SMB Vulnerabilities – WannaCry, Adylkuzz and SambaCry


Last month on Friday, May 12th a global incident related to a ransomware variant named WannaCry broke out, targeting computers around the world. Everything from personal computers to corporate and university networks was affected by this campaign. The campaign spread across networks leveraging a recently disclosed vulnerability in Microsoft's SMB service. On March 14th 2017, Microsoft released MS17-010, a security update that addressed and patched six CVEs. Five were remote code executions and the sixth was related to information disclosure.

A month later the Shadow Brokers, a hacking group that targets the NSA, leaked hacking tools from the Equation Group. These tools included FuzzBunch, an exploitation framework similar to Metasploit. Inside of FuzzBunch there was an exploit called EternalBlue and a payload called DoublePulsar. EternalBlue is an exploit that targets Microsoft's SMB protocol. The exploit allowed the attackers to send a specially crafted message to gain unauthorized access to machines around the world. Once access is gained, the payload DoublePulsar is delivered and triggered to download WannaCry. Once a machine is infected with WannaCry, the worm scans nearby machines it can target in the same way and begins to move laterally within the network, transferring the malicious payload to more and more endpoints.

FuzzBunch via Miguel Diaz Lira

On May 10th, CVE-2017-0144, Microsoft Windows Server 2008 R2 (x64) – ‘SrvOs2FeaToNt’ SMB Remote Code Execution was added to ExploitDB and leveraged exploits disclosed in MS17-010. Two days later the WannaCry campaign broke out and infected computers all around the world. Upon infection, WannaCry ransomware executes a file that sends an HTTP GET request to a hardcoded domain. This is a killswitch. If the request for the domain is successful, WannaCry ransomware will exit and not deploy. If the request fails, it continues to infect devices on the network. When the campaign began on Friday, a security researcher, @MalwareTechBlog, noticed the killswitch domain was unregistered. He promptly registered the domain and directed the requests to a sinkhole, thereby effectively preventing this variant from spreading further.



On May 13th another researcher, @msuiche, discovered a second variant with a different killswitch. @msuiche also registered the domain and directed the request to his own sinkhole, preventing the spread of the second variant. Around May 17th the sinkhole operators reported DDoS attacks targeting the sinkholes, a likely move to take the domains offline so the WannaCry variants could infect their victims. A third variant even surfaced that did not rely on a killswitch. A few days later, decryption tools started coming out for Windows. As individuals and corporations patched their systems around the world, infections decreased, but we are still seeing scans against port 445 as the number one attack against our honeypots. At the time of writing, the original Bitcoin wallets had received 326 payments totaling 51.618 BTC or $144,095, and the campaign had targeted over 100 countries.


While investigating WannaCry, Kafeine reported that an exposed Proofpoint honeypot vulnerable to EternalBlue was attacked within 20 minutes of exposure. Expecting to see WannaCry, they were actually infected with a cryptocurrency miner, Adylkuzz. Infection with Adylkuzz ultimately caused service degradation for infected devices. Proofpoint revealed that this campaign, leveraging the same exploits used by WannaCry, predated the ransomware campaign. Proofpoint's research also revealed that Adylkuzz, upon infection, shut down the SMB protocol to prevent further infection by different types of malware using the same exploit. In parallel with mitigating WannaCry, users patching against the SMB vulnerability were also protecting their devices from Adylkuzz.

Kafeine’s research related to Adylkuzz

Samba, open source software that provides Windows file sharing access to non-Windows machines using the SMB/CIFS protocol, recently disclosed a similar remote code execution vulnerability to WannaCry that allows users authorized access via the SMB protocol. There is even a working exploit leveraging CVE-2017-7494 for Metasploit. Linux.MulDrop.14, as reported by Dr.Web, is a Linux Trojan that is currently delivering a crypto-mining program and targeting Raspberry Pis that have default credentials. This piece of malware is exploiting the recent disclosure from Samba in CVE-2017-7494. It is also reported that this strain of malware downloads zmap and sshpass so it can search the network for devices with port 22 open to infect.

In all cases, attackers are aggressively scanning the internet looking for vulnerable devices with port 445 exposed. The reason so many machines were infected during the campaign was that users neglected to install security updates in a timely fashion. In the case of WannaCry, Microsoft's security update was released a month before the Shadow Brokers leaked the FuzzBunch framework that included the exploits and payload used in the campaign. The best prevention for attacks in general is through maintenance and patching. Users need to get into the habit of patching their devices on a regular basis, segmenting networks when possible and changing default credentials.
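The worm behaviour described above, a single host fanning out to port 445 on many neighbours in seconds, is easy to spot in connection logs once you know to look for it. The following Python detector is an added example, not code from the original article; the log format and sample lines are constructed for illustration, and the threshold and window are assumptions a defender would tune to their own network.

```python
"""Flag worm-like SMB lateral movement in connection logs.

Added example, not from the original article. A source host that tries
to reach port 445 on many distinct destinations within a short window
looks like WannaCry/Adylkuzz scanning a subnet for vulnerable SMB hosts,
whereas a normal file-share client talks to a handful of servers repeatedly.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <flag>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.7 -> 10.0.1.20:445 SYN
2017-05-12T10:00:01 10.0.1.7 -> 10.0.1.21:445 SYN
2017-05-12T10:00:02 10.0.1.7 -> 10.0.1.22:445 SYN
2017-05-12T10:00:02 10.0.1.7 -> 10.0.1.23:445 SYN
2017-05-12T10:00:03 10.0.1.7 -> 10.0.1.24:445 SYN
2017-05-12T10:00:03 10.0.1.7 -> 10.0.1.25:445 SYN
2017-05-12T10:00:05 10.0.1.50 -> 10.0.1.5:445 SYN
2017-05-12T10:01:10 10.0.1.50 -> 10.0.1.5:445 SYN
2017-05-12T10:02:00 10.0.1.9 -> 93.184.216.34:443 SYN
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _, dst, _flag = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_smb_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: distinct_port_445_targets} for sources that reach
    at least `threshold` distinct hosts on 445 within any `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst_ip, port = parse_line(line)
        if port == 445:  # only SMB connection attempts matter here
            events[src].append((ts, dst_ip))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                alerts[src] = len(targets)
                break
    return alerts


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT possible SMB worm scan: {src} hit {n} hosts on port 445")
```

The repeated connections from 10.0.1.50 to one file server are not flagged, while 10.0.1.7's sweep of six hosts in three seconds is.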



  1. “a similar remote code execution vulnerability to WannaCry that allows users authorized access”

    WannaCry is a piece of malware, not a vulnerability. WannaCry is one of the potential payloads when CVE-2017-0144 is exploited. Other payloads have been dropped when CVE-2017-0144 was exploited.

    In an unfortunate exploitation of marketing, the vulnerability CVE-2017-7494 was dubbed SambaCry. WannaCry is nothing at all like SambaCry. One is a payload, the other is a vulnerability and neither is an exploit.

    You might want to correct this article.

  2. The article is really good. The topic already interested me, and I was able to find quite a few interesting things here. I look forward to reading more blog posts. Thanks and greetings from Heidelberg, Marco


