Hello, welcome to the Wednesday, November 28, 2018 edition of the Sansa and at Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier today is taking a look at an obfuscated bash script that a reader found on a compromised Q QNAP storage device. These type of storage devices

are always in the crosshairs of attackers because typically there's quite a bit of data on them,

also some reasonable processing power for crypto coin mining. And then of course they tend to be

one of these devices that are often forgotten when it comes to patching.

Also not necessarily that easy to patch because you have to reboot the device, which then breaks any links of any shared files or so that may be in use on the device.

Now one thing that makes this script a little bit special is that it's actually obfuscated.

In many cases, scripts copied to these devices are not obfuscated.

So reverse analysis is usually not all that difficult.

Now, in the end, what this particular script is doing is pretty standard.

It's setting up back doors.

It's also setting up a backdoor admin account and then does some brute forcing.

Not 100% clear how this particular script ended up on the device as in what vulnerability

was used to copy it, but often it's just a simple as H password

or a vulnerability in one of the many web applications that are typically running on these

devices. Over the last couple years, systems like Let's Encrypt have substantially lowered the bar needed to get

an HTTP website.

And of course, that not only made it easier for the good guys to set up HDPS, but also

for the bad guys.

So it's not only the majority of good websites that are taking advantage of, HTTP, but also about half of fishing sites

according to Fish Labs are now taking advantage of HTTP.

...