Attackers worm their way into QNAP NAS devices through Shellshock hole

A worm intent on creating surreptitious backdoors is actively being used to compromise unpatched QNAP network-attached storage (NAS) systems around the world by exploiting the GNU Bash Shellshock vulnerability, SANS ISC CTO Johannes Ullrich warned on Monday.

“The attack targets a QNAP CGI script, “/cgi-bin/authLogin.cgi”, a well known vector for Shellshock on QNAP devices. This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware,” he explained in a post.

The attack results in a click fraud script being installed, exfiltration of yet unidentified files, the creation of an additional admin user which counts as a backdoor into the system, modification of DNS server settings, as well as in the download and installation of QNAP’s Shellshock patch (probably to keep other attackers out). According to Ullrich, infected devices have been observed scanning for other vulnerable devices.

QNAP Systems has issued a patch for the Shellshock bug in October, but there are apparently many sysadmins that haven’t yet implemented it, possibly because they didn’t know about it, and the patch is not applied automatically.

“Bugs are constantly found and fixed in the wild, but it’s still up to system administrators to keep things secure and up to date,” commented Jon French, security analyst at AppRiver.

“Many things can come in to play with why a system would still be unpatched for a well-known bug. Things like not knowing about the vulnerability to begin with, not knowing a system was running vulnerable software, or just human error of forgetting to update a system. I’m sure there are many servers out there on the internet that are still vulnerable to much older problems that are easily fixed. And we’ll probably continue to see this sort of behavior happen in the future with new and unknown bugs.”

“A lot of it comes down to human error of just not taking care of servers properly. With most new bugs found, there is almost always a quick workaround and an official patch to follow shortly. But it’s up to an administrator to stay on top of it and be aware of the problem to begin with. No one wants to find themselves a victim of something that could have been prevented by an update or changing a setting.”

Throughout November 2014, the most used vulnerability in attack campaigns against web applications was Shellshock,” noted Barry Shteiman, director of security strategy, Imperva. “It makes perfect sense for hackers to have some appetite for storage systems, at the end – that’s were unstructured data resides.”

“Hackers realize that not everyone patches and those who do often skip a patch due to compatibility issues and others. If hackers can use a dated vulnerability that cost them nothing, and still break into systems – they will, and they do,” he pointed out. “I believe that we will see Shellshock exploitation attempts even a year from now.”