Malware Infects 70% of Seagate Central NAS Drives, Earns $86,400

An anonymous Slashdot reader writes: A new malware family has infected over 70% of all Seagate Central NAS devices connected to the Internet. The malware, named Miner-C or PhotoMiner, uses these hard-drives as an intermediary point to infect connected PCs and install software that mines for the Monero cryptocurrency... The crooks made over $86,000 from Monero mining so far.

The hard drives are easy to infect because Seagate does not allow users to delete or deactivate a certain "shared" folder when the device is exposed to the Internet. Over 5,000 Seagate Central NAS devices are currently infected.
Researchers estimates the malware is now responsible for 2.5% of all mining activity for the Monero cryptocurrency, according to the article. "The quandary is that Seagate Central owners have no way to protect their device. Turning off the remote access NAS feature can prevent the infection, but also means they lose the ability to access the device from a remote location, one of the reasons they purchased the hard drive in the first place."

BUILD your own NAS

[stikves]

It is not difficult to setup http://www.freenas.org/ on a small server machine, and benefit from FreeBSD security with no (known) backdoor accounts. If you're really serious get a proper NAS motherboard with ECC RAM (if you're not using ECC RAM, then it means you're not very serious with your data anyways), which won't cost you more than $500 with the case and the PSU.

Of course if you're unable or unwilling to secure your box, accept that anything on the Internet is wide open, and buy (rent) online storage from Amazon, Box, or somewhere similar. Amazon gives free unlimited backup account with prime (which is around $99)

Re:BUILD your own NAS

[jtmach]

Amazon gives free unlimited backup account with prime (which is around $99)

I checked on this because I it sounded too good. Here's what I found.

Your Amazon Prime membership comes with Amazon Prime Photos, unlimited photo storage and 5 GB for videos, music, and other files.

Unlimited backup of any files is $60 a year.

Re:Really?

[damn_registrars]

Once again, exposing various things directly to the Internet is a Bad Thing.

Indeed it is, but it likely isn't really exposed "directly to the Internet". More likely it runs some service through a Seagate server that makes it available (likely by default, no less). After all, this is designed for home users and how many home users even would know how to modify their router's default rules to expose a specific port on a specific system to the internet?

claiming device owners "have no way to protect their device" is bullshit.

Well, if the first thing it does out of the box is call home to Seagate to give owners remote access to their files through the magical Seagate cloud, then the statement might be pretty darned accurate. These drives most likely default to getting addresses by DHCP on the user's network, and the user most likely gets their outside address by DHCP from their ISP. These hackers likely aren't finding these drives to be exposed directly, but rather to be exposed via Seagate. And considering the (lack of) quality that is Seagate these days, the drives probably have some terrible default password as well that makes it trivially easy for a hacker to get in.

Re: Silly Suits

There's a culture of insecurity at Seagate's NAS unit.

Some years ago, we (not a security or IT firm) reported some issues with their web interface. Basically there was a public (no authentication needed) PHP script in the directory used to serve the web admin interface which ran arbitrary commands from the URI as wheel. That could be used to reset the admin password, load and run arbitrary code, load an entire hostile OS for the NAS, etc.

Support didn't understand the issue, and security ignored it as being too difficult to exploit in practice. We soon pointed out to Seagate and some friendly media that there were hundreds of these exploitable Seagate NAS boxes indexed on Google, including Organizations working in charitable and vulnerable sectors, and that we would be contacting Seagate's customers about the issue.

They still didn't admit that there was an issue, but their next 'firmware' update addresses the issue by requiring a password to run arbitraty commands from the URI. The passwors was the same for all devices and was stored in a plaintext file in the same publicly accessible directory.

We stopped using Seagate products altogether after that experience.