All attackers have to do is upload a file into a public folder. No password. No nothing
Sophos researchers say they’ve uncovered a malware strain that targets Seagate’s network-attached storage appliances and turns them into distribution points for cryptocurrency-mining malware.
Attila Marosi, a senior threat researcher, explains the attack in a document titled Cryptomining malware on NAS servers (PDF).
“Attack” is being kind: Marosi notes that the NAS at the heart of the problem – the “Seagate Central” – has a public folder that can be written to by default when remote access is enabled. All you need to do to access that folder is FTP in with publicly-published credentials.
The Seagate Central is promoted as a great way to access your media from anywhere, so remote access is wide open on many of the devices. The malware spreads when users open the NAS device’s public folder. Marosi found 7,000 of the devices online with remote access enabled, of which 70 per cent were infected by Mal/Miner-C malware, which mines the minor cryptocurrency Monero.
Marosi speculates that the malware’s masters figured out that Bitcoin are harder to mine, but that a newer cryptocurrency would be easier to coin. But the crims behind the malware are picky: the first thing the malware does is run a script that retrieves information on CPU and GPU, because the crims prefer machines that have enough grunt to do a lot of hashing and therefore coin it faster.
The Seagate boxen eventually contributed about 2.5 per cent of the malware’s mining colony, yielding around US$86,000 over six months.
The market for small NAS devices is tiny, so this kind of attack is not likely to make a massive impact. On the downside, the small size of the market means it may not be attracting top-notch security thinkers, as open FTP access is pretty amazingly bad even by the standards of the SOHOpeless security so often found in devices intended for home use. ®