Thousands of NAS devices infected with malware through public FTP write access

Owners of Seagate NAS devices should check whether the FTP server has a public shared folder with write access, as cybercriminals can abuse it to serve malware. According to a report from antivirus vendor Sophos, the majority of Seagate Central NAS devices in particular have been infected.

The cybercriminals upload malware called Miner-C to the NAS; it is used to mine the digital currency Monero on the systems it infects. Worldwide, more than 5,000 NAS servers are infected with Miner-C, according to Sophos. The infected NAS devices are in turn used to infect other computers. To get FTP access, the malware logs in using a list of usernames and passwords.

As soon as the malware has access, it copies itself to the NAS and adds an iframe pointing to a .SCR or .ZIP file to the .HTML and .PHP files stored there. When one of these pages is opened, the user is asked whether they want to save the file. If the file is then opened, the NAS owner's computer also becomes infected and is used to mine the Monero cryptocurrency. The infected computer is also used to search for other vulnerable FTP servers.

The Seagate Central NAS devices are especially vulnerable because, due to a design flaw, they contain a public folder and a public account that are enabled by default and cannot be disabled.

When remote access is turned on, the public account on the Seagate device is accessible by anyone. Attackers abuse this feature to add malware to the NAS, which contains a Photos folder by default. In this folder the attackers place a file called Photos.scr that carries the icon of a Windows folder. Because Windows does not show file extensions by default, users are tricked into thinking it is a photo folder. As soon as it is opened, the computer is infected.
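A defender-side check for the two indicators described above (a dropped .scr file such as Photos.scr, and HTML/PHP pages carrying an injected iframe that points at a .scr or .zip payload), written as an added example and not taken from Sophos or the article. It walks a locally mounted copy of the NAS share; the share layout built by demo_share() is constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the article: the malware drops .SCR/.ZIP payloads (e.g. Photos.scr)
# and injects an iframe pointing at them into the .HTML/.PHP files on the share.
PAYLOAD_EXT = {".scr", ".zip"}
PAGE_EXT = {".html", ".htm", ".php"}
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

def payload_iframes(page_text):
    """Return iframe src values that point at a .scr or .zip file."""
    hits = []
    for src in IFRAME_SRC.findall(page_text):
        if Path(src.split("?", 1)[0]).suffix.lower() in PAYLOAD_EXT:
            hits.append(src)
    return hits

def scan_share(root):
    """Walk a locally mounted copy of the share; report .scr files (never
    legitimate in a Photos folder) and pages whose iframes load a payload."""
    base = Path(root)
    report = {"screensavers": [], "injected_pages": []}
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        ext = path.suffix.lower()
        if ext == ".scr":
            report["screensavers"].append(rel)
        elif ext in PAGE_EXT:
            text = path.read_text(encoding="utf-8", errors="replace")
            if payload_iframes(text):
                report["injected_pages"].append(rel)
    return report

def demo_share():
    """Build a constructed (fake) share layout so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="nas_share_")
    photos = Path(root, "Photos")
    photos.mkdir()
    (photos / "Photos.scr").write_bytes(b"not a real binary")  # constructed stand-in
    Path(root, "index.html").write_text(
        '<html><body>Gallery<iframe src="Photos/Photos.scr" width=0 height=0>'
        "</iframe></body></html>")
    Path(root, "about.php").write_text("<?php echo 'clean page'; ?>")
    return root
```

Run `scan_share("/mnt/nas_public")` against a read-only mount of the share to get the same report for a real device.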

Almost all Seagate Central NAS devices are infected with the Miner-C malware, according to Sophos. In total the antivirus vendor discovered more than 5,100 infected NAS servers. About half of all Monero cryptocoins are mined by the infected devices.

09 September 2016