Malware Infects 70% of Seagate Central NAS Drives, Earns $86,400

An anonymous Slashdot reader writes: A new malware family has infected over 70% of all Seagate Central NAS devices connected to the Internet. The malware, named Miner-C or PhotoMiner, uses these hard-drives as an intermediary point to infect connected PCs and install software that mines for the Monero cryptocurrency... The crooks made over $86,000 from Monero mining so far.

The hard drives are easy to infect because Seagate does not allow users to delete or deactivate a certain "shared" folder when the device is exposed to the Internet. Over 5,000 Seagate Central NAS devices are currently infected.
Researchers estimates the malware is now responsible for 2.5% of all mining activity for the Monero cryptocurrency, according to the article. "The quandary is that Seagate Central owners have no way to protect their device. Turning off the remote access NAS feature can prevent the infection, but also means they lose the ability to access the device from a remote location, one of the reasons they purchased the hard drive in the first place."

Silly Suits

[Tablizer]

Put an un-updatable OS on a harddrive, Brilliant!

Re: Silly Suits

There's a culture of insecurity at Seagate's NAS unit.

Some years ago, we (not a security or IT firm) reported some issues with their web interface. Basically there was a public (no authentication needed) PHP script in the directory used to serve the web admin interface which ran arbitrary commands from the URI as wheel. That could be used to reset the admin password, load and run arbitrary code, load an entire hostile OS for the NAS, etc.

Support didn't understand the issue, and security ignored it as being too difficult to exploit in practice. We soon pointed out to Seagate and some friendly media that there were hundreds of these exploitable Seagate NAS boxes indexed on Google, including Organizations working in charitable and vulnerable sectors, and that we would be contacting Seagate's customers about the issue.

They still didn't admit that there was an issue, but their next 'firmware' update addresses the issue by requiring a password to run arbitraty commands from the URI. The passwors was the same for all devices and was stored in a plaintext file in the same publicly accessible directory.

We stopped using Seagate products altogether after that experience.

That's not even the worst part

[damn_registrars]

The worst part of the story is that the HDD is made by Seagate and won't last more than 13 months regardless. The users think they bought a good network drive, until they go to retrieve their files and discover the drive has already bought the farm.

Re: That's not even the worst part

[BenJeremy]

An improved turd is still a turd. Not trusting Seagate... they once had a good reputation, then they bought Maxtor and apparently ditched all the Seagate side of the drive engineering and manufacturing in favor of Maxtor, because that was the exact moment their products went to complete shit.

I have purchased quite a few Seagate drives in the past 6 years, and all of them are now dead - most before they were online for 3 years. The first couple I figured were flukes... and there were always decent deals on Seagate externals; but no deal is worth it, not with these crap drives.

Re: That's not even the worst part

[hairyfeet]

Well the rumor that was going around on the builders forums at the time (they even had lists of serials to tell the difference between "Seagate" drives and "Maxgate" drives) is that when Seagate bought Maxtor they got a REALLY cheap ARM HDD controller from Maxtor...how cheap? So cheap they could build 4 of them for the price of a single Seagate controller. Now what company wouldn't want to drop the price on a major part by 75%?

The catch was this controller is buggy as fuck, especially if it gets hot. If you keep the drive super cool? It works fine, if the drive gets hot? It loses its little mind and forgets the HDD geometry and will slam the head because it doesn't know where the drive starts and ends. My own tests seem to back this up as I've had zero issues with Maxgate drives I put in a big old ATX case I have at the shop with a couple of 240mm fans front and back to push away any heat generated but if I put a Maxgate into a small PC box without a ton of fans? Its gonna fail, and the hotter the case the quicker the fail.

Re:That's not even the worst part

[Solandri]

Most of Seagate's poor reputation is due to a couple bad drive models from around 2010. Their current lineup has above-average reliability (WD's is worse).

I've actually been steering people away from WD drives lately. They've started adding very aggressive head parking timeouts to their firmware. So far, I know all their laptop drives and their 3.5" green drives are affected. I'm starting to suspect their 3.5" blue drives are as well. The drive's built-in firmware will park the heads after about 10 seconds of inactivity. Windows seems to consider pagefile access to be critical priority. So if you have a pagefile on the drive and it parks the heads, the next time Windows tries to access the pagefile the entire OS will freeze for a fraction of a second as it waits for the heads to unpark. I've helped "fix" dozens of cases of microstuttering in games caused by this. (Move the pagefile off the drive, or disable the drive's APM if it's your only drive.)

BUILD your own NAS

[stikves]

It is not difficult to setup http://www.freenas.org/ on a small server machine, and benefit from FreeBSD security with no (known) backdoor accounts. If you're really serious get a proper NAS motherboard with ECC RAM (if you're not using ECC RAM, then it means you're not very serious with your data anyways), which won't cost you more than $500 with the case and the PSU.

Of course if you're unable or unwilling to secure your box, accept that anything on the Internet is wide open, and buy (rent) online storage from Amazon, Box, or somewhere similar. Amazon gives free unlimited backup account with prime (which is around $99)

Re:BUILD your own NAS

[jtmach]

Amazon gives free unlimited backup account with prime (which is around $99)

I checked on this because I it sounded too good. Here's what I found.

Your Amazon Prime membership comes with Amazon Prime Photos, unlimited photo storage and 5 GB for videos, music, and other files.

Unlimited backup of any files is $60 a year.

Re:Really?

[damn_registrars]

Once again, exposing various things directly to the Internet is a Bad Thing.

Indeed it is, but it likely isn't really exposed "directly to the Internet". More likely it runs some service through a Seagate server that makes it available (likely by default, no less). After all, this is designed for home users and how many home users even would know how to modify their router's default rules to expose a specific port on a specific system to the internet?

claiming device owners "have no way to protect their device" is bullshit.

Well, if the first thing it does out of the box is call home to Seagate to give owners remote access to their files through the magical Seagate cloud, then the statement might be pretty darned accurate. These drives most likely default to getting addresses by DHCP on the user's network, and the user most likely gets their outside address by DHCP from their ISP. These hackers likely aren't finding these drives to be exposed directly, but rather to be exposed via Seagate. And considering the (lack of) quality that is Seagate these days, the drives probably have some terrible default password as well that makes it trivially easy for a hacker to get in.

Re:Funny how Slashdot users are okay with criminal

[Tablizer]

The criminals are in shady and desperate corners of the world and it's unlikely we can do much about them. Control what you can control; though, and don't do known risky things.

Re: Really?

This.

I have one of these devices. The first thing that must be done is to create an account on thw Seagate server. All account creation and password changes go through their server.

The devicw itself is utter crap. Linux OS with an NTFS formatted. The transfer speed using ethernet is comparable to dialup.

Stay away from anything Seagate / NAS. Waste of money.

Re:IoT

sed s/"IoT//g

Any device, be it IoT, a client, server, network device, or anything has this problem. In my experience, security is perceived to have no ROI, so at best it gets lip service, at worse, it is obviously ignored. I have seen "encryption" where all zeroes were used as AES keys for all operations, 4096 bit keys that were really sixty-four, 64-bit RSA keys (really giving 70 bits of security), tons of added stuff, no OS firewalling, disinterest in any updates, locking down firmware where no updates can be performed (this is extremely routine, because it adds planned obsolesce, and companies have zero responsibility to provide them, even if there is a major, show-stopper bug.)

The best device on the Internet is no device. Next to that, it is having devices placed between hardened firewalls, only communicating to a few machines, real secure mechanisms for updates [1], and so on. Ideally devices should communicate to a hardened hub, and the hub handles everything else.

[1]: Back in the 1990s, RSA was not prevelant, so motherboard makers actually had to use real security. No motherboard flashing could be done until a physical switch was flipped. This may not be possible for all devices, but it should be considered part of the flashing process, to stop rogue firmware "upgrades."

Re:Really?

[arth1]

Claiming they lose the ability to access the device from a remote location if they turn off the remote access feature is also bullshit. Just VPN in, or enable read-only FTP, or any of a number of other different options.

Re:Funny how Slashdot users are okay with criminal

[mlts]

The criminals are virtually untouchable:

1: They are likely in countries of the world that have zero interest in turning them over for justice. In fact, they may be regarded as folk heroes or equivalents of Robin Hood, taking money from corporations or countries and bringing it to the region.

2: They are likely using employees to do the dirty work, with plenty of anonymity between them and the higher ups.

3: Malware can be traced, and a lot of people suggest origin, but code can be edited and spread anywhere in the world, so code that originally came from Latveria can be used and abused by people from Lower Elbonia, and if distribution is done, the whitehats may never know the real origin.

4: Compromising an endpoint isn't too difficult these days. If someone hacks a wi-fi router and compromises a home computer, all it takes is deleting the offending stuff securely, and that becomes a dead end.

5: For every one criminal, there are others behind them.

6: LEOs have many cases on their hands. It might be doubtful they may have the resources to handle anything but the big names, so chasing after every bad guy would be about as fruitful as chasing every pot smoker in the US.

Going after criminals is nice, but that is a game of whack-a-mole. Unfortunately, computer security is a defensive war, but there are useful tools on the whitehat end which can help mitigate attacks.

Long term, it may not be something is wanted in any shape or form, but I think what may end up happening is that countries themselves will demand control of the routers that go from one nation to another and enforce rules there. China has that, Iran is building it, and other countries are looking into blocking at their virtual borders, just like physical borders. It might be a token thing now, but as time goes on and money is put into it, it may become something all countries have in place, just so another country that has IP ranges that are hotspots for attack are blocked there, so every single Internet entity in the nation wouldn't have to deal with them.

Re:IoT

[the_Bionic_lemming]

back into the 1990's there was pretty much no worries about security.

And the motherboards didn't have anything baked into them because of hackers.

There were no switches. Unless you are talking about the jumpers so you should of said jumpers to actually prove what you were talking about. There were no internet based hacks that required jumper use to repair in the 1990's.

Re:IoT

[shione]

"Because Windows has a bad habit of hiding file extensions, whenever the device owner accesses their NAS, they see this file as a folder, fooled by the fake icon." - http://news.softpedia.com/news...

So part of the problem is windows too. Hiding file extensions and allowing scripts to be run without confirmation. That's the same rubbish which made macro viruses so rampant in msoffice formats.

Laws

[bestweasel]

Are there no laws to force electronic manufacturers to fix these devices, in the same way that other manufacturers are forced to fix faults? Cyber security is supposed to be really important now with important people forming important committees and yet insecure devices are being sold, not fixed and not recalled even after manufacturers have been informed of their failings.

It seems rather lopsided when a hacker is sent to jail for poking holes in an insecure voting website but Seagate can just throw their hands in the air and say, hey, these thousands of devices are nothing to do with us now. How many compromised devices are funding terrorism and other criminal activity? Maybe ISIS are mining these coins.

Re:IoT

I like my ASRock motherboards, there is a physical switch that makes it boot up from the primary bios or the backup bios. Overwriting the Backup requires intentionally telling the Bios to overwrite the backup. You can flip the switch and make it boot from the backup and it can overrite the primary. You can't screw this up.

Also you can't flash the bios in Windows 10. You can however tell the bios to update the bios over the internet.

Now, why this is relevant. I had a Gigabyte motherboard last time around, it flashed itself to death. Because of issues with the CPU it would occasionally boot up and malfunction, and try to recover by copying the backup to the primary and rebooting. This happened enough times that it eventually bricked itself.

But you're right, the correct mechanism is to make it so that the BIOS/Firmware on a hardware product has a mechanical switch thrown to enable this. I've bricked 2 WRT54G's due to bad firmware, and they could have been salvaged if they had a backup firmware that could be switched to. Certain devices are more susceptible to being damaged, with wireless routers being at the top of the list. All those need to be overwritten is for a rogue access client to tell it to reboot and accept a TFTP firmware most of the time. When I first moved to this city, I found open wireless access points with no password set on the admin panel, I told those devices to update the firmware and then logged back in, set an admin password, then wiped the access log. This was more than 12 years ago.

More to the point however, IPv6 is supposed to give every device a real world ip address, no more NAT bullshit. Unfortunately IoT devices are often setup with no security because otherwise they can't be setup at all.

This reminds me of back in the early days of cable modems before routers were standard, If you connected a Windows XP machine to a cable modem, you were infected with malware within minutes. Not enough time to download any patches. Even with Windows 95 and 98 (remember "back oriface" ?) the kiddies were getting any machine connected to the same ISP infected, or bumping users off that they didn't like, stealing their passwords and so forth.

It's like nobody wanted to learn anything from 20 years ago with this "assume some idiot is going to plug this device right into an internet-facing device" problem that was pretty much everywhere.

For IoT things, the best thing to do is have two firmwares, (oh but that costs a few more pennies) one to boot if DHCP reveals a non-routable ip address (eg 192.168.x.x) and one to boot if ipv4 or ipv6 show routable ip addresses, with the latter making sure that it doesn't have "default" settings like admin/password accounts setup.

Is it worth of it ?!?

[ctrl-alt-canc]

I was considering that, after all, they earned (ahem...) up to now "only" 86,400 USD. To do this probably more than one people was involved, so halving as a mininmum the income for each person taking part to the dirty work. Since by doing this these people demonstrated some good programming and organizing skills, why didn't they put their skills for good use working as a consultant or starting a software company ? I know, you have to deal with IRS, balances, maybe PHBs, and all the bureaucracy that affects good companies. On the other side, if you get caught your work is rapidly destroyed, and if identified you get a fine, maybe some jail or probation time, and you are known forever as a bad guy. Is it really worth of it ?