries can achieve with a remote code execution flaw. The vulnerability could be extended to complex, targeted attacks that would cause huge damage. The importance of patching and updating is, unfortunately, often only emphasized once the damage is done. Adversaries are getting better at finding bugs, and the least that can be done is to keep things updated to keep the attack surface small.