Menu
Shellshock attacks target QNAP's network storage, FireEye says

Shellshock attacks target QNAP's network storage, FireEye says

A backdoor gives hackers full control over the NAS device, according to the security vendor

If a Shellshock attack against a QNAP device is successful, a shell script is downloaded that gives attackers persistent access, FireEye said.

If a Shellshock attack against a QNAP device is successful, a shell script is downloaded that gives attackers persistent access, FireEye said.

FireEye has detected Shellshock attacks against network-attached storage devices made by Taipei-based QNAP and used by universities and research institutes in Korea, Japan and the U.S.

The security vendor said the attacks are some of the first seen using Shellshock targeting embedded Linux, which QNAP's devices run, James T. Bennett and J. Gomez of FireEye wrote in a blog post on Wednesday.

"These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS," they wrote.

QNAP's storage products are used for a variety of applications, including professional video surveillance systems using IP cameras.

Shellshock is a two-decades-old flaw in Bash, a command-line shell processor present in most Unix and Linux systems. Its discovery last week has set off a scramble to assess the potential risk, as it is easy to exploit and gives attackers full control over a vulnerable server.

QNAP warned on Sunday that its Turbo NAS products were vulnerable, advising administrators to disable Web administration, Web server, WebDAV and other applications and services that use a Web-based interface.

FireEye said taking that precaution may not mitigate the threat, as attackers could find another vulnerable entry point into an organization's systems and laterally move in order to find a NAS device.

The attack tries to get NAS devices to download a script from a remote server. That script then uploads an SSH (secure shell) key to the local authorized_keys file, which allows the hackers to log in without a password in the future, FireEye wrote.

Also installed is an ELF executable, which is a Linux backdoor that provides shell access. FireEye said that file is named "term_x86_64" or "term_i686." The servers hosting the malware are in the U.S. and Korea.

In some instances, the backdoor listens for a connection on port 58273. The backdoor serves up a shell if a packet is sent with the text "IAMYOURGOD," FireEye wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securityFireEyeExploits / vulnerabilitiesmalware

Featured

Slideshows

Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
Show Comments