Security

SOHOpeless Seagate NAS boxen become malware distributors

All attackers have to do is upload a file into a public folder. No password. No nothing


Update Sophos researchers say they've uncovered a malware strain that targets Seagate's network-attached storage appliances and turns them into distribution points for cryptocurrency-mining malware.

Attila Marosi, a senior threat researcher, explains the attack in a document titled Cryptomining malware on NAS servers (PDF).

“Attack” is being kind: Marosi notes that the NAS at the heart of the problem - the “Seagate Central” - has a public folder that can be written to by default when remote access is enabled. All you need to do to access that folder is FTP in with publicly-published credentials.

The Seagate Central is promoted as a great way to access your media from anywhere, so remote access is wide open on many of the devices. The malware spreads when users open the NAS device's public folder. Marosi found 7,000 of the devices online with remote access enabled, of which 70 per cent were infected by Mal/Miner-C malware, which mines the minor cryptocurrency Monero.
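The condition described above, a share that anyone can write to over anonymous FTP, leaves a simple trail if the FTP daemon logs transfers. The following is an added example, not code from the article or from Sophos or Seagate: a small detector that reads a wu-ftpd/vsftpd-style xferlog and flags every upload made in an anonymous or guest session, rating uploads of executable or script content as high severity. The xferlog format is an assumption here (the article does not describe the Seagate Central's own logging), and the sample lines are constructed.

```python
"""Flag anonymous FTP uploads into a NAS share from an xferlog-style transfer log.

Added example. It assumes a wu-ftpd/vsftpd xferlog format; the article does not
describe the Seagate Central's own logging. All sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One xferlog record: timestamp, transfer seconds, remote host, bytes, path,
# transfer type (a/b), special-action flag, direction (i=upload, o=download,
# d=delete), access mode (a=anonymous, g=guest, r=real user), username,
# service, auth method, authenticated id, completion status (c/i).
_XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<secs>\d+)\s+(?P<host>\S+)\s+(?P<size>\d+)\s+(?P<path>\S+)\s+"
    r"(?P<ttype>[ab])\s+(?P<action>\S+)\s+(?P<dir>[iod])\s+(?P<mode>[agr])\s+"
    r"(?P<user>\S+)\s+(?P<service>\S+)\s+(?P<auth>[01])\s+(?P<authid>\S+)\s+"
    r"(?P<status>[ci])\s*$"
)

# File types an anonymous remote party has no business dropping on a media share.
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js",
                    ".jar", ".sh", ".pl", ".py", ".elf"}

# Constructed sample log; the hosts and file names are illustrative only.
SAMPLE_XFERLOG = """\
Mon Sep  5 10:12:01 2016 2 203.0.113.5 512000 /Public/gallery.scr b _ i a ftp ftp 0 * c
Mon Sep  5 10:12:09 2016 1 203.0.113.5 311 /Public/info.sh a _ i a ftp ftp 0 * c
Mon Sep  5 10:15:00 2016 1 203.0.113.5 120 /Public/readme.txt a _ i a ftp ftp 0 * c
Mon Sep  5 11:02:44 2016 30 198.51.100.7 4194304 /Public/holiday.mp4 b _ o a ftp ftp 0 * c
Mon Sep  5 11:30:00 2016 3 192.168.1.20 2048 /Private/notes.txt a _ i r alice ftp 1 alice c
Mon Sep  5 11:40:00 2016 5 203.0.113.5 1048576 /Public/update.exe b _ i a ftp ftp 0 * i
this line is not an xferlog record
"""


@dataclass
class Transfer:
    host: str
    path: str
    size: int
    direction: str   # 'i' upload, 'o' download, 'd' delete
    mode: str        # 'a' anonymous, 'g' guest, 'r' real user
    user: str
    complete: bool


@dataclass
class Finding:
    host: str
    path: str
    severity: str
    reason: str


def parse_xferlog_line(line: str) -> Optional[Transfer]:
    """Parse one xferlog line; return None for lines that do not match."""
    m = _XFERLOG_RE.match(line)
    if not m:
        return None
    return Transfer(host=m["host"], path=m["path"], size=int(m["size"]),
                    direction=m["dir"], mode=m["mode"], user=m["user"],
                    complete=m["status"] == "c")


def _has_risky_extension(path: str) -> bool:
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in RISKY_EXTENSIONS


def find_anonymous_uploads(lines: Iterable[str]) -> List[Finding]:
    """Flag every upload made over an anonymous or guest FTP session.

    Downloads and uploads by authenticated real users are ignored. An
    incomplete upload is still reported: the partial file is already on disk.
    """
    findings: List[Finding] = []
    for raw in lines:
        t = parse_xferlog_line(raw.rstrip("\n"))
        if t is None or t.direction != "i" or t.mode not in ("a", "g"):
            continue
        if _has_risky_extension(t.path):
            sev, why = "high", "anonymous upload of executable/script content"
        else:
            sev, why = "medium", "anonymous upload"
        if not t.complete:
            why += " (transfer incomplete)"
        findings.append(Finding(t.host, t.path, sev, why))
    return findings


if __name__ == "__main__":
    for f in find_anonymous_uploads(SAMPLE_XFERLOG.splitlines()):
        print(f"{f.severity:6} {f.host:15} {f.path}  {f.reason}")
```

On the constructed sample this reports four anonymous uploads from one host and ignores both the download and the authenticated user's upload. A single hit from a device that is supposed to serve media, not receive it, is the signal that the public folder is writable from the internet and that FTP port forwarding should be switched off.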

Marosi speculates that the malware's masters figured out that Bitcoin is harder to mine, but that a newer cryptocurrency would be easier to coin. But the crims behind the malware are picky: the first thing it does is run a script that retrieves information on CPU and GPU, because the crims prefer machines that have enough grunt to do a lot of hashing and therefore coin it faster.

The Seagate boxen eventually contributed about 2.5 per cent of the malware's mining colony, yielding around US$86,000 over six months.

The market for small NAS devices is tiny, so this kind of attack is not likely to make a massive impact. On the downside, the small size of the market means it may not be attracting top-notch security thinkers as open FTP access is pretty amazingly bad even by the standards of the SOHOpeless security so often found in devices intended for home use. ®

Update: Seagate has been in touch to say it was "made aware of a potential security issue related to the use of Seagate Central network storage and malware targeting FTP users. The solution for customers to help protect themselves from this risk is to utilize the provided secure remote access feature." "Seagate Central offers remote access through various methods including secure remote access and anonymous/secured FTP. A majority of Seagate Central customers use the provided secure remote access. Seagate encourages users to utilize the secure remote access as the default method and to ensure that port forwarding of FTP is turned off."

"Advanced users may choose to use FTP and can enable port forwarding to utilize the FTP features. FTP anonymous access would require a user to expose the device to the internet through port forwarding in their router."

The company did not contest Sophos' assertion that around 5,000 of the devices have been compromised.

Second Update Seagate has since been in touch a second time to say the update above was not its final or official comment and that the final form of words will reach us later today sometime. When it does, we'll add a third update to this story.
