Shellshock attacks target QNAP's NAS boxes, FireEye says

QNAP TurboNAS TS-251
Credit: Michael Homnick

FireEye has detected Shellshock attacks against network-attached storage devices made by Taipei-based QNAP and used by universities and research institutes in Korea, Japan and the U.S.

The security vendor said the attacks are some of the first seen using Shellshock targeting embedded Linux, which QNAP’s devices run, James T. Bennett and J. Gomez of FireEye wrote in a blog post on Wednesday.

“These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS,” they wrote.

QNAP’s storage products are used for a variety of applications, including professional video surveillance systems using IP cameras.

Further reading: Safe from Shellshock: How to keep your home computer safe from the Bash shell bug

Shellshock is a two-decades-old flaw in Bash, a command-line shell processor present in most Unix and Linux systems. Its discovery last week has set off a scramble to assess the potential risk, as it is easy to exploit and gives attackers full control over a vulnerable server.

QNAP warned on Sunday that its Turbo NAS products were vulnerable, advising administrators to disable Web administration, Web server, WebDAV and other applications and services that use a Web-based interface.

FireEye said taking that precaution may not mitigate the threat, as attackers could find another vulnerable entry point into an organization’s systems and laterally move in order to find a NAS device.

The attack tries to get NAS devices to download a script from a remote server. That script then uploads an SSH (secure shell) key to the local authorized_keys file, which allows the hackers to log in without a password in the future, FireEye wrote.

Also installed is an ELF executable, which is a Linux backdoor that provides shell access. FireEye said that file is named “term_x86_64” or “term_i686.” The servers hosting the malware are in the U.S. and Korea.

In some instances, the backdoor listens for a connection on port 58273. The backdoor serves up a shell if a packet is sent with the text “IAMYOURGOD,” FireEye wrote.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.