Starting from June 12, 2019, the researcher Ankit Anubhav from NewSky Security, observed threat actors targeting Web-based DNA sequencer applications. The attackers are leveraging a still-unpatched zero-day vulnerability, tracked as CVE-2017-6526, to gain full control over the targeted systems.
The vulnerability in
The attackers are scanning the Internet for
“From June 12 – 14, we saw regular attacks from 18.104.22.168 , an IP located in Iran, utilizing CVE-2017-6526, an issue in dnaTools dnaLIMS 4-2015s13. According to dnatools.com, dnaLIMS™ is a Web based bioinformatics LIMS that provides scientists and researches with hardware independent software tools for processing and managing DNA sequencing requests.” reads a blog post published by the expert.
The hackers leverage the vulnerability to bind a shell and take control of the web server.
Why DNA sequencing apps?
Attackers could be interested in stealing hashes of DNA sequences from the application’s database to resell them on the dark web or compromising servers to add to their botnet.
We cannot exclude that threat actor behind these attacks are using exploit available online at random in the attempt of compromise the large number of systems.
It is still unclear why attackers are targeting DNA sequencing apps, the number of these devices is limited (only a few tens of devices exposed online
“The exact motives of the attacker(s) is unknown. Unlike an IPCamera or Router based IoT device, these are very unique devices installed in scientific ,academic and medical institutions. As a result,the number of such devices is not very high and might not help greatly in DDoS.” concludes the expert.
“However, successful exploitation and DNA theft in specific cases can be fruitful. Either it can be sold in black market, or a high profile attacker can actually be looking for a specific persons’ data.
We are not aware of a patch for this bug. In fact, when we had a look at the original disclosure by ShoreBreakSecurity, we saw a funny disclosure response by the vendor,indicating they don’t take DNA theft seriously.”
The expert also analyzed historical activity related to the attacker’s IP address and discovered that it was also associated with nmap scans and with the use of two other exploits for Zyxel routers (CVE-2017-6884) and for Apache Struts flaw (CVE-2017-5638).
(SecurityAffairs – DNA sequencer applications, hacking)