Thousands of Seagate NAS boxes host cryptocurrency mining malware

If configured for remote access, the devices expose a writable FTP directory to the Internet that attackers can abuse

Thousands of publicly accessible FTP servers, including many from Seagate network-attached storage devices, are being used by criminals to host cryptocurrency mining malware.

Researchers from security vendor Sophos made the discovery when they investigated a malicious program dubbed Mal/Miner-C, which infects Windows computers and hijacks their CPUs and GPUs to generate Monero, a bitcoin-inspired cryptocurrency.

With most cryptocurrencies, users can generate new units by devoting their computing resources to solving complex math problems needed to validate transactions in the network. This process, known as "mining," provides an incentive for attackers to hijack other people's computers and use them for their own gain.

Bitcoin mining malware used to be widespread some years ago, but as the cryptocurrency's network grew, mining became more difficult and using personal computers, which have limited computing resources, stopped being profitable. Some malware writers, like those behind Mal/Miner-C, have now turned their attention to newer cryptocurrencies, like Monero, that are easier to mine.

The Sophos researchers found that Mal/Miner-C does not have an automatic infection mechanism and instead relies on users to execute the malicious program. As such, it is distributed via downloads through compromised websites, but also through open FTP servers.

Attackers scan for FTP servers that are accessible from the internet and attempt to log in with default and weak credentials or with anonymous accounts. If successful, they verify that they have write access on the server and copy the malware in all of the available directories.

This explains why Sophos counted more than 1.7 million Mal/Miner-C detections over the past six months from about 3,000 systems. Most of the affected systems were FTP servers that hosted multiple copies of the malware in different directories.

The researchers used an internet scanning engine called Censys to identify public FTP servers that allow anonymous access with write privileges. They found 7,263 such servers and determined that 5,137 of them had been contaminated with Mal/Miner-C.

Another interesting discovery was that many of those FTP servers were running on Seagate Central NAS devices. While this malware threat does not specifically target such devices, it turns out that Seagate Central's configuration makes it easier for users to expose insecure FTP servers to the Internet.

By default, the Seagate Central NAS system provides a public folder for sharing data, the Sophos researchers said in a paper published Friday. This public folder cannot be disabled and if the device administrator enables remote access to the device, it will become accessible to anyone on the Internet, they said.

FTP servers that have been compromised by Mal/Miner-C contain two files, called Photo.scr and Photo.scr is a Windows executable file, but its icon masquerades as that of a Windows folder to trick users into accidentally executing it.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags nascrypto currenciesBitcoin

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?