Profit-Motivated Hackers Exploiting Linux Samba Vulnerability to Mine Cryptocurrency

An unidentified threat actor is currently targeting Linux servers running unpatched versions of Samba and installing software designed to mine the cryptocurrency, Monero. As the value of cryptocurrency continues to grow and the resource-intensive process of mining remains difficult and costly to conduct at home, profit-motivated hackers are increasingly shifting to vulnerability exploitation to conduct their cryptocurrency mining operations. Last month, two new botnets, Bondnet and Adylkuzz, were discovered attempting to exploit server and operating system vulnerabilities for the purpose of mining Monero. The NJCCIC has also recently received an incident report indicating the discovery of a cryptocurrency mining executable on a server that was compromised by an external threat actor. On May 25, 2017, the NJCCIC Weekly Bulletin included a patch alert for CVE-2017-7494, advising users and administrators of affected Linux systems apply the patch as soon as possible. However, there are nearly 1,000 servers within New Jersey that are still running vulnerable versions of Samba. The NJCCIC would like to remind Samba users and administrators to review the security advisory, upgrade Samba to version 4.4.14, 4.5.10, or 4.6.4, apply the patch to versions 4.4.13, 4.5.9, and 4.6.3, or apply the available workaround if patching is unavailable. Additionally, monitor all servers and systems for unusual processes, temperature changes, and excessive and abnormal CPU and GPU usage. Also, monitor network traffic for anomalies and connections to peer-to-peer networks. For more information and detection strategies, please review the SANS Institute whitepaper Detecting Cryptocurrency Mining in Corporate Environments.