No fewer than 70 percent of internet-connected Seagate NAS hard drives have been compromised by a single malware program. That’s a pretty startling figure. Security vendor Sophos says the bitcoin-mining malware Miner-C is the culprit.
I’m surprised this story hasn’t garnered more attention. Perhaps it’s because we’re talking only 7,000 hard drives possibly in total, or perhaps it’s because the mainstream media doesn’t understand what NAS means. Either way, it has colossal implications. Apparently, storage admins:
- Aren’t very diligent about scanning for malware
- Fail to change default NAS passwords
- Allow direct connections to their huge network storage arrays without another authentication requirement
- Put their companies at risk of attack by malicious intruders
More to the point, this attack means that over the last 13 years we’ve learned nothing. We are no more prepared for a bad malware outbreak than before. We’re lucky that Miner-C program is only a bitcoin miner. It’s bad. It’s unethical. It’s illegal. But it’s not intentionally killing data and bringing down businesses.
Unfortunately, the minimal effort expended by Miner-C attackers to break into Seagate NAS software is identical to that needed by those wielding a highly malicious program. In fact, hackers reading about this particular attack could use the exact same tricks to bring those companies down. Ransomware, anyone?
If I were a ransomware maker and read that many of the world’s hard drives were unprotected, including those at large companies, the first thing I’d do is recode my ransomware to take advantage of it.
Of course, anyone who falls victim to ransomware should be able to restore the data from the latest known good backup and call it a day without paying the ransom -- except that, uh-oh, even corporations often lack good backups. If they can’t prevent malware from infecting hard drives, are we supposed to believe they actually have good backups?
It doesn’t stop with Seagate NAS
When you see a major instance of any type of vendor-specific exploitation, one of the first questions to ask is how many other similar products could be impacted. News of this Seagate hack didn’t alarm me because 70 percent of 7,000 Seagate hard drives were involved -- it was the realization that many other hard drives arrays have the same issues. They're connected to the internet, allow remote connections, come with default passwords, and so on.
Even “little data” needs to be concerned. A lot of small businesses are eating up “consumer level” NAS devices that have the same feature sets. The customer plugs them in and forgets they connect to the internet and have default passwords that need to be changed. They have no idea that they are running little computers exposed to the internet. They will have no idea when those hard drive arrays become compromised -- until the attacker decides to do something more malicious than generate bitcoins with them.
Besides, we’re really talking about much more than storage arrays. We’re talking every internet-connected device running an embedded computer. It’s the internet of things, wireless routers, security cameras, and more. Most of these items run unpatched versions of insecure software -- software that would be very insecure even if fully patched -- accessible to the internet. I would venture to guess that a lot of us are unintentionally hosting massive bot net nodes because we really don’t know what’s running on those devices.
How to protect yourself
The list of how to protect your company from these sorts of threats simply reflects all the best practices you should have already been following, including:
- Install latest security patches, including latest firmware
- Change default passwords
- Don’t allow regular, unauthenticated connections from the internet
- Make sure you have regular, confirmed offline backups of all your critical data
- Plan ahead for how your company would respond if its data was deleted or held for ransom
Seagate NAS devices are canaries in the coalmine. What the Seagate story tells me is that the professionals who are supposed to be minding the store aren’t minding the store. If they aren’t doing what they should be doing, then the rest of the world -- whose primary job isn’t to provide safe and reliable data storage -- is faring far worse. I bet a 70 percent infection rate wouldn’t be the highest infection rate if we were to do a massive internet-connected inventory.
Whenever I look at today’s internet-connected world, I realize that the security problems and risks are far worse and far more pervasive than anything I could have predicted 10 years ago. We’ve not only failed to make our internet lives safer, we haven’t fixed any of the problems and behaviors we’ve known about for decades.