Attackers are free-riding Linux servers with an unpatched Samba bug to mine for the monero cryptocurrency.
Now would be a good time install a patch released by open-source project Samba on May 25. Security firm Rapid7 found over 100,000 Linux machines open on the internet via ports 445 and 139 that were running versions of Samba vulnerable to remote code execution.
Samba provides file- and print-sharing services between Windows and Linux machines using the SMB protocol. That the Samba bug was wormable drew comparisons to the WannaCry ransomware outbreak, which relied on a flaw in the Windows implementation of SMB to rapidly spread on networks.
There hasn't been an equivalent outbreak of ransomware using the Samba bug but attackers began to exploit it for profit almost immediately after the patch was released, according to researchers from Kaspersky Lab.
Instead of installing ransomware, the Samba attackers install a cryptocurrency miner to turn a profit from Linux machines in the form of the monero, an alternative to bitcoin that is less computationally demanding to mine.
In the wake of WannaCry, security researcher Kafeine discovered malware called Adylkuzz that used the same SMB exploit to infect Windows machines for the purpose of mining monero. And last week security firm Doctor Web uncovered what appeared to be an early experiment to recruit Raspberry Pi devices into a monero-mining botnet.
The Samba-led mining scheme appears to be having moderate success at generating money, although Kaspersky does not know how large the network of infected machines is.
Over a month, the attackers have gained 98 moneros (XMR), worth about $5,500. That's far less Adylkuzz, which generated tens of thousands per month with over 150,000 infected Windows machines.
Nonetheless, according to Kaspersky, the monero-mining Linux botnet is growing. Initially it was generating about one XMR per day, but by early June it was generating about five XMR per day.
"This means that the botnet of devices working for the profit of the attackers is growing," note Kaspersky Lab researchers.
The Samba attackers exploit the flaw to install a malicious Samba plugin that runs with super-user privileges. However, the attackers must guess the path where files can be stored on the drive to execute as a Samba server process.
Exploit modules for the bug were appearing on Rapid7's open-source Metasploit framework soon after the patch. This location appears to be where criminals sourced the Samba exploit for the new cryptocurrency mining botnet.
"It's worth noting that a similar payload can be found in the implementation of the SambaCry exploit in Metasploit," Kaspersky researchers note.