Hackers hit Seagate NAS devices with cryptomining malware

Thousands of Seagate Central NAS devices have been found to harbour crypto-currency mining software known as Miner-C.

According to researchers at Sophos, the malware doesn't infect the NAS drives but instead uses them as a repository to infect other devices.

The attack is not specific to the Seagate Central device but hackers have used a particular security vulnerability on these devices to plant the malware bait and estimate that 70 percent of devices worldwide are infected.

The malware has been around since June but is now targeting Seagate Central devices, putting a copy of itself onto publicly accessible folders. The NAS devices contain a public folder that is accessible to all, even anonymous users. The folder also can't be deleted or deactivated.

Hackers copy a file called Photo.scr, which has been disguised to appear as a standard Windows folder icon. When clicked, this then installs a cryptocurrency mining application on a target PC. The malware doesn't run on the NAS itself.

The malware then uses the target PC to mine a crypto-currency called Monero. The virus also has a modular framework and has a distinctive way of loading its configuration file.

“Since it generates a new initialization file when it is launched, it helps the malware avoid security solutions. It also gives the botnet operators a chance to change the payload of the threat in the future, for example, dropping ransomware to the victim's machine after the mining business is no longer profitable," said Attila Marosi, a senior threat researcher at Sophos in a blog post.

Miner-C uses misconfigured FTP servers on Seagate Central devices to spread. The researchers found 7263 Seagate Central devices which were acting as active servers with write access enabled – and 70 percent, or 5137 devices, were infected.

In total, hackers have managed to make the equivalent of €76,000 (£64,000) thanks to the malware. Marosi said that the criminals may have chosen Monero as Bitcoin has become progressively harder to mine than newer crypto-currencies on the block.

Jonathan Sander, VP of Product Strategy at Lieberman Software, told that Seagate NAS devices may not have been as secure as some others, but “Are we sure people were applying the firmware updates from the manufacturer that may have helped?”

“Did they change the default password that came with the device? If they are like most people, then we know they didn't because most people aren't proactive about security – especially on the consumer level. There may be blame for the manufacturer, but we better be very careful of our glass walls as we hurl our poor security accusation rocks at others,” he said.

Gavin Millard, EMEA technical director at Tenable Network Security, told SC what is particularly fascinating about the malware is the ease it can upload its payload via the public share and display a “photos” folder a user would click without taking a second glance.

“Once clicked, the malware will install on the target system and start mining for crypto-currency, earning a small profit for cyber-criminals,” he said.

Robert Page, lead penetration tester at Redscan, told SC that default account credentials such as ‘Admin' and ‘Guest' in embedded devices are common and users should be careful to check for the existence of such accounts before deploying a device on their network.  

“Users of Seagate devices, in particular, should exercise caution by disabling remote access to their device from the internet and avoid clicking on any unknown or suspicious zip files such as Photo.scr and,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.