Worm Burrows Into Storage Servers Via Shellshock Flaw

Attackers are targeting a popular brand of network-attached storage (NAS) systems using the well-known Shellshock vulnerability to compromise the devices and install a backdoor that automatically scans for more potential victims, according to security researchers.

The attack, which qualifies as a worm, uses a previously known vulnerability in popular NAS devices made by QNAP, according to an analysis published by the SANS Institute. While the Shellshock vulnerability affects the Bourne Again Shell (BASH), a popular terminal program on Linux and Unix systems, attackers can trigger the vulnerability through other programs that use the shell for scripting. In this case, the attack exploits a Web script on the QNAP storage servers.

Exploited

Storage systems—many of which have a built-in Web server as a management interface—will continue to be a popular target of attackers because they typically house valuable data, Johannes Ullrich, dean of research for the SANS Technology Institute, told eWEEK.

“They are pretty capable servers, but also rich in vulnerabilities and there typically is no easy way to patch them,” he said. “Also, there is no alert [that a patch is available] unless you connect to the device, which you don’t normally do.”

The critical vulnerability in the BASH program, widely known as Shellshock, was disclosed on Sept. 24. Attackers quickly began exploiting the software bug using a popular Web scripting framework known as the Common Gateway Interface (CGI). Within the first week, security firm Imperva recorded more than 36,000 campaigns seeking out and attacking systems with the vulnerability.

In October, security firm FireEye warned that attackers had also begun targeting QNAP network attached storage (NAS) systems through its CGI scripts.

“All the targets we have observed thus far have been openly accessible QNAP NAS systems hosted on networks belonging to universities and research institutes in Japan and Korea, as well as one in the U.S.,” FireEye said in its own analysis in October.

Exposure

Adding automatic propagation to the attack quickens the spread of the backdoor program, but also makes the attack more obvious. Many NAS systems are designed to be connected directly to the Internet, giving attackers a large population of targets.

While QNAP warned systems administrators to disconnect the devices until they patched the systems, the SANS Institute’s Ullrich recommended that such devices be placed behind a firewall, at the very least.

“The features are designed with them being exposed, however,” he said. “They do not come to a big warning to not connect them to the Internet, just the opposite.”

The compromised QNAP servers not only scans for new victims, but also conduct advertising click-fraud, a scam that generates affiliate ad revenue by clicking on advertising links.

Are you a security pro? Try our quiz!

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago