It’s now been one year since the WannaCry attack first struck the internet. Since that time we’ve even had other attacks exploiting similar weaknesses, such as SambaCry. And yet, one year on it seems that the underlying weakness exploited by these attacks – named EternalBlue – is still alive and well. And at least one respected security researcher believes that EternalBlue could be even more popular now than ever before.
The vulnerability CVE-2017-7494 (a.k.a. “SambaCry”) enables remote code execution by allowing a malicious client to upload a shared library to a writable share on the server and then make the server load and execute the code in that library.
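As an added defensive illustration that is not part of the original article: a small smb.conf audit that flags the precondition the attack needs (a writable share) and checks for the workaround the Samba project published for this CVE, `nt pipe support = no` in `[global]` (a fact not stated on this page). The sample configuration is constructed for the demo.

```python
import configparser

# Constructed sample smb.conf (not from any real host): one writable guest share, one read-only share.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[docs]
   path = /srv/samba/docs
   writable = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def _as_bool(value, default):
    """Interpret a Samba boolean (yes/true/1), falling back to the parameter's default."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text):
    """smb.conf is INI-like; strip indentation so configparser does not treat it as continuations."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    parser.read_string(flat)
    return parser


def share_is_writable(section):
    """Samba's per-share default is 'read only = yes'; the write synonyms override it."""
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return _as_bool(section[key], False)
    return not _as_bool(section.get("read only"), True)


def audit_sambacry_exposure(text):
    """Return one finding per writable share, noting whether the global workaround is set."""
    conf = parse_smb_conf(text)
    glob = conf["global"] if conf.has_section("global") else {}
    mitigated = not _as_bool(glob.get("nt pipe support"), True)  # default is 'yes' (exposed)
    findings = []
    for name in conf.sections():
        if name == "global":
            continue
        sec = conf[name]
        if share_is_writable(sec):
            findings.append({"share": name, "guest_ok": _as_bool(sec.get("guest ok"), False), "mitigated": mitigated})
    return findings
```

Run `audit_sambacry_exposure(SAMPLE_SMB_CONF)` against your own smb.conf text; an unmitigated writable share, especially one with `guest ok = yes`, is the case to fix first.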
Rather than delivering ransomware, as recent campaigns have, this attack co-opts Linux clients into a botnet that mines the Monero cryptocurrency. The popular cpuminer software is downloaded onto the machine, which then connects to a mining pool (mr.crypto-pool.fr:3333) and keeps running in the background to mine cryptocurrency.
The advantage of using Monero instead of Bitcoin for the malware authors is that Monero goes to great lengths to make transactions difficult to trace. This could assist the authors in evading detection when they later decide to withdraw the funds earned from the botnet.