Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/2/2014
01:05 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Shellshock Attacks Spotted Against NAS Devices

First in-the-wild exploits found targeting QNAP network-attached storage devices.

Just a week after news of the Shellshock Bash bug went wide open, researchers believe the onslaught against the Internet of Things (IoT) has already begun. The malicious actors are starting with attacks targeting network-attached storage (NAS) devices, say researchers with FireEye, who believe these are the first in-the-wild attacks against embedded devices using the Bash remote code injection vulnerability.

According to FireEye researchers James Bennett and Josh Gomez, the attack has homed in on NAS devices made by QNAP, which is among the top manufacturers of low-cost NAS devices for consumer, SMB, and enterprise customers. These devices, along with QNAP video surveillance and network media player devices, all primarily run embedded Linux and are vulnerable to Shellshock without a patch. The way that the Bash vulnerability presents itself in these devices grants root privileges to attackers, and QNAP has warned users to completely disconnect systems from the Internet until they can patch the bug.

"We have evidence that attackers are actively exploiting the time-to-patch window and targeting embedded devices, specifically those made by QNAP, in order to append their SSH key to the authorized_keys file and install an ELF backdoor," the researchers wrote.

These attacks have so far been targeting QNAP NAS devices on networks associated with universities and research institutions in Japan and Korea, as well as an isolated case in the US. The attack attempts to instruct the target NAS to download a script that affects the device's startup environment to allow for future malicious updates, loads the malicious SSH key to allow for future password bypass, and then further cements itself with an ELF executable that gives the attacker shell access to the device and can be invoked in three different ways. FireEye warns that even if unpatched QNAP NAS devices are taken off the Internet, they could still be vulnerable to lateral attacks from inside a network.

Considering that NAS systems are used by consumers and organizations to store large amounts of data and to house databases, it is no wonder they're attracting Shellshock-armed attackers like flies to honey.

"This makes an NAS an attractive target for attackers given the broad types of data they handle," they said. "In this case, the attackers can gain full access the NAS contents as well as execute other commands."

According to  Jacob Holcomb, a researcher preparing to present at Black Hat Europe on NAS security, about half of NAS devices he's investigated can be taken over without authentication. A security analyst for Independent Security Evaluators, Holcomb recently uncovered 30 zero-day vulnerabilities in a dozen major NAS vendor products and roll them up into a proof-of-concept, self-replicating NAS worm. Holcomb believes that NAS devices can present a meaningful weakness for a number of types of attacks, including as a foothold for attackers to sprinkle infected files that could be used to send the attack to other devices on the network and as a control center for man-in-the-middle attacks against routers and network clients.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/2/2014 | 1:39:14 PM
Beyond QNAP?
NAS is a sizeable market with some well known players.  hope they are working fast and furious to close that time-to-patch window real soon.
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11997
PUBLISHED: 2021-01-19
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that co...
CVE-2020-27266
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy.
CVE-2020-27268
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy.
CVE-2020-27269
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures, which allows unauthenticated, physically proximate attackers to replay communication sequences vi...
CVE-2020-28707
PUBLISHED: 2021-01-19
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens fo...