Someone is using the SambaCry vulnerability to install a backdoor trojan on Linux devices running older versions of the Samba file-sharing server.
According to experts from Trend Micro, most of the attacks have targeted network-attached storage (NAS) appliances, some of which ship with the Samba server to provide file-sharing interoperability between different operating systems.
SHELLBIND backdoor deployed via SambaCry exploit
The malware, which researchers have nicknamed SHELLBIND, exploits a vulnerability named SambaCry (also known as EternalRed) that was publicly disclosed at the end of May 2017.
The vulnerability, tracked as CVE-2017-7494, affects every Samba release from version 3.5.0 onwards, a span of roughly seven years at the time of disclosure.
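A practitioner reading the version range above will want a quick way to triage a fleet of NAS boxes and Linux hosts. The script below is an added example written for this page, not code from Trend Micro, the Samba project or the article's author. It encodes the affected range stated above plus two facts from the Samba project's own advisory: the fix shipped in upstream releases 4.6.4, 4.5.10 and 4.4.14, and setting `nt pipe support = no` in the `[global]` section of smb.conf is the documented workaround. The input strings (a `smbd --version` line and an smb.conf fragment) are assumptions used for illustration.

```python
import re

# CVE-2017-7494 affects Samba 3.5.0 and later; the Samba project fixed it in
# 4.6.4, 4.5.10 and 4.4.14 (Samba security release of 24 May 2017).
FIRST_AFFECTED = (3, 5, 0)
FIXED_IN = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull the numeric x.y.z out of `smbd --version` output such as
    'Version 4.5.8-Debian' or 'Version 4.6.3'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Samba version number in: %r" % text)
    return tuple(int(x) for x in m.groups())


def upstream_vulnerable(text):
    """True when the upstream Samba release named by `text` ships the bug.

    Caveat: distribution packages (e.g. '4.2.14-Debian') often backport the
    fix without bumping the version, so True is a triage hint, not proof.
    Confirm against the distro changelog or check for the mitigation."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    # 4.7 and later were released after the fix; branches older than 4.4 were
    # out of upstream support and got no official fixed release.
    return branch < (4, 4)


def mitigation_present(smb_conf):
    """True when smb.conf sets 'nt pipe support = no' inside [global], the
    workaround documented in the Samba advisory. Samba parameter names are
    case- and whitespace-insensitive, so the key is normalised before comparing.
    Comments (';' or '#') are stripped first."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if (key.strip().lower().replace(" ", "") == "ntpipesupport"
                    and val.strip().lower() in ("no", "false", "0")):
                return True
    return False


def triage(version_text, smb_conf):
    """One-word verdict for a host: 'patched', 'mitigated' or 'exposed'."""
    if not upstream_vulnerable(version_text):
        return "patched"
    return "mitigated" if mitigation_present(smb_conf) else "exposed"


if __name__ == "__main__":
    # Constructed sample input, not captured from a real device.
    sample_version = "Version 4.5.8-Debian"
    sample_conf = "[global]\n   workgroup = WORKGROUP\n   NT Pipe Support = No\n[share]\n   path = /srv\n"
    print(triage(sample_version, sample_conf))
```

Because NAS vendors and distributions routinely backport fixes without changing the reported version, treat `exposed` as "go and verify", not as a confirmed finding; the `mitigated` verdict only says the workaround is configured, not that smbd was restarted after it was added.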
Two weeks after the Samba team patched its software and vulnerability details became public, someone used SambaCry to infect Linux servers and install a cryptocurrency miner named EternalMiner.
SHELLBIND opens a backdoor on port 61422
Attacks spreading EternalMiner have continued over the past month, but earlier today Trend Micro released a report on SHELLBIND, a new malware strain also seen dropped as the final payload in attacks that use the SambaCry exploit.
According to researchers, SHELLBIND is a simple backdoor trojan that allows attackers to open a remote shell on infected devices.
The trojan is configured to alter the local firewall rules so that inbound TCP port 61422 is reachable, giving the attacker a way to connect to compromised devices.
SHELLBIND informs its operator that it has infected a new device by connecting to a server at 169[.]239[.]128[.]123 on TCP port 80. The operator extracts the new IPs from that server's logs and manually connects to each infected host on port 61422.
Access to SHELLBIND's shell is password protected. The password is hard-coded in the trojan's binary and is "Q8pGZFS7N1MObJHf".
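The three indicators in the paragraphs above (a listener on TCP/61422, a firewall rule admitting that port, and a beacon to 169[.]239[.]128[.]123 on TCP/80) are enough for host-side triage. The script below is an added example written for this page, not code from Trend Micro or the article's author. It parses `ss -ltnp` output, `iptables -S` output and netfilter `LOG` lines (the `SRC=/DST=/DPT=` format) and reports which indicators are present. The sample inputs are constructed, not captured; the listener is shown inside smbd because a library loaded through CVE-2017-7494 runs in the smbd process, but the PIDs, addresses and timestamps are made up.

```python
import re

# Indicators reported for SHELLBIND in the text above.
SHELL_PORT = 61422
C2_IP = "169.239.128.123"
C2_PORT = 80


def find_listener(ss_output):
    """Scan `ss -ltnp` style lines for a socket bound to the backdoor port.
    Columns: State Recv-Q Send-Q Local:Port Peer:Port Process.
    Returns the process column of the matching line, or None."""
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        local = cols[3]  # e.g. 0.0.0.0:61422 or [::]:61422
        if local.rsplit(":", 1)[-1] == str(SHELL_PORT):
            return " ".join(cols[5:]) or "(no process info)"
    return None


IPTABLES_RULE_RE = re.compile(
    r"-A\s+INPUT\b.*-p\s+tcp\b.*--dport\s+(\d+)\b.*-j\s+ACCEPT")


def find_firewall_hole(iptables_output):
    """Return the `iptables -S` / iptables-save rule that accepts inbound
    traffic to the backdoor port, or None."""
    for line in iptables_output.splitlines():
        m = IPTABLES_RULE_RE.search(line)
        if m and int(m.group(1)) == SHELL_PORT:
            return line.strip()
    return None


CONN_RE = re.compile(
    r"SRC=(\S+)\s+DST=(\S+)\s.*?\bPROTO=TCP\b.*?\bSPT=(\d+)\s+DPT=(\d+)")


def find_beacons(kernel_log):
    """Pick connections to the C2 address out of netfilter LOG lines
    (the format written by `iptables -j LOG`). Returns (src, sport) pairs."""
    hits = []
    for line in kernel_log.splitlines():
        m = CONN_RE.search(line)
        if m and m.group(2) == C2_IP and int(m.group(4)) == C2_PORT:
            hits.append((m.group(1), int(m.group(3))))
    return hits


def assess(ss_output, iptables_output, kernel_log):
    """Run all three checks and return a list of human-readable findings."""
    findings = []
    proc = find_listener(ss_output)
    if proc:
        findings.append("listener on tcp/%d: %s" % (SHELL_PORT, proc))
    rule = find_firewall_hole(iptables_output)
    if rule:
        findings.append("firewall accepts tcp/%d: %s" % (SHELL_PORT, rule))
    for src, spt in find_beacons(kernel_log):
        findings.append("beacon to %s:%d from %s:%d" % (C2_IP, C2_PORT, src, spt))
    return findings


# Constructed sample data (not captured from a real device).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=812,fd=32))
LISTEN  0       1       0.0.0.0:61422       0.0.0.0:*          users:(("smbd",pid=812,fd=41))
"""

SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 61422 -j ACCEPT
"""

SAMPLE_KLOG = """\
Jul 18 10:02:11 nas kernel: OUT: IN= OUT=eth0 SRC=192.168.1.20 DST=169.239.128.123 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4127 DF PROTO=TCP SPT=42113 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 18 10:02:15 nas kernel: OUT: IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4128 DF PROTO=TCP SPT=42114 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_SS, SAMPLE_IPTABLES, SAMPLE_KLOG):
        print(finding)
```

These checks match the specific port, address and beacon reported for this campaign; a rebuilt sample can change all three, so use them to confirm or rule out this variant rather than as general SambaCry coverage. The firewall check also only inspects the INPUT chain, so a device that filters in a different chain needs the regex adjusted.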
SHELLBIND most likely used for data theft
Compared to EternalMiner, which targeted mainly Linux servers, SHELLBIND was spotted mainly on NAS devices, although it also infected other types of IoT equipment running vulnerable Samba versions.
Based on the malware's features and the targeted nature of the attacks, it is reasonable to infer that the threat actor is looking for data to steal and possibly sell on underground hacking forums, or to use to extort the affected companies.
This is not the first security incident affecting NAS devices. Earlier this year, security researcher Zenofex disclosed multiple vulnerabilities in several WD MyCloud NAS models.
In September 2016, a malware variant named Mal/Miner-C (also known as PhotoMiner) infected Seagate NAS devices and used them to mine for the Monero cryptocurrency.