SOHOpeless Seagate NAS boxen become malware distributors
All attackers have to do is upload a file into a public folder. No password. No nothing
Update Sophos researchers say they've uncovered a malware strain that targets Seagate's network-attached storage appliances and turns them into distribution points for cryptocurrency-mining malware.
Attila Marosi, a senior threat researcher, explains the attack in a document titled Cryptomining malware on NAS servers (PDF).
“Attack” is being kind: Marosi notes that the NAS at the heart of the problem - the “Seagate Central” - has a public folder that can be written to by default when remote access is enabled. All you need to do to access that folder is FTP in with publicly-published credentials.
The Seagate Central is promoted as a great way to access your media from anywhere, so remote access is wide open on many of the devices. The malware spreads when users open the NAS device's public folder. Marosi found 7,000 of the devices online with remote access enabled, of which 70 per cent were infected by Mal/Miner-C malware, which mines the minor cryptocurrency Monero.
Marosi speculates that the malware's masters figured out that Bitcoin are harder to mine, but that a newer cryptocurrency would be easier to coin. But the crims behind the malware are picky: the first thing it does is run a script that retrieves information on CPU and GPU, because the crims prefer machines that have enough grunt to do a lot of hashing and therefore coin it faster.
The Seagate boxen eventually contributed about 2.5 per cent of the malware's mining colony, yielding around US$86,000 over six months.
The market for small NAS devices is tiny, so this kind of attack is not likely to make a massive impact. On the downside, the small size of the market means it may not be attracting top-notch security thinkers, as open FTP access is pretty amazingly bad even by the standards of the SOHOpeless security so often found in devices intended for home use. ®
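A defender-side check for the exposure described above, as an added example that is not from the article or from Sophos: it scans an FTP transfer log for files uploaded by anonymous sessions. It assumes the FTP server writes the standard xferlog format; whether the Seagate Central does is not stated here, and the log lines, file names and extension list are constructed.

```python
"""Flag anonymous FTP uploads recorded in an xferlog-format transfer log."""
from collections import namedtuple

Upload = namedtuple("Upload", "when host size path risky")

# Assumed list: file types a media share has no reason to receive anonymously.
RISKY_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".zip")

# Constructed sample log (documentation IP ranges, invented file names).
SAMPLE_LOG = """\
Thu Sep  8 10:15:02 2016 3 203.0.113.5 1534976 /Public/holiday.scr b _ i a anon@example.invalid ftp 0 * c
Thu Sep  8 10:16:40 2016 1 192.168.1.20 48211 /Public/song.mp3 b _ o a anon@example.invalid ftp 0 * c
Thu Sep  8 10:20:11 2016 2 192.168.1.20 90412 /Public/family pic.jpg b _ i r alice ftp 0 * c
Thu Sep  8 11:02:57 2016 1 198.51.100.9 2048 /Public/new folder/setup.exe b _ i a guest@example.invalid ftp 0 * c
Thu Sep  8 11:30:00 2016 1 198.51.100.9 73100 /Public/cat.jpg b _ i a guest@example.invalid ftp 0 * c
"""


def parse_line(line):
    """Return an Upload for an anonymous inbound transfer, else None."""
    tok = line.split()
    # 5 date tokens + time, host, size + filename (>= 1) + 9 trailing fields.
    if len(tok) < 18 or not tok[7].isdigit():
        return None  # blank, truncated or foreign line
    # Index the trailing fields from the right so that a filename
    # containing spaces cannot shift direction and access mode.
    direction, access_mode = tok[-7], tok[-6]
    if direction != "i" or access_mode != "a":  # i = incoming, a = anonymous
        return None
    path = " ".join(tok[8:-9])
    return Upload(" ".join(tok[:5]), tok[6], int(tok[7]), path,
                  path.lower().endswith(RISKY_EXT))


def find_anonymous_uploads(log_text):
    """Return every anonymous upload in the log, in order of appearance."""
    hits = (parse_line(line) for line in log_text.splitlines())
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for u in find_anonymous_uploads(SAMPLE_LOG):
        flag = "RISKY" if u.risky else "review"
        print(f"{flag:6} {u.when} {u.host} {u.size:>8} {u.path}")
```

On a share that is meant to be read-only from outside, any hit is worth investigating, not only the ones marked risky.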
Update: Seagate has been in touch to say it was "made aware of a potential security issue related to the use of Seagate Central network storage and malware targeting FTP users. The solution for customers to help protect themselves from this risk is to utilize the provided secure remote access feature."
"Seagate Central offers remote access through various methods including secure remote access and anonymous/secured FTP. A majority of Seagate Central customers use the provided secure remote access. Seagate encourages users to utilize the secure remote access as the default method and to ensure that port forwarding of FTP is turned off."
"Advanced users may choose to use FTP and can enable port forwarding to utilize the FTP features. FTP anonymous access would require a user to expose the device to the internet through port forwarding in their router."
The company did not contest Sophos' assertion that around 5,000 of the devices have been compromised.
Second Update: Seagate has since been in touch a second time to say the update above was not its final or official comment and that the final form of words will reach us later today sometime. When it does, we'll add a third update to this story.