Thousands of Seagate Central network-attached storage (NAS) devices have been found hosting cryptocurrency mining malware called Miner-C, which turns them into repositories used to infect other devices. According to researchers at Sophos, the malicious software, which was first identified in June, quietly infects victims' computers and allows a hacker to covertly mine a cryptocurrency called Monero.
Although the researchers note that the threat does not target the Seagate Central device specifically, the device does have a design flaw that allows an attacker to upload malicious files to any device enabled for remote file access. The Seagate Central devices include a publicly accessible folder which cannot be deleted or deactivated.
To carry out the breach, the attacker uses a file called Photo.scr, disguised to look like a standard Windows folder icon. However, when a user accidentally clicks on the malicious file, their system is infected with the Monero mining malware that uses misconfigured FTP servers on Seagate Central devices to spread.
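The two conditions described above, a publicly writable share and a Photo.scr dropper sitting in it, are both things an owner can check for on their own device. The following is an added example, not code from the article or from Sophos: it parses a unix-style FTP directory listing and flags `.scr` files and the Photo.scr name, and it tests whether an FTP server accepts an anonymous upload by storing and then deleting a random-named marker file. The hostname `nas.example.internal` and the sample listing are constructed placeholders.

```python
"""Added example (not from the article or Sophos): a defender's check for the
two conditions the article describes on a Seagate Central / FTP share:
anonymous write access, and a Photo.scr-style dropper in the public folder.
The hostname and the listing lines below are constructed."""
import ftplib
import io
import re
import secrets

# File names and extensions the article associates with the Miner-C dropper.
# A .scr "screensaver" is an executable on Windows, whatever icon it shows.
DROPPER_NAMES = {"photo.scr"}
SUSPICIOUS_EXTENSIONS = {".scr"}

# Unix-style FTP LIST line: perms, links, owner, group, size, month, day, time-or-year, name
LIST_RE = re.compile(
    r"^(?P<perms>[-dl][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\w{3}\s+\d{1,2}\s+[\d:]{4,5}\s+(?P<name>.+)$"
)

# Constructed listing resembling the public folder of a Seagate Central share.
SAMPLE_LISTING = [
    "drwxr-xr-x 1 ftp ftp 0 Jun 01 12:00 Public",
    "-rw-r--r-- 1 ftp ftp 1376256 Jun 01 12:01 Photo.scr",
    "-rw-r--r-- 1 ftp ftp 20480 Jun 02 09:15 holiday.jpg",
]


def parse_list_line(line):
    """Return (name, size, is_dir) for one LIST line, or None if it does not parse."""
    m = LIST_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), int(m.group("size")), m.group("perms").startswith("d")


def flag_listing(lines):
    """Return the file names in a LIST output that look like the dropper."""
    flagged = []
    for line in lines:
        parsed = parse_list_line(line)
        if parsed is None:
            continue
        name, _size, is_dir = parsed
        if is_dir:
            continue
        lower = name.lower()
        dot = lower.rfind(".")
        ext = lower[dot:] if dot != -1 else ""
        if lower in DROPPER_NAMES or ext in SUSPICIOUS_EXTENSIONS:
            flagged.append(name)
    return flagged


def anonymous_write_enabled(host, timeout=10):
    """Test whether your own FTP server accepts an anonymous upload.

    Stores a tiny random-named marker and removes it again. Returns True when
    the anonymous upload succeeds, False when login or the upload is refused.
    """
    marker = f"write-check-{secrets.token_hex(4)}.tmp"
    try:
        ftp = ftplib.FTP(host, timeout=timeout)
        ftp.login()  # anonymous login, no credentials
    except ftplib.all_errors:
        return False
    try:
        ftp.storbinary(f"STOR {marker}", io.BytesIO(b"write-check"))
    except ftplib.all_errors:
        return False
    else:
        try:
            ftp.delete(marker)  # clean up the marker we just wrote
        except ftplib.all_errors:
            pass
        return True
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass


if __name__ == "__main__":
    print("flagged files:", flag_listing(SAMPLE_LISTING))
    NAS_HOST = "nas.example.internal"  # assumed placeholder for your own device
    print("anonymous write enabled:", anonymous_write_enabled(NAS_HOST))
```

Point the listing check at the share's actual LIST output (for example `ftp.retrlines("LIST", lines.append)`) rather than the constructed sample; an anonymous-write result of True on a device exposed to the internet is the misconfiguration the article describes and is the setting to turn off.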
"Since it generates a new initialisation file when it is launched, it helps the malware avoid security solutions," Attila Marosi, a senior threat researcher at Sophos, wrote. "It also gives the botnet operators a chance to change the payload of the threat in the future, for example, dropping ransomware to the victim's machine after the mining business is no longer profitable."
In the first six months of 2016, the security firm has seen around 1.7 million Mal/Miner-C detections from around 3,000 different IP addresses. Marosi also noted that 2.1 million IP addresses were found to be actively hosting FTP servers, of which 7,263 had write access enabled and 5,137 were contaminated with Mal/Miner-C.
As Bitcoin becomes increasingly difficult to mine compared with newer cryptocurrencies, Marosi says cybercriminals have opted for other digital currencies that are "new, profitable and significantly less difficult to mine", such as Monero. Marosi estimates that hackers have raked in around €76,000 (£64,000) using the malware.
"More than 70% of the servers where write access was enabled had already been found, visited and 'borrowed' by crooks looking for innocent-sounding repositories for their malware," Marosi wrote. "If you've ever assumed that you're too small and insignificant to be of interest to cybercriminals, and thus that getting security settings right is only really for bigger organisations, this should convince you otherwise. Very bluntly put, if you're not part of the solution, you're very likely to become part of the problem."