Hacker is targeting DNA sequencer applications from Iranian IP address

Pierluigi Paganini June 17, 2019

Threat actors are targeting Web-based DNA sequencer applications leveraging a still-unpatched zero-day to take over the targeted systems.

Starting from June 12, 2019, the researcher Ankit Anubhav from NewSky Security, observed threat actors targeting Web-based DNA sequencer applications. The attackers are leveraging a still-unpatched zero-day vulnerability, tracked as CVE-2017-6526, to gain full control over the targeted systems.

The vulnerability in dnaLIMS was reported to the vendor in 2017, but it is still unpatched.

The attackers are scanning the Internet for dnaLIMS, a web-based application used to handle DNA sequencing operations in the research industry. The attacks originated from the IP address 2.176.78.42, which is located in Iran.

“From June 12 – 14, we saw regular attacks from 2.176.78.42, an IP located in Iran, utilizing CVE-2017-6526, an issue in dnaTools dnaLIMS 4-2015s13. According to dnatools.com, dnaLIMS™ is a Web based bioinformatics LIMS that provides scientists and researchers with hardware independent software tools for processing and managing DNA sequencing requests.” reads a blog post published by the expert.

The hackers leverage the vulnerability to bind a shell and take control of the web server.

Why DNA sequencing apps?

Attackers could be interested in stealing hashes of DNA sequences from the application’s database to resell them on the dark web or compromising servers to add to their botnet.

We cannot exclude that the threat actor behind these attacks is using exploits available online indiscriminately, in an attempt to compromise as many systems as possible.

It is still unclear why attackers are targeting DNA sequencing apps. The number of these devices is limited (only a few tens of devices are exposed online), and it is unlikely that hackers want to use the compromised systems to carry out DDoS attacks.

“The exact motives of the attacker(s) is unknown. Unlike an IPCamera or Router based IoT device, these are very unique devices installed in scientific, academic and medical institutions. As a result, the number of such devices is not very high and might not help greatly in DDoS.” concludes the expert.

“However, successful exploitation and DNA theft in specific cases can be fruitful. Either it can be sold in black market, or a high profile attacker can actually be looking for a specific persons’ data.

We are not aware of a patch for this bug. In fact, when we had a look at the original disclosure by ShoreBreakSecurity, we saw a funny disclosure response by the vendor, indicating they don’t take DNA theft seriously.”

The expert also analyzed historical activity related to the attacker’s IP address and discovered that it was also associated with nmap scans and with the use of two other exploits, one for Zyxel routers (CVE-2017-6884) and one for the Apache Struts flaw (CVE-2017-5638).


Pierluigi Paganini

(SecurityAffairs – DNA sequencer applications, hacking)
