NAS devices have become an increasingly common way to store files and backups. As usage grows, NAS security issues, particularly with QNAP and Synology products, are being spotted more and more frequently.

Beyond vulnerabilities that have been assigned CVE IDs, critical NAS data is often exposed to the internet with no protection at all, so it can be leaked by simple attacks that try candidate passwords one after another until one logs into a user's account.

Apart from commercial NAS software, issues with free and open-source file server software have also been increasing recently; HFS HTTP File Server is one such case. With features like installation in a few clicks, drag-and-drop file upload, and external file sharing through a URL, HFS HTTP File Server has become common among individuals as well as small enterprises. The image below shows HFS HTTP File Server running.

Screenshot of when a HFS HTTP File Server is running


Over 1,500 HFS HTTP File Servers Exposed Worldwide

The fatal problem with HFS HTTP File Server is that, unlike Synology or QNAP, it requires no authentication in its default configuration. This means that every file stored on the server is accessible and downloadable by anyone, which can lead to data leakage. Below is the result of searching for "HFS port:8080" on Criminal IP to find HFS servers exposed globally. At the time of writing, over 1,500 servers were exposed to the internet.

Criminal IP search results for HFS servers exposed globally using the keyword “HFS port:8080”

We can also see that a myriad of files, such as Windows files and mkv files, were exposed on numerous servers without any protection or encryption.

Criminal IP search results for HFS File servers exposed externally

Criminal IP search results for HFS File servers exposed to the outside world

Exposed HFS HTTP File Server, a Source for Malicious Code Distribution

What makes this ongoing HFS server exposure more serious is that an exposed server can be turned into a malicious code distribution site. These exposed HFS HTTP File Servers can allow threat actors to hijack the server and inject malicious code.

Threat actors compromise the server and pass off files containing malicious code as legitimate. When users visit another hacking site or click a URL in a phishing email, the attacker redirects them to the compromised server and tricks them into downloading the malicious files.

According to Exploitware Labs, a malicious file named avp.exe and a web shell named api.aspx were found on a Chinese HFS HTTP File Server. Even though VirusTotal showed the file flagged as malicious by nine antivirus engines, it is still undetected in several countries, including South Korea. (Since this became known, all of the Chinese servers that distributed the malicious code have been closed or now require login authentication.)

Malicious code called avp.exe and a web shell called api.aspx were found on a Chinese HFS HTTP file server

avp.exe and api.aspx files diagnosed using VirusTotal


How to Search Exposed HFS HTTP File Server on Criminal IP

Using the favicon filter in Criminal IP's Asset Search, you can find not only HFS HTTP File Servers on port 8080 but also those running on other ports. You can find the different HFS HTTP File Server instances by clicking the favicon pop-up in the search results or by typing the keyword "favicon: 7ea0af85" directly into Asset Search.

Search results for exposed HFS HTTP File Servers on Criminal IP


If you want to search only for Chinese HFS HTTP File Servers, add country:CN to the filter.

Using the same procedure, you can search for exposed HFS HTTP File Servers in various ways with the many available filters, as shown below.

You can use the country filter to search for data from other countries that you want.

Inspecting Cyber Threats on File Servers

This issue does not affect only HFS servers but also other widely used NAS and file servers. Businesses and individuals should periodically check whether their file servers are exposed without any authentication and keep their servers safe from potential cyber threats.
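The periodic check recommended above, and the default-configuration problem described earlier (an HFS server that answers anonymous requests with a browsable directory listing), can be turned into a small self-audit script. The following is an added example written for this article; it is not code from the article, from Criminal IP, or from the HFS project. It assumes that a file server's root URL returns an HTML directory listing made of `<a href=...>` links when no authentication is configured, and that a server requiring credentials answers with 401/403, a `WWW-Authenticate` header, or a redirect to a login page. The sample responses, the `HFS 2.3m` Server header value and the `nas.example.internal` address are constructed placeholders.

```python
"""Anonymous-access audit for an HTTP file server (added example, not the article's code).

The check a defender wants is simple: does an unauthenticated GET to the server's
root come back with a challenge, or with a directory listing anybody can browse?
Everything below rests on two assumptions: HFS (and most file servers) answer the
root URL with an HTML page whose directory listing is a series of <a href=...>
links, and a server that wants credentials answers 401/403 or sends WWW-Authenticate.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# A directory listing is recognised by its file/folder links; two is the threshold
# used here so a page with a single "home" link is not mistaken for one.
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)
LISTING_MIN_LINKS = 2


@dataclass
class Finding:
    verdict: str   # auth-required | redirect | exposed-listing | reachable | http-NNN | unreachable
    server: str    # value of the Server header (or the error text when unreachable)
    links: int     # number of href links seen in the body


def classify(status: int, headers: dict, body: str) -> Finding:
    """Turn one HTTP response into a verdict. Pure function, so it is easy to test."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    server = hdrs.get("server", "")
    if status in (401, 403) or "www-authenticate" in hdrs:
        return Finding("auth-required", server, 0)
    if status in (301, 302, 303, 307, 308):
        # Typically a bounce to a login page; worth a manual look but not anonymous access.
        return Finding("redirect", server, 0)
    links = [h for h in HREF_RE.findall(body) if not h.startswith(("#", "javascript:"))]
    if status == 200 and len(links) >= LISTING_MIN_LINKS:
        return Finding("exposed-listing", server, len(links))
    return Finding("reachable" if status == 200 else f"http-{status}", server, len(links))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from silently following redirects, so a login bounce stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 5.0) -> Finding:
    """Issue a single unauthenticated GET to url and classify the answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "file-server-audit/1.0"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, dict(resp.headers.items()), body)
    except urllib.error.HTTPError as err:
        # 3xx (because of _NoRedirect) and 4xx/5xx both land here; still classify them.
        body = err.read(65536).decode("utf-8", "replace")
        return classify(err.code, dict(err.headers.items()), body)
    except (urllib.error.URLError, OSError) as err:
        return Finding("unreachable", str(err), 0)


# Constructed sample responses, shaped like the pages this article describes.
SAMPLE_LISTING = """<html><head><title>HFS /</title></head><body>
<a href="/backups/">backups/</a><br>
<a href="/customers.xlsx">customers.xlsx</a><br>
<a href="/movie.mkv">movie.mkv</a></body></html>"""

SAMPLE_LOGIN_PAGE = """<html><body><form method="post" action="/login">
<input name="user"><input name="pass" type="password"></form></body></html>"""


def demo() -> dict:
    """Run the classifier over the constructed samples; returns one verdict per scenario."""
    return {
        "listing": classify(200, {"Server": "HFS 2.3m"}, SAMPLE_LISTING).verdict,
        "challenge": classify(401, {"WWW-Authenticate": 'Basic realm="HFS"'}, "").verdict,
        "login-form": classify(200, {"Server": "nginx"}, SAMPLE_LOGIN_PAGE).verdict,
    }


if __name__ == "__main__":
    print(demo())
    # Placeholder address: replace with your own file server's URL before running.
    print(probe("http://nas.example.internal:8080/"))
```

Run `probe()` against your own server's external address from outside your network (or schedule it): an `exposed-listing` verdict means anyone on the internet can browse and download the files, which is exactly the state the Criminal IP results above show, while `auth-required` or `redirect` means a login stands in the way. The classifier is kept separate from the network call so the heuristics can be checked against saved responses without touching a live host.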

This article was written drawing on data from Criminal IP, a cyber threat intelligence search engine. Create a free Criminal IP beta service account today to see the search results cited in the report and to search more extensive threat intelligence.

Reference: ExploitWareLabs