In addition to vulnerabilities that have CVE IDs, critical NAS data is often exposed to the internet without any defenses, so it can easily be leaked through simple attacks that try random key combinations and likely passwords to log into a user’s account.
Apart from commercial NAS software, issues with free and open-source NAS software have also been increasing recently, and HFS HTTP File Server is one such case. Because it installs in a few clicks, accepts uploads by drag and drop, and shares files externally through a URL, HFS HTTP File Server has become common software for individuals and small enterprises alike. The image below shows HFS HTTP File Server running.
Over 1,500 HFS HTTP File Servers Exposed Worldwide
The fatal problem with HFS HTTP File Server is that, unlike Synology or QNAP, it does not require any authentication in its default state. This means that all of the files stored on such a server are accessible and downloadable by the public, which can lead to data leakage. Below is the result of searching for HFS port:8080 on Criminal IP, which lists globally exposed HFS servers. At the time of writing, over 1,500 servers were exposed externally.
We can also see that a myriad of files, such as Windows and mkv files, were exposed without any protection or encryption on numerous servers.
Exposed HFS HTTP File Server, a Source for Malicious Code Distribution
What makes this ongoing HFS server exposure more serious is that an exposed server can be used as a malicious code distribution site. An exposed HFS HTTP File Server can allow threat actors to hijack ownership of the server and inject malicious code.
Threat actors attack the server and pass off files that contain malicious code as legitimate. When users access another hacked site or click a URL in a phishing email, the attacker redirects them to the hacked server and tricks them into downloading malicious files.
According to Exploitware Labs, a malicious file, avp.exe, and a web shell, api.aspx, were found on a Chinese HFS HTTP File Server. Even though the file was flagged as malicious by nine antivirus engines on VirusTotal, it is still undetected in several countries, including South Korea. (Since this became known, all servers in China that distributed the malicious code have been closed or now require login authentication.)
How to Search Exposed HFS HTTP File Server on Criminal IP
Using the favicon filtering feature of Criminal IP’s Asset Search, you can find not only HFS HTTP File Servers that use port 8080 but those on other ports as well. You can find different types of HFS HTTP File Server by clicking the favicon pop-up in the search results or by typing the keyword “favicon: 7ea0af85” directly into Asset Search.
If you want to search only for Chinese HFS HTTP File Servers, you can add country:CN to the filter.
Using the same procedure, you can search for exposed HFS HTTP File Servers in various ways with the many available filters, as shown below.
You can use the country filter to search for data from any other country you want.
Inspecting Cyber Threats on File Servers
This issue troubles not only HFS servers but also other widely used NAS and file servers. Businesses and individuals should periodically check whether their file servers are exposed without any authentication and keep those servers safe from potential cyber threats.
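One way to run the periodic check recommended above against file servers you operate, as an added example that is not part of the original article or of Criminal IP's tooling: it requests the root page anonymously and reports whether the server asks for authentication. The function names, the classification heuristics and the sample responses are assumptions constructed for illustration.

```python
import http.client

def classify_response(status, headers, body):
    """Classify the answer a file server gives to an anonymous GET /."""
    names = {k.lower() for k in headers}
    text = body.lower()
    if status == 401 or "www-authenticate" in names:
        return "auth_required"
    if status in (301, 302, 303, 307, 308):
        return "redirect"  # usually a login page; confirm by hand
    if status == 200:
        # Heuristic (assumption): a password field means a login form,
        # links without one mean a browsable file listing.
        if 'type="password"' in text or "type='password'" in text:
            return "auth_required"
        if "<a href" in text:
            return "open_listing"
    return "other"

def audit(host, port=8080, timeout=5):
    """Request / from a server you operate and classify the response."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        return classify_response(resp.status, dict(resp.getheaders()), body)
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "open": (200, {"Content-Type": "text/html"},
             '<html><a href="/backup.zip">backup.zip</a></html>'),
    "basic_auth": (401, {"WWW-Authenticate": 'Basic realm="files"'}, ""),
    "login_form": (200, {}, '<form><input type="password" name="p"></form>'),
    "missing": (404, {}, ""),
}

def classify_samples():
    return {name: classify_response(*r) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

Call audit() from a scheduled job for each host in your own inventory and alert on any "open_listing" result.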
This article was written by drawing on data from Criminal IP, a cyber threat intelligence search engine. Create a free Criminal IP beta service account today to see the search results cited in the report and to search more extensive threat intelligence.