{"id":3471,"date":"2014-12-29T16:07:20","date_gmt":"2014-12-29T16:07:20","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3471"},"modified":"2020-12-14T12:49:48","modified_gmt":"2020-12-14T17:49:48","slug":"shellshock-nastiness-a-worm-is-backdooring-storage-devices-using-bash-flaw","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/shellshock-nastiness-a-worm-is-backdooring-storage-devices-using-bash-flaw\/3471\/","title":{"rendered":"Shellshock NAStiness: a worm is backdooring storage devices using Bash flaw"},"content":{"rendered":"<p>The Shellshock bug has <a href=\"https:\/\/threatpost.com\/shellshock-worm-exploiting-unpatched-qnap-nas-devices\/109870\" target=\"_blank\" rel=\"noopener nofollow\">proved<\/a> to be \u201cwormable\u201d: a worm is exploiting vulnerable network attached storage devices (QNAP\u2019s, at least) and scanning for more potential victims. While it is not exactly a Christmas story, it is important nevertheless. Backdoored NAS devices can be used as a staging point for other types of attacks.<\/p>\n<p>The worm opens a backdoor on QNAP NAS devices, which are in \u201csignificant\u201d use worldwide. QNAP did release a patch for the Bash vulnerability in its Turbo NAS products, in October. That was somewhat late, given that Shellshock had been disclosed in late September, but it has been done. It is December now, and apparently there are still many vulnerable, i.e. unpatched, devices around. 
That may cost the businesses operating them a great deal.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>A #Shellshock-exploiting worm attacks NAS devices #enterprisesec<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FD6iT&amp;text=A+%23Shellshock-exploiting+worm+attacks+NAS+devices+%23enterprisesec\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>In fairness, applying Bash patches may be a chore. First, it is not apparent that a patch exists at all unless the device\u2019s admin console is opened. Second, patching requires a reboot, which may be a problem if the device is used as an iSCSI target in a virtual environment: all VMs have to be taken down or moved to a different device first, so some service disruption is almost inevitable.<\/p>\n<p>As we know, even the Linux distributions have had their own issues with the Bash patches. But it is possible, and necessary, to patch as soon as possible.<\/p>\n<p>The worm in question targets a QNAP CGI script, \/cgi-bin\/authLogin.cgi, which has been targeted by Shellshock exploits in the past, says Threatpost. The script can be accessed without authentication; the attackers in this case use it to launch a shell script capable of downloading additional malware.<\/p>\n<p>Backdooring this sort of device means that attackers gain a foothold in the targeted organization\u2019s infrastructure. 
Consequences may be unpleasant, to say the least: ransomware slithering in through such a backdoor is not just a plausible scenario, it has actually been observed before, on Synology NAS devices.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>QNAP\u2019s #NAS devices should be patched by hand or will be \u201cpatched\u201d by the worm #enterprisesec<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FD6iT&amp;text=QNAP%26%238217%3Bs+%23NAS+devices+should+be+patched+by+hand+or+will+be+%26%238220%3Bpatched%26%238221%3B+by+the+worm+%23enterprisesec\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>There are a couple of peculiarities to this worm. First, it apparently also launches a click-fraud script against the JuiceADV advertising network (money, always money). The script also creates a hidden directory where it stores the downloaded scripts and files. Once on a compromised machine, it sets the DNS server to 8.8.8.8, apparently so that its lookups bypass, and are not logged by, the local DNS server, and starts a second SSH server on port 26 in addition to the normal one on port 22. This is apparently done for persistence.<\/p>\n<p>But the most interesting thing is that the script also downloads and installs the <a href=\"https:\/\/www.kaspersky.com\/blog\/shellshock-how-to-check-and-update-potentially-vulnerable-systems\/15011\/\" target=\"_blank\" rel=\"noopener nofollow\">Shellshock<\/a> patch from QNAP (!), not out of kindness, but simply to keep other attackers from taking over the infected system.<\/p>\n<p>In a nutshell, the IT staff responsible for the security of these devices should apply the patches themselves, or a worm will do it. 
At a price.<\/p>\n<p>For more details visit <a href=\"https:\/\/threatpost.com\/shellshock-worm-exploiting-unpatched-qnap-nas-devices\/109870\" target=\"_blank\" rel=\"noopener nofollow\">this Threatpost article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Shellshock bug proved to be \u201cwormable\u201d, and is exploiting the vulnerable network attached devices (by QNAP at least), scanning for more potential victims. While it is not exactly a Christmas<\/p>\n","protected":false},"author":209,"featured_media":15798,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2272,2273,838],"class_list":{"0":"post-3471","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-nas","10":"tag-qnap","11":"tag-shellshock"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/shellshock-nastiness-a-worm-is-backdooring-storage-devices-using-bash-flaw\/3471\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/shellshock-nastiness-a-worm-is-backdooring-storage-devices-using-bash-flaw\/3471\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/shellshock-nastiness-a-worm-is-backdooring-storage-devices-using-bash-flaw\/3471\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/nas\/","name":"NAS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comme
nts?post=3471"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3471\/revisions"}],"predecessor-version":[{"id":38042,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3471\/revisions\/38042"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15798"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
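The indicators the post describes, turned into a small triage script. This is an added example, not code from the Kaspersky post, from Threatpost or from QNAP. It checks the local bash for Shellshock (CVE-2014-6271) with the well-known function-export probe, then looks for the two indicators the post names, a nameserver of 8.8.8.8 and an extra sshd on port 26, and finally lists executables under hidden directories because the post gives no path for the worm's directory. The resolv.conf and `ss -ltn` samples inside the block are constructed, and the allow-lists of resolvers and ports passed to the functions are assumptions an operator would replace with their own values. It is POSIX sh, so it can be run on the NAS itself or on any Linux host.

```sh
#!/bin/sh
# Added triage example for the indicators described in the post above.
# Not code from the Kaspersky post, Threatpost or QNAP. POSIX sh, so it runs
# on a QNAP NAS shell or on any Linux host. The allow-lists passed to the
# functions and the sample data at the bottom are assumptions / constructed.

# 1. Is the local bash still vulnerable to Shellshock (CVE-2014-6271)?
#    A vulnerable bash runs the command that follows the function body in an
#    exported environment variable; a fixed bash only defines the function.
#    Returns 0 if vulnerable, 1 if not, 2 if no bash is installed.
shellshock_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# 2. The worm repoints the device at 8.8.8.8 for DNS. Print every nameserver
#    in the given resolv.conf text that is not in the space-separated
#    allow-list of the organisation's own resolvers.
rogue_nameservers() {
    conf=$1
    allowed=" $2 "
    printf '%s\n' "$conf" | awk '$1 == "nameserver" { print $2 }' |
    while read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;
            *) printf '%s\n' "$ns" ;;
        esac
    done
}

# 3. The worm adds a second sshd on port 26 next to the normal one on 22.
#    Given `ss -ltn` (or `netstat -ltn`) output and a space-separated list of
#    ports that are supposed to listen, print the ports that should not be.
unexpected_listeners() {
    listeners=$1
    expected=" $2 "
    printf '%s\n' "$listeners" | awk '/LISTEN/ { print $4 }' | sed 's/.*://' |
    sort -u |
    while read -r port; do
        [ -n "$port" ] || continue
        case "$expected" in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# 4. The worm stores its payload in a hidden directory. The post gives no path,
#    so this lists executable files that sit under any dot-directory (or are
#    dotfiles themselves) below the given root, for manual review.
hidden_executables() {
    find "$1" -path '*/.*' -type f -perm -100 2>/dev/null | sort
}

# Constructed sample data (not captured from a real device).
SAMPLE_RESOLV='# resolv.conf as the worm leaves it (constructed)
nameserver 8.8.8.8
nameserver 192.0.2.53'

SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:26         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Demo run against the samples; on a real NAS feed it the live data instead:
#   rogue_nameservers "$(cat /etc/resolv.conf)" "192.0.2.53"
#   unexpected_listeners "$(ss -ltn)" "22 8080"
if shellshock_vulnerable; then
    echo "bash: VULNERABLE to CVE-2014-6271, patch before anything else"
else
    echo "bash: not vulnerable (or not installed)"
fi
echo "rogue nameservers:    $(rogue_nameservers "$SAMPLE_RESOLV" "192.0.2.53 192.0.2.54")"
echo "unexpected listeners: $(unexpected_listeners "$SAMPLE_LISTENERS" "22 8080")"
echo "hidden executables under ${1:-.} (first 20):"
hidden_executables "${1:-.}" | head -n 20
```

Against the constructed samples the script reports `8.8.8.8` as the rogue resolver and `26` as the unexpected listener. Note that the bash probe only tells you whether bash is patched; it says nothing about whether the device was already compromised, so the resolver, listener and hidden-directory checks matter even on a patched NAS, which is exactly the state the worm leaves behind after installing QNAP's patch itself.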