Do you use a Seagate Central network-attached storage (NAS) device? You might be affected by this issue.
Seagate’s NAS devices, if configured for remote access, expose a writable FTP directory to the Internet that attackers can abuse.
You are not the only one. Many publicly accessible FTP servers, including the ones on Seagate’s NAS devices, have been targeted by criminals to host cryptocurrency mining malware.
This was discovered by researchers from the security company Sophos, who named the malware Mal/Miner-C. It is designed to infect Windows-based computers and hijack their CPUs and GPUs in order to generate Monero, which is a bitcoin cryptocurrency variant.
In other words, the attackers use the resources of the infected machines. Like most cryptocurrencies, Monero needs computing power to perform complex math, a process called “mining”. The attackers hijack devices and computers and use them for their own gain.
A few years back, Bitcoin mining malware was rampant. But as the years went by and Bitcoin’s network grew, mining became harder for the bad guys. It stopped being a profitable venture for them, so they turned to newer cryptocurrencies like Monero, which seem easier for them to mine.
Sophos researchers found that Mal/Miner-C does not spread automatically. It relies on users to execute the code. The attackers also distribute it through compromised websites and open FTP servers.
Hackers patiently scan for FTP servers that are accessible via the Internet and try to log in using default and weak credentials, and even attempt to log in using anonymous accounts. Once they succeed and obtain write access, they copy the malware to all available directories.
“Sophos counted more than 1.7 million Mal/Miner-C detections over the past six months from about 3,000 systems. Most of the affected systems were FTP servers that hosted multiple copies of the malware in different directories.”
The researchers used an internet scanning engine called Censys to identify public FTP servers that allow anonymous access with write privileges. They found 7,263 such servers and determined that 5,137 of them had been contaminated with Mal/Miner-C.
This led to their discovery that a large number of those FTP servers were running on Seagate Central NAS devices. On further research, they found that the malware itself does not specifically target or single out these devices; rather, it was the Seagate Central configuration that made it easier for insecure FTP servers to be exposed over the Internet.
A public folder for sharing data is turned on by default on the Seagate Central NAS. This folder cannot be disabled if the administrator enables remote access to the device, which makes it accessible to anyone online.
Take note of this:
“FTP servers that have been compromised by Mal/Miner-C contain two files, called Photo.scr and info.zip. Photo.scr is a Windows executable file, but its icon masquerades as that of a Windows folder to trick users into accidentally executing it.”
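As an added example (not from Sophos or Seagate), the following Python sketch shows how an administrator could sweep a mounted NAS share for the two file names quoted above, and for any other `.scr` file that is really a Windows executable. The function names and the sample directory tree are assumptions made for illustration; the sample files are harmless constructed stand-ins.

```python
import os
import tempfile

# File names the page reports on compromised FTP servers.
INDICATOR_NAMES = {"photo.scr", "info.zip"}

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def scan_share(root):
    """Walk a share and return a sorted list of (relative_path, reason)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()  # match regardless of case
            if lower in INDICATOR_NAMES:
                findings.append((rel, "name matches reported indicator"))
            elif lower.endswith(".scr") and is_pe(full):
                findings.append((rel, "screensaver file is a Windows executable"))
    return sorted(findings)

def build_sample_share(root):
    """Constructed sample tree: harmless stand-in files, no real malware."""
    layout = {
        "Public/Photo.scr": b"MZ" + b"\0" * 16,
        "Public/info.zip": b"PK\x03\x04",
        "Public/Music/photo.SCR": b"MZ" + b"\0" * 16,
        "Public/Docs/holiday.scr": b"MZ" + b"\0" * 16,
        "Public/Docs/notes.txt": b"hello",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for rel, reason in scan_share(tmp):
            print(f"{rel}: {reason}")
```

A name match alone is only a lead: the same pair of files appearing in many directories of one share is the pattern the quote describes.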