Attackers run patch routine after compromising the device

Dec 17, 2014 10:22 GMT
Cybercriminals exploit Shellshock flaw to compromise NAS devices from QNAP

Although a fix for the Shellshock bug has been released, many network attached storage (NAS) devices remain vulnerable to the flaw in the Bash command processor used on Linux and Unix systems, and cybercriminals are still relying on it to take control of the devices.

The attack aims at QNAP NAS devices that have not been immunized against Shellshock and relies on a simple method to achieve the compromise.

Common attack vector is used

It targets the “/cgi-bin/authLogin.cgi” file, which serves the administrative log-in page for the storage unit; calling it does not require authentication, so an untrusted party can inject arbitrary commands and have them executed.

This is a common attack vector, presented by researchers at FireEye at the beginning of October.
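For defenders, the practical question is whether the unauthenticated CGI above has been probed. The script below is an added example, not code from the article or from QNAP: it scans web-server access logs in the common Apache/nginx “combined” format (the assumption that the NAS logs in that format is mine), flags any request whose Referer or User-Agent carries the “() {” prefix that makes Bash treat a variable as a function definition, and notes whether the request hit authLogin.cgi. The sample log lines are constructed from documentation IP ranges and placeholder payloads.

```python
import re
from collections import Counter
from typing import Dict, List

# Apache/nginx "combined" access-log layout (assumed for the NAS web server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Bash treats an environment variable whose value begins with "() {" as a
# function definition; that prefix is the Shellshock marker IDS signatures
# key on. Whitespace between "()" and "{" may vary, hence \s*.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# The unauthenticated CGI named in the article.
TARGET_CGI = "/cgi-bin/authLogin.cgi"

# Constructed sample lines: documentation IPs, harmless placeholder payloads,
# plus one malformed line to show that non-matching input is skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2014:09:55:01 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 1532 "-" "() { :; }; echo shellshock-probe"
198.51.100.3 - - [17/Dec/2014:09:55:09 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
203.0.113.7 - - [17/Dec/2014:09:55:12 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 4120 "() {:;}; echo probe" "curl/7.38.0"
192.0.2.44 - - [17/Dec/2014:09:56:30 +0000] "POST /cgi-bin/authLogin.cgi HTTP/1.1" 200 1532 "-" "() { ignored; }; echo probe"
garbage line that is not in combined format
"""


def find_shellshock_probes(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line whose Referer or User-Agent carries the marker.

    Only the two header fields present in a combined log are inspected; a full
    request capture (e.g. a reverse-proxy or IDS feed) should check every header,
    because CGI copies all of them into the environment Bash reads.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        for field in ("referer", "user_agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "path": m.group("path"),
                    "field": field,
                    "targets_authlogin": m.group("path") == TARGET_CGI,
                })
                break  # one record per line is enough for triage
    return hits


def summarize_by_ip(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count probe lines per source address, for blocking or further lookup."""
    return dict(Counter(str(h["ip"]) for h in hits))


if __name__ == "__main__":
    found = find_shellshock_probes(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize_by_ip(found))
```

A hit on authLogin.cgi from an unpatched device should be treated as a likely compromise rather than a mere scan, since no authentication stands between the request and Bash.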

QNAP rolled out firmware that included a patch against Shellshock on October 5, but the update was not applied automatically; customers had to initiate the update check manually. Needless to say, many did not bother, leaving their NAS open to compromise.

Johannes B. Ullrich, dean of research at SANS Technology Institute, says that the attackers exploit the flaw in order to launch a simple shell script responsible for downloading and executing other pieces of malware.

According to his blog post, the purpose of the compromise appears to be running “a click fraud script against advertisement network ‘JuiceADV’.”

Malware patches device against Shellshock after compromise

Ullrich notes that the malware also includes instructions to create a hidden folder on the infected systems, which stores scripts and files downloaded from the command and control machine.

It appears that the malware changes the DNS server address to 8.8.8.8 and creates an SSH server that communicates on port 26. Additionally, an extra administrator account is created on the device, with the name “request.”

Ullrich says that the autorun file on the NAS device is also modified, so that the backdoors are launched at startup.

However, the most interesting part is that the malware downloads and installs the necessary patch against Shellshock for the affected device; then the unit is rebooted for the changes to be applied properly.

This last step has been seen in other attacks; its purpose is to ensure that rival attackers cannot take over the device. It also means that owners who scan for vulnerabilities will find the system patched against Shellshock and may not check whether the device is actually infected.
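Because the malware closes the hole it came through, a vulnerability scan is not enough; owners have to look for the post-compromise changes the article lists. The audit below is an added example, not code from SANS, Ullrich or QNAP. It takes the text of the account database, the resolver configuration, a `netstat -tln` style listing and the autorun script (how these are collected from a given NAS is left to the reader) and reports the indicators described above: the extra “request” administrator account, a resolver changed to 8.8.8.8, an SSH listener on port 26, and an autorun script that no longer matches the owner's baseline or references a hidden (dot-prefixed) directory. The assumption that “admin” is the only account expected to hold UID 0, and all sample inputs, are mine.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class Finding:
    indicator: str
    detail: str


# Indicators reported for this campaign.
ROGUE_ACCOUNT = "request"
ROGUE_SSH_PORT = 26
ROGUE_DNS = "8.8.8.8"
# Assumption: only the built-in "admin" account should have UID 0 on the NAS.
EXPECTED_UID0 = {"admin"}
# Absolute path component starting with a dot, e.g. /share/.hidden_dir/
HIDDEN_DIR_RE = re.compile(r"/\.[A-Za-z0-9_-]+(?=/|\s|$)")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def check_accounts(passwd_text: str) -> List[Finding]:
    """Flag the campaign's account name and any unexpected UID 0 account."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue  # comment or malformed entry
        name, uid = parts[0], parts[2]
        if name == ROGUE_ACCOUNT:
            findings.append(Finding("rogue_account", f"account '{name}' present"))
        elif uid == "0" and name not in EXPECTED_UID0:
            findings.append(Finding("extra_uid0", f"unexpected UID 0 account '{name}'"))
    return findings


def check_resolver(resolv_text: str, expected: Sequence[str]) -> List[Finding]:
    """Flag nameservers the owner did not configure (8.8.8.8 itself is benign)."""
    findings = []
    for line in resolv_text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m and m.group(1) not in expected:
            detail = f"nameserver changed to {m.group(1)}"
            if m.group(1) == ROGUE_DNS:
                detail += " (value used by this campaign)"
            findings.append(Finding("dns_changed", detail))
    return findings


def check_listeners(netstat_text: str) -> List[Finding]:
    """Flag a TCP listener on the port the campaign's SSH backdoor used."""
    findings = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m and int(m.group(1)) == ROGUE_SSH_PORT:
            findings.append(Finding("ssh_backdoor_port", f"TCP listener on port {ROGUE_SSH_PORT}"))
    return findings


def check_autorun(autorun_text: str, baseline_sha256: str) -> List[Finding]:
    """Compare autorun against a digest recorded while the device was clean."""
    findings = []
    if sha256_hex(autorun_text) != baseline_sha256:
        findings.append(Finding("autorun_modified", "autorun script differs from owner's baseline"))
    for line in autorun_text.splitlines():
        if HIDDEN_DIR_RE.search(line):
            findings.append(Finding("autorun_hidden_dir", f"autorun references hidden directory: {line.strip()}"))
    return findings


def audit_device(passwd: str, resolv: str, netstat: str, autorun: str,
                 baseline_sha256: str, expected_dns: Sequence[str]) -> List[Finding]:
    return (check_accounts(passwd) + check_resolver(resolv, expected_dns)
            + check_listeners(netstat) + check_autorun(autorun, baseline_sha256))


# Constructed sample inputs (not captured from a real device).
CLEAN_AUTORUN = "#!/bin/sh\n# owner's startup tasks\n/etc/init.d/cron.sh start\n"
BASELINE_AUTORUN_SHA256 = sha256_hex(CLEAN_AUTORUN)  # recorded on a known-clean device
EXPECTED_DNS = ["192.168.1.1"]
CLEAN: Dict[str, str] = {
    "passwd": "admin:x:0:0:administrator:/share/homes/admin:/bin/sh\nguest:x:65534:65534:guest:/tmp:/bin/sh\n",
    "resolv": "nameserver 192.168.1.1\n",
    "netstat": "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\ntcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN\n",
    "autorun": CLEAN_AUTORUN,
}
INFECTED: Dict[str, str] = {
    "passwd": CLEAN["passwd"] + "request:x:0:0::/:/bin/sh\n",
    "resolv": "nameserver 8.8.8.8\n",
    "netstat": CLEAN["netstat"] + "tcp 0 0 0.0.0.0:26 0.0.0.0:* LISTEN\n",
    "autorun": CLEAN_AUTORUN + "/share/.hidden_sync/start.sh &\n",
}

if __name__ == "__main__":
    for f in audit_device(**INFECTED, baseline_sha256=BASELINE_AUTORUN_SHA256, expected_dns=EXPECTED_DNS):
        print(f"{f.indicator}: {f.detail}")
```

The baseline digest is the important part: a hash recorded before an incident turns “does autorun look odd?” into a yes/no answer, which matters precisely because this malware leaves the device looking patched.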

The bug in Bash was discovered in mid-September and disclosed publicly on September 24. By then a patch had already been prepared for the major Linux distributions, but it did not fix the problem completely and further variants surfaced, prompting the release of several additional patches.
