Worm Burrows Into Storage Servers Via Shellshock Flaw

Attackers are targeting a popular brand of network-attached storage (NAS) systems using the well-known Shellshock vulnerability to compromise the devices and install a backdoor that automatically scans for more potential victims, according to security researchers.

The attack, which qualifies as a worm, uses a previously known vulnerability in popular NAS devices made by QNAP, according to an analysis published by the SANS Institute. While the Shellshock vulnerability affects the Bourne Again Shell (BASH), a popular terminal program on Linux and Unix systems, attackers can trigger the vulnerability through other programs that use the shell for scripting. In this case, the attack exploits a Web script on the QNAP storage servers.

Exploited

Storage systems—many of which have a built-in Web server as a management interface—will continue to be a popular target of attackers because they typically house valuable data, Johannes Ullrich, dean of research for the SANS Technology Institute, told eWEEK.

“They are pretty capable servers, but also rich in vulnerabilities and there typically is no easy way to patch them,” he said. “Also, there is no alert [that a patch is available] unless you connect to the device, which you don’t normally do.”

The critical vulnerability in the BASH program, widely known as Shellshock, was disclosed on Sept. 24. Attackers quickly began exploiting the software bug using a popular Web scripting framework known as the Common Gateway Interface (CGI). Within the first week, security firm Imperva recorded more than 36,000 campaigns seeking out and attacking systems with the vulnerability.

In October, security firm FireEye warned that attackers had also begun targeting QNAP network attached storage (NAS) systems through its CGI scripts.

“All the targets we have observed thus far have been openly accessible QNAP NAS systems hosted on networks belonging to universities and research institutes in Japan and Korea, as well as one in the U.S.,” FireEye said in its own analysis in October.

Exposure

Adding automatic propagation to the attack quickens the spread of the backdoor program, but also makes the attack more obvious. Many NAS systems are designed to be connected directly to the Internet, giving attackers a large population of targets.

While QNAP warned systems administrators to disconnect the devices until they patched the systems, the SANS Institute’s Ullrich recommended that such devices be placed behind a firewall, at the very least.

“The features are designed with them being exposed, however,” he said. “They do not come to a big warning to not connect them to the Internet, just the opposite.”

The compromised QNAP servers not only scans for new victims, but also conduct advertising click-fraud, a scam that generates affiliate ad revenue by clicking on advertising links.

Are you a security pro? Try our quiz!

Originally published on eWeek.