Hello and welcome to the Wednesday, May 1st, 2020, 4 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Came across yet another attack against NAS devices today. This time the target is Sychcel NAS 326. Interesting that this is a little bit

an older vulnerability. It was first described, including a proof of concept. Late last year,

I think it was November. And I haven't really seen any exploit attempts for this vulnerability so far,

but yes, we are seeing exploit attempts now.

So far just from one IP address and it's attempting to download then a script and run it.

Sadly, haven't been able yet to recover this particular script that is being

attempted to be uploaded here.

Could be that they only really make it accessible to IP addresses to which they just

attempted to upload the script too.

So there could be some firewall blocking going on there, or maybe we are a little bit too late here

since this started a couple days ago, and this malicious second stage was already removed.

And again, there's an older vulnerability, so hopefully you got their systems already patched

for this particular problem, actually. Two different problems that sort of contribute here to it.

The reason it sort of stuck out to me a little bit when I saw it was the odd URL

format, where it's slash CMD comma, and then the remainder of the URL.

It's a post request, and then the actual the actual payload looks like it's sort of trying to

install some kind of package here and then passing the standard command injection this

additional payload parameter. And if you ever talk to a data scientist, a lot of their work, in particular when it comes

to machine learning, of course these days AI, well, that is often done using the language

R.

...