Researchers reports on an in the wild exploitation of a vulnerability in QNAP NAS devices. This vulnerability was not publicly reported on prior to these findings. The vulnerability exploited exists in the CGI program used when users log out of the QNAP NAS device. By exploiting the vulnerability, attackers are able to gain unauthenticated remote code execution capabilities. In this campaign, the remote code execution capabilities are used to download a payload using wget. Based on current observations, the researchers have been unable to identify the ultimate goal of the attackers as further malware is not installed at this time. Two additional files were discovered on the server hosting the payload currently being downloaded. Specifically, they are two text files, one containing 2 lines of seemingly random text and the other being a bash reverse shell script. The server was found to be running SSH, Metasploit, Apache httpd, and other services.
Remote code execution