Seagate NAS boxes found hosting cryptocurrency mining malware

Thousands of publicly accessible FTP servers, including Seagate network-attached storage drives, have been found to be under the control of hackers who use them to host cryptocurrency mining malware.

Experts from security firm Sophos discovered the problem while examining a malicious program dubbed Mal/Miner-C, which infects Windows computers and hijacks their CPUs and GPUs to generate Monero, a bitcoin-inspired cryptocurrency.

With most cryptocurrencies, users can generate new units by devoting their computing resources to solving the complex math problems needed to validate transactions on the network. This process, called "mining," gives hackers an incentive to take over other people's computers.

Bitcoin mining malware has circulated on the internet for several years, but as the cryptocurrency's network grew, mining became more difficult, and using personal computers, which have limited computing resources, stopped being profitable. Some malware developers, like those behind Mal/Miner-C, have turned to newer cryptocurrencies such as Monero, which are easier to mine.

The Sophos experts found that Mal/Miner-C has no automatic infection mechanism and instead relies on users to run the malicious program.

Attackers scan for FTP servers that are accessible from the internet and try to log in with weak credentials or anonymous accounts. If this succeeds, they confirm that they have access to the server and copy the malware into all of the available directories.

This explains why Sophos counted more than 1.7 million Mal/Miner-C detections over the past six months from about 3,000 systems. Most of the compromised systems were FTP servers containing multiple copies of the malware in different directories.

The experts used an internet scanning engine named Censys to identify public FTP servers that allow anonymous access with write privileges. They found 7,263 such servers and discovered that 5,137 of them had been infected with Mal/Miner-C.

Another discovery was that many of those FTP servers were running on Seagate Central NAS devices. While the malware does not specifically target such devices, Seagate Central's configuration makes it easier for users to expose insecure FTP servers to the internet.

The Sophos experts said in a paper released Friday that the Seagate Central NAS system provides a public folder for sharing data by default. This public folder cannot be disabled, and if the device administrator enables remote access to the device, it becomes accessible to anyone on the internet, they said.

The FTP servers under the control of Mal/Miner-C contain two files, one of them named Photo.scr. Photo.scr is a Windows executable file, but its icon mimics a legitimate Windows folder to trick unsuspecting users into accidentally executing it.
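
The replication pattern described above (the same `.scr` executable copied into every writable directory) can be checked for on a mounted NAS share. The following is an added example, not code from Sophos or from the article; the function names, the two-directory threshold and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

def find_scr_executables(root):
    """Map lower-cased file name -> paths of .scr files starting with the PE 'MZ' magic."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scr"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    magic = fh.read(2)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if magic == b"MZ":
                hits[name.lower()].append(path)
    return dict(hits)

def sprayed(hits, min_dirs=2):
    """Names found in at least min_dirs distinct directories (threshold is an assumption)."""
    return {n: p for n, p in hits.items()
            if len({os.path.dirname(x) for x in p}) >= min_dirs}

def build_sample_share(root):
    """Constructed sample tree: harmless 2-byte stubs, not real malware."""
    for sub in ("", "Music", os.path.join("Photos", "2016")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "Photo.scr"), "wb") as fh:
            fh.write(b"MZ")
    with open(os.path.join(root, "Music", "notes.scr"), "wb") as fh:
        fh.write(b"plain text")  # .scr extension, but not an executable

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for name, paths in sprayed(find_scr_executables(share)).items():
            print(f"{name}: {len(paths)} copies")
            for p in sorted(paths):
                print("  ", p)
```

To audit a real device, pass the mount point of the share to `find_scr_executables` instead of the constructed temporary tree.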

