Samba

Samba released a security advisory notifying users that threat actors are exploiting a seven-year-old remote code execution vulnerability, CVE-2017-7494, known as “SambaCry” or “EternalRed,” affecting all unpatched versions of Samba from 3.5.0 up. Samba issued versions 4.6.4, 4.5.10, and 4.4.14 as security releases to address the vulnerability, and patches are available for earlier versions. Threat actors are reportedly exploiting this vulnerability to install a backdoor trojan, dubbed “SHELLBIND,” on Linux devices running the vulnerable versions of the Samba file-sharing server. Successful exploitation of this vulnerability could allow a remote threat actor to execute a shared library from a writeable share and take control of the affected system. These attacks have largely targeted internet-of-things (IoT) devices, specifically network-attached storage (NAS) devices. Previous exploits against the SambaCry vulnerability were used to mine the Monero cryptocurrency.

The NJCCIC recommends all users and administrators of Samba review the security advisory, apply the necessary update or patch, and utilize whitelisting to only allow necessary ports and protocols on your network.
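To help triage an inventory against the versions listed above, the following added example (not part of the Samba advisory or any Samba tooling) classifies version strings per release branch rather than against a single cutoff, since 4.5.9 is numerically higher than 4.4.14 yet still unfixed. The status names and sample strings are constructed for illustration, and releases newer than the 4.6 branch are assumed to include the fix.

```python
import re

# Security releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_AFFECTED = (3, 5, 0)  # "all unpatched versions of Samba from 3.5.0 up"


def parse_version(text):
    """Return (major, minor, patch) as ints from text such as 'Version 4.5.9-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Samba version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(text):
    """Map a version string to a triage status (status names are hypothetical)."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "below-affected-range"
    branch = v[:2]
    if branch in FIXED:
        # Integer tuples compare numerically, so 4.5.10 sorts after 4.5.9.
        return "fixed-release" if v >= FIXED[branch] else "update-to-security-release"
    if branch > max(FIXED):
        # Assumption: branches released after 4.6 already contain the fix.
        return "fixed-release"
    # 3.5.0 through 4.3.x: the advisory lists patches only, no security release.
    return "patch-only"


def triage(lines):
    """Classify each inventory line; returns {line: status}."""
    return {line: classify(line) for line in lines}


# Constructed sample inventory, in the style of `smbd --version` output.
SAMPLES = [
    "Version 3.4.17", "Version 3.6.25", "Version 4.3.11-Ubuntu",
    "Version 4.4.14", "Version 4.5.9-Debian", "Version 4.5.10",
    "Version 4.6.3", "Version 4.6.4",
]

if __name__ == "__main__":
    for line, status in triage(SAMPLES).items():
        print(f"{line:24} {status}")
```

A distribution package may carry the patch without changing the upstream version number, so any status other than `fixed-release` or `below-affected-range` should be confirmed against the vendor's changelog before the host is treated as exposed.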