DNAShell: Iran-based attackers utilize a DNA sequencer exploit for genetic information theft.
A popular saying is "You can change all your banking passwords and your credit card numbers, but not your DNA." Because genetic material is a unique attribute of each individual, stolen DNA data can be used for purposes such as establishing paternity, proving genealogical connections, or even unmasking private medical conditions.
We observed a case in which attacks originating from Iran attempt to use an exploit in a popular DNA sequencing LIMS software package to bind a shell.
About the attack
From June 12 to 14, we saw regular attacks from 18.104.22.168, an IP address located in Iran, utilizing CVE-2017-6526, an issue in dnaTools dnaLIMS 4-2015s13. According to dnatools.com, "dnaLIMS™ is a Web based bioinformatics LIMS that provides scientists and researchers with hardware independent software tools for processing and managing DNA sequencing requests."
The tool is popular and is used by various institutions. A simple Google dork surfaces several dnaLIMS login portals:
The attack code is a POST request to cgi-bin/dna/sysAdmin.cgi, as shown below:
The above script can be broken down into two basic parts. The first part iterates through all the environment variables in order to locate /bin/bash or whichever other shell the Unix system uses. The code below is a safe implementation that can be used to show that it will indeed find /bin/bash on a Linux system.
The second part then takes this variable, creates a new raw socket that listens on port 11831, and passes any command received through the socket to that variable, which in this case is /bin/bash. A bind shell is thus established.
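The two stages described above leave two artifacts a defender can look for: the POST to the sysAdmin.cgi endpoint in the web server's access log, and a listener on TCP port 11831 on the host once the second stage runs. The following Python is an added detection example, not code from the original post or from the dnaLIMS vendor; the access log lines and the /proc/net/tcp snippet are constructed samples (the source IP is the one named above, the timestamps, user agents and inode values are made up), and the leading slash on the exploit path is an assumption made so that it matches the request-line form found in Apache/nginx combined-format logs.

```python
"""Detection helpers for the dnaLIMS attack pattern described in the post.

Two observables are checked:
  1. POST requests to cgi-bin/dna/sysAdmin.cgi in the access log (the
     request that carries the exploit).
  2. An unexpected TCP listener on port 11831 (the bind shell's port).
All sample data below is constructed for this example.
"""
import os
import re
from collections import Counter

# Request path targeted by the exploit (from the post); leading slash assumed.
EXPLOIT_PATH = "/cgi-bin/dna/sysAdmin.cgi"
# Port on which the second stage of the payload listens (from the post).
BIND_SHELL_PORT = 11831

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed access log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
18.104.22.168 - - [12/Jun/2017:03:14:07 +0000] "POST /cgi-bin/dna/sysAdmin.cgi HTTP/1.1" 200 512 "-" "python-requests/2.18.1"
10.0.0.5 - - [12/Jun/2017:03:15:01 +0000] "GET /cgi-bin/dna/login.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
18.104.22.168 - - [13/Jun/2017:11:22:41 +0000] "POST /cgi-bin/dna/sysAdmin.cgi HTTP/1.1" 200 512 "-" "curl/7.52.1"
10.0.0.7 - - [14/Jun/2017:09:00:12 +0000] "POST /cgi-bin/dna/sysAdmin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed /proc/net/tcp content: sshd on 22 listening, something on 0x2E37 (11831)
# listening, and one established connection on port 80.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18321 1 0000000000000000 100 0 0 10 0
   1: 00000000:2E37 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 99137 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000    33        0 99201 1 0000000000000000 100 0 0 10 0
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def find_sysadmin_posts(records, trusted_sources=frozenset()):
    """Return POSTs to the sysAdmin.cgi endpoint from sources not on the trusted list."""
    return [
        r for r in records
        if r["method"] == "POST"
        and r["path"] == EXPLOIT_PATH
        and r["ip"] not in trusted_sources
    ]


def hits_per_source(hits):
    """Count flagged requests per source address so repeat offenders stand out."""
    return Counter(r["ip"] for r in hits)


def listening_ports(proc_net_tcp_text):
    """Extract ports in LISTEN state (st == 0A) from /proc/net/tcp-formatted text."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))  # port is hex
    return ports


def find_unexpected_listeners(proc_net_tcp_text, expected_ports):
    """Listening ports outside the expected baseline; 11831 here means the bind shell is up."""
    return sorted(listening_ports(proc_net_tcp_text) - set(expected_ports))


if __name__ == "__main__":
    records = parse_access_log(SAMPLE_ACCESS_LOG)
    hits = find_sysadmin_posts(records, trusted_sources={"10.0.0.7"})
    for ip, n in hits_per_source(hits).items():
        print(f"{ip}: {n} POST(s) to {EXPLOIT_PATH}")
    # Use the live socket table when running on Linux, otherwise the constructed sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            table = f.read()
    else:
        table = SAMPLE_PROC_NET_TCP
    for port in find_unexpected_listeners(table, expected_ports={22, 80, 443}):
        tag = " (bind shell port from the post)" if port == BIND_SHELL_PORT else ""
        print(f"unexpected listener on tcp/{port}{tag}")
```

The listener check is deliberately a baseline comparison rather than a lookup of port 11831 alone, since the port is a detail of this one payload and a variant could pick another; the access-log check is the more stable signal, because the vulnerable endpoint does not change. Run the script on the LIMS host itself so the live /proc/net/tcp is consulted.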
The exact motives of the attacker(s) are unknown. Unlike IP cameras or routers, these are very specialised devices installed in scientific, academic and medical institutions. As a result, the number of such devices is not very high and would not help greatly in DDoS.
However, successful exploitation and DNA theft in specific cases can be lucrative: the data can be sold on the black market, or a high-profile attacker may be looking for a specific person's data.
We are not aware of a patch for this bug. In fact, when we looked at the original disclosure by ShoreBreakSecurity, we saw a funny disclosure response from the vendor, indicating they don't take DNA theft seriously.
Be careful when you share your DNA with a third party. It's your hash!