UPDATE October 3, 2014: QNAP has issued patches for the Bash vulnerability, you can download them over here.
IT World writes hackers are using the "Shellshock" Bash vulnerability to gain access to QNAP NAS devices in universities in the US, Japan and Korea. All QNAP network-attached storage devices are vulnerable to CVE-2014-6271, one of the six recently discovered security flaws in the GNU Bash. Security firm FireEye writes hackers are targeting NAS devices because these would be desirable targets that can contain sensitive, interesting or valuable information. In related news, it was also discovered earlier this week that OpenVPN servers are vulnerable to Shellshock, under certain configurations. Due to the broad scope of the vulnerability, it's expected that many more attacks will follow.
The attackers were taking advantage of a publicly disclosed security weakness in which the web servers embedded in the devices manufactured by QNAP have administrative privileges by default, researchers for FireEye said Wednesday.
Once attackers compromise the server and get these privileges, they have full control of the device.
"They (QNAP) acknowledged this particular vulnerability on their website," Josh Gomez, security researcher at FireEye, said.
Knowing the vulnerability existed; the attackers scanned the devices for Shellshock and downloaded malware using autostart script provided by the manufacturer, James Bennett, threat researcher for FireEye, said. The script is used to have programs start automatically.