Shellshock Attacks Hit Major NAS Kit; IoT Next?

Security experts are warning that businesses running Internet of Things (IoT) devices could be next in the firing line after discovering what they claim to be the first Bash bug attack aimed at Network Attached Storage systems.

FireEye threat researchers James Bennett and J Gomez claimed they spotted attacks attempting to exploit the Bash remote code injection vulnerability against targets in Japan and Korea, and one in the US.

The attacks gave the hackers a root level remote shell, effectively giving them full access to the contents of the NAS, they said in a blog post.

“NAS systems are used by enterprises to store large volumes of files and house databases, as well as by consumers for personal storage,” they added.

“This makes an NAS an attractive target for attackers given the broad types of data they handle. In this case, the attackers can gain full access the NAS contents as well as execute other commands.”

The attacks in question were launched against popular NAS maker QNAP, which makes personal and business network storage and video surveillance systems for a wide variety of industries.

The firm said in an update that it had now released a patch to fix the issue.

However, the attack could mean other embedded Linux OS devices left unpatched are next in line for the Shellshock hackers, FireEye warned.

“Based on the sheer number of devices which run an embedded Linux OS and the time-to-patch window, we feel the potential for widescale compromise of network-connected personal and business data storage systems is very high at this time,” Bennett and Gomez added.

“As many smart- or connected-devices utilize similar set-ups, this represents one of the first in the wild Shellshock attack against IoT-type devices.”

The Bash bug or Shellshock vulnerability rocked the information security world when it went public last week.

Soon after it was disclosed, security vendors began reporting various attacks in the wild exploiting the vulnerability, resulting in DDoS attacks, malware droppers, data exfiltration, backdoors and more.

It had been claimed that Shellshock may not be as serious as Heartbleed in that there may be complex and varied exploitation paths for each application, making it less attractive and more time consuming for hackers to develop specific exploits.

What’s Hot on Infosecurity Magazine?