With the growing need for efficient file handling and backup storage, Network Attached Storage (NAS) has emerged as a widely adopted solution. However, this increased usage has also brought attention to significant security issues surrounding NAS, particularly concerning popular products like QNAP and Synology.
Besides the vulnerabilities identified with CVE IDs, NAS systems also face a significant risk where critical data is left exposed to the internet without adequate defense mechanisms. This leaves them susceptible to simple attacks that employ random key combinations and potential passwords to gain unauthorized access to user accounts.
In addition to concerns surrounding commercial NAS software, there has been a notable rise in issues related to free and open-source NAS software, including the HFS HTTP File Server. This software has gained popularity among individuals and small enterprises due to its user-friendly features, such as easy installation, drag-and-drop file uploading, and the ability to share files externally via URL. The image below displays the HFS HTTP File Server in operation.

Screenshot of an HFS HTTP File Server in operation
Over 1,500 HFS HTTP File Servers Exposed Worldwide
The HFS HTTP File Server presents a severe vulnerability compared to products like Synology or QNAP, as it does not require any authentication by default. This means that all files stored on the server are readily accessible and downloadable to the public, posing a significant risk of data leakage. To illustrate the extent of this issue, a search conducted on Criminal IP using HFS port 8080 revealed that over 1,500 servers were externally exposed at the time of writing.

Criminal IP search results for globally exposed HFS servers using the keyword “HFS port:8080”
Furthermore, it is evident that many files, including Windows and MKV files, were exposed without any form of protection or encryption on numerous servers.

Exposed HFS file server detected on Criminal IP

Exposed HFS Servers Exploited as Malware Distribution Points
What makes this ongoing HFS server exposure more serious is that the servers could be used as malicious code distribution sites. Exposed HFS HTTP File Servers can allow threat actors to hijack ownership of the servers and inject malicious code.
Exploitware Labs discovered malicious code, avp.exe, and a webshell, api.aspx, on a Chinese HFS HTTP File Server. Despite being identified as malicious by nine antivirus programs on VirusTotal, it remains undetected in several countries, including South Korea. (Since this became known, servers distributing malicious code in China have either been shut down or require login authentication.)

Malicious code called avp.exe and a web shell called api.aspx were found on a Chinese HFS HTTP file server

VirusTotal diagnosis of the malicious code avp.exe and webshell file api.aspx
How to Search Exposed HFS HTTP File Server on Criminal IP
In addition to the HFS HTTP File Servers that use port 8080, you can also find HFS servers using different ports by utilizing the favicon filter of Criminal IP. You have two options to search for different types of HFS HTTP File Servers: hover over the HFS server’s favicon and click on the popup menu for search, or you can directly enter the keyword “favicon: 7ea0af85” into Asset Search. Both methods allow you to discover various forms of HFS servers.

Search results for exposed HFS HTTP File Servers on Criminal IP

If you want to search only for Chinese HFS HTTP File Servers, you can add country:CN to the filter.
Using the same procedures, you can search for exposed HFS HTTP File Servers in various ways using abundant filters, as shown below.
You can utilize the country filter to search for data specifically from other countries of your choice.
Check Your File Servers for Cyber Threats
This issue affects not only HFS servers but also other widely used NAS or file servers. Therefore, it is crucial for businesses and individuals to regularly check whether their file servers are exposed without authentication and to ensure server safety against potential cyber threats.
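One way to run this check against file servers you operate, as an added example that is not part of the original report or of Criminal IP: it requests the server root without credentials and classifies the answer. The markers used to recognise HFS (a `Server: HFS ...` header or an `HFS_SID` cookie) are assumptions to adjust to your deployment, and the sample responses are constructed.

```python
import urllib.error
import urllib.request


def classify(status, headers):
    """Classify one HTTP response received WITHOUT sending credentials.

    Assumption: HFS identifies itself with a "Server: HFS ..." header or an
    "HFS_SID" session cookie. Adjust these markers to match your servers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    is_hfs = (h.get("server", "").lower().startswith("hfs")
              or "hfs_sid" in h.get("set-cookie", "").lower())
    if not is_hfs:
        return "not-hfs"
    if status in (401, 403):
        return "hfs-auth-required"   # login is enforced on the root folder
    if status == 200:
        return "hfs-open-listing"    # files are listed to anyone who asks
    return "hfs-other"


def probe(url, timeout=5):
    """Fetch url (a server you operate) without credentials and classify it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:      # 401/403 arrive as HTTPError
        return classify(err.code, dict(err.headers.items()))
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "default install": (200, {"Server": "HFS 2.3m"}),
    "login enabled": (401, {"Server": "HFS 2.3m",
                            "WWW-Authenticate": 'Basic realm="files"'}),
    "other web server": (200, {"Server": "nginx"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name:18} -> {classify(status, headers)}")
    # For a live check, call probe() on each URL in your own asset inventory
    # and treat every "hfs-open-listing" result as a finding to remediate.
```
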
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Reference: ExploitWareLabs