Unknown attackers are trying to exploit a vulnerability in dnaLIMS, a web-based bioinformatics laboratory information management system, to plant a bind shell on the underlying web server.
Researcher Ankit Anubhav first noticed the attacks on June 12, and they are apparently still ongoing.
DnaLIMS is developed by Colorado-based dnaTools. It provides software tools for processing and managing DNA sequencing requests.
These tools use browsers to access a UNIX-based web server on the local network, which is responsible for managing all aspects of DNA sequencing.
A simple Google search shows that dnaLIMS is used by a number of scientific, academic and medical institutions.
About the attacks
The exploited flaw, CVE-2017-6526, stems from an improperly protected web shell that ships with dnaLIMS. A crafted POST request to its page bypasses the authentication checks, and this is exactly what is happening in these attacks.
Through that web shell, the attackers spawn a shell that binds to TCP port 11831 on the target host and waits for incoming connections, effectively leaving a standing backdoor that anyone able to reach the port can use without exploiting the flaw again.
It’s hard to tell what the attackers are after. Anubhav notes that dnaLIMS installations are few and far between and believes they would not be useful as bots for DDoS attacks.
“However, successful exploitation and DNA theft in specific cases can be fruitful. Either it can be sold in black market, or a high profile attacker can actually be looking for a specific person’s data,” he added.
But, judging by the data gathered by NewSky Security (Anubhav’s employer), the attackers are scanning the internet and attempting to deploy other exploits, namely for Zyxel routers and Apache Struts installations.
It is certainly possible that the attackers are state-sponsored, really after DNA data, and using the other exploits to throw off researchers, but it is more likely that they are opportunistic attackers looking for any exposed system they can compromise.
There are more unpatched dnaLIMS vulnerabilities
CVE-2017-6526 and several other serious vulnerabilities affecting dnaLIMS (version 4-2015s13) were disclosed in 2017 by Shorebreak Security researchers.
The researchers have notified dnaTools, but the developers did not give any indication that the flaws will be fixed.
“We are not aware of a patch for this bug. In fact, when we had a look at the original disclosure by Shorebreak Security, we saw a funny disclosure response by the vendor, indicating they don’t take DNA theft seriously,” Anubhav noted.
Administrators are therefore left with limited options to protect their installations: they can place the software behind a firewall, restrict access to the web server (or to specific directories) to a set of known IP addresses, and require a VPN for any remote access. They can also keep pressing dnaTools for fixes.
Shorebreak Security offered additional risk mitigation advice to cover all the discovered vulnerabilities.