With the news dominated by WannaCry, the malware which disrupted the NHS in the UK, you may not be aware of its Linux counterpart, SambaCry. But you should be.
SambaCry is malware that exploits a vulnerability in Samba. For those who don’t use Linux, Samba provides integration and networking of shared files and systems between Linux and Windows users using the Server Message Block (SMB) protocol. It is open-source software released under the terms of the GNU General Public License, so independent developers may modify and share their own code, which is publicly accessible.
How it works
The SambaCry vulnerability is exploited by the attacker uploading a shared object to a writeable share and causing Samba to load and execute that object, by way of a bad path check in the protocol handling. As Samba usually runs as root (the default port, 445, is a privileged port), the code in the shared object runs with full root permissions. Once infected, the attacker has complete control of the target machine. In some cases the attacker does nothing more harmful than install crypto-currency mining software; in other cases the result is a lock-down of data, which can be regained only by paying the ransom or by restoring from a backup taken before the system was infected.
How to stay protected
In the first instance, make sure you have upgraded to the latest version of Samba. We support SLES, RedHat and Ubuntu, all of which have SambaCry covered by a CVE fix. The article from Tecmint gives clear instructions on how to update, depending on your Linux distribution.
Secondly, we recommend that SELinux is turned on wherever it is installed; we have it switched on in our virtual appliance and use it internally at Cristie on all our systems. This is important because the shared object files uploaded by the attacker will not carry the SELinux context label that Samba is permitted to load, which prevents Samba from loading them. Even if the exploit were successfully loaded, the attacking code would only run within the SELinux context of the Samba daemon, which greatly limits what it can do; without SELinux, this is where damage to the system would take place. So if SELinux had been switched on, it would have prevented the infection in the first place, as SambaCry exploits could not have taken hold.
Also, as another quick solution, you can turn off “nt pipe support”, as the vulnerability requires it. Linux system administrators can do this by adding ‘nt pipe support = no’ to smb.conf and restarting the Samba service.
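As an added example (not Cristie's code and not part of the original post), the POSIX shell script below audits an smb.conf for the two conditions described above: shares that are writeable, and “nt pipe support” left at its default of yes. It assumes the usual smb.conf layout ([section] headers, “key = value” lines, “#” or “;” comments) and mirrors Samba's rule that parameter names are matched ignoring case and whitespace; “include =” lines are not followed, so feed it the output of “testparm -s” if your configuration uses them. The sample configuration it writes is constructed for the demonstration, not taken from any real system.

```shell
#!/bin/sh
# Added example, not Cristie's code: audit a Samba smb.conf for the two
# conditions the post names, writeable shares and "nt pipe support".
# Assumes the usual smb.conf layout; "include =" lines are not followed.

# audit_smb_conf FILE
# Prints the effective "nt pipe support" value and every writeable share.
# Exit status: 0 if nt pipe support is off or no share is writeable,
#              1 if nt pipe support is on AND at least one share is writeable.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { section = ""; pipes = "yes"; n = 0; nwrite = 0 }  # Samba default: nt pipe support = yes
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*$/    { next }                       # blank line
    /^[ \t]*\[/ {                                # [section] header
        name = $0; sub(/^[ \t]*\[/, "", name); sub(/].*$/, "", name)
        name = trim(name); section = tolower(name)
        if (section != "global" && !(section in writable)) {
            writable[section] = 0; order[++n] = name
        }
        next
    }
    index($0, "=") > 0 {
        key = tolower(substr($0, 1, index($0, "=") - 1))
        gsub(/[ \t]+/, "", key)                  # Samba ignores case and whitespace in parameter names
        val = tolower(trim(substr($0, index($0, "=") + 1)))
        yes = (val == "yes" || val == "true"  || val == "1")
        no  = (val == "no"  || val == "false" || val == "0")
        if (section == "global" && key == "ntpipesupport") pipes = (no ? "no" : "yes")
        if (section != "global" && section != "") {
            # "writable", "writeable" and "write ok" are synonyms; "read only = no" means the same.
            if ((key == "writable" || key == "writeable" || key == "writeok") && yes) writable[section] = 1
            if (key == "readonly" && no) writable[section] = 1
            if (key == "writelist" && val != "") writable[section] = 1  # listed users can write even if read only
        }
    }
    END {
        printf "nt pipe support: %s\n", pipes
        for (i = 1; i <= n; i++)
            if (writable[tolower(order[i])]) { nwrite++; printf "writeable share: [%s]\n", order[i] }
        if (nwrite == 0) print "no writeable shares"
        exit (pipes == "yes" && nwrite > 0) ? 1 : 0
    }' "$1"
}

# write_sample_conf FILE MODE
# Writes a constructed sample smb.conf (not from any real system).
# MODE "hardened" adds "nt pipe support = no" to [global]; anything else keeps the default.
write_sample_conf() {
    {
        printf '[global]\n   workgroup = WORKGROUP\n   server string = constructed sample\n'
        if [ "$2" = "hardened" ]; then printf '   nt pipe support = no\n'; fi
        cat <<'EOF'
[homes]
   comment = Home Directories
   browseable = no
   read only = no
[public]
   path = /srv/samba/public
   writeable = yes
[docs]
   path = /srv/samba/docs
   read only = yes
EOF
    } > "$1"
}

# Stand-alone demonstration: default settings first, then the hardened variant.
tmp=$(mktemp)
for mode in default hardened; do
    write_sample_conf "$tmp" "$mode"
    echo "== $mode =="
    if audit_smb_conf "$tmp"; then
        echo "OK: nt pipe support is off or nothing is writeable"
    else
        echo "ACTION: writeable share with nt pipe support on; patch Samba or set nt pipe support = no"
    fi
done
rm -f "$tmp"
```

Run it against your own file with `audit_smb_conf /etc/samba/smb.conf` (or against `testparm -s` output) and treat a non-zero exit as a prompt to patch rather than as proof of safety: a patched Samba is the real fix, and the “nt pipe support = no” workaround is known to disable some functionality that Windows clients expect, so test it with your clients before rolling it out.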
Lastly, we would strongly recommend that standard security tools are installed, including an intrusion detection system, a file integrity tool, anti-virus and a good firewall. Infections spread quickly, and at Cristie we believe strongly in practising defence in depth and in test, test, test! So consider all of your systems as potentially accessible from the outside world, and make sure you have a disaster recovery plan in place.
What to do if you are infected by ransomware
Try to determine the original date of the infection, then restore your system from a point before the infection took place. Many ransomware tools trigger their encryption function only after a long interval, to try to ensure that your backups also contain the infection. This behaviour varies from virus to virus, and viruses will attempt to cover their tracks.
Where Cristie can help
At Cristie we can use our Cristie Recover solutions along with a Post-Recovery script to recover to successive points in time and find a restore point that does not carry the ransomware infection. If required, recover your data from later restore points using the file-level backup tools, taking care to recover only data and not anything executable.
Also, with our Recovery Simulator functionality, you can test in advance to make sure your backup will recover in such circumstances.