Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

New Wave of Data-Destroying Ransomware Attacks Hits QNAP NAS Devices (arstechnica.com) 23

Network hardware-maker QNAP is urging customers to update their network-attached storage devices immediately to protect them from a new wave of ongoing ransomware attacks that can destroy terabytes of data in a single stroke. From a report: Singapore-based QNAP said recently that it has identified a new campaign from a ransomware group known as DeadBolt. The attacks take aim at QNAP NAS devices that use a proprietary feature known as Photo Station. The advisory instructs customers to update their firmware, suggesting there is a vulnerability that's under exploit, but the company makes no explicit mention of a CVE designation that security professionals use to track such security flaws.
This discussion has been archived. No new comments can be posted.

New Wave of Data-Destroying Ransomware Attacks Hits QNAP NAS Devices

Comments Filter:
  • Hmmm, which one did it?
  • No CVE (Score:5, Interesting)

    by Fallen Kell ( 165468 ) on Wednesday September 07, 2022 @03:28PM (#62860525)

    suggesting there is a vulnerability that's under exploit, but the company makes no explicit mention of a CVE designation

    In other words, we are aware of the vulnerability (probably have been for a while), and didn't want to report it and make it official because we were not aware of any attacks to be able to exploit it deeming it too complex or low likely, and thought we could quietly fix it without letting the entire world know that we had such a flaw, but were caught with an active attack and now need to let people know of the issue....

    That probably sums it up better.

    • Caught with their pants down, and fumbling to get them back up.

    • Re:No CVE (Score:4, Informative)

      by coofercat ( 719737 ) on Thursday September 08, 2022 @10:05AM (#62863045) Homepage Journal

      QTS (Qnap's "OS") is a massive, massive product - it's got about a zillion features, apps, "stations" and "centers" in a confusing array of menus - all implemented as a windowing desktop (in a browser). The attack surface is therefore, pretty expansive. This rash of vulnerabilities won't end any time soon. Anyone with a qnap in any sort of public or semi-public setting probably wants to reconsider their architecture.

      FWIW, on mine, I've removed just about every "station" or other app that I don't desperately need - and still, there's an update waiting for me in the "update center" just about every time I log on to the thing. Like Microsoft, updates sometimes include a whole load of new functionality too, so I have to keep going in and cutting back the sprawl of apps I'll never use. Never buying another qnap - they're too much work.

  • QNAP even went so far off the deep end as to delete all the BIOS updates from thier downloads.... you can't even update your NAS BIOS/UEFI.

    I've been in a week long back and forth trying to get a BIOS update.. when previously it was a simple download.
  • by williamyf ( 227051 ) on Wednesday September 07, 2022 @03:40PM (#62860553)

    Many moons ago, long before I bought my first NAS in 2016 (DS1515+), Synology suffered a wave of hacker attacks.

    Their reaction was to hunker down, and improve/harden the security of all their SW stack. The most user visible fruits of that effort are the "Synology Antivirus Essential" and the "Synology Security Advisor"

    The Antivirus is configured by default to scan the NAS' urdenlying OS (Linux) for viruses and threats, is based on the FOSS ClamAV (there are other antivirus options). The security advisor reviews the configuration of the synology security-wise and points out any mistaked you may have made, along with ways to rectify them.

    That, coupled with a general hardening of their software, means that attacks on synology are less common nowadays.

    I sincereley hope that QNAP can follow those steps.

    PS: The general consensus of the Intewebs (which coincides with my opinion) is that with QNAP most of the buck you pay goes to the HW you receive, and with Synology, most of the buck you pay goes to the SW. This string of attacks seems to be a consequience of the different mentalities of both companies...

    • by tlhIngan ( 30335 )

      PS: The general consensus of the Intewebs (which coincides with my opinion) is that with QNAP most of the buck you pay goes to the HW you receive, and with Synology, most of the buck you pay goes to the SW. This string of attacks seems to be a consequience of the different mentalities of both companies...

      Odd, since QNAP and Synology are considered to be the top tier NAS manufacturers out there - if you want a no-nonense NAS you opt for one or the other. The other NAS offerings are typically wannabe offering

    • by AmiMoJo ( 196126 )

      Maybe the best option is to buy the QNAP hardware but run TrueNAS on it. Best of both worlds.

      TrueNAS lets you run other open source stuff like Duplicati for backups.

    • by spads ( 1095039 )
      Interesting. I was recently reflecting on how pleased I was (LOVE IT!) with my Synology, after looking carefully at both of them a couple years ago. The thing that ultimately swayed me was that QNAP might have you locked into their hardware if your NAS should fail for some reason, whereas Synology drives could be plugged in somewhere else. That was enough for me. Mine is performing very well, though haven't replaced or added any drives up to now.
  • How does this Deadbolt ransomeware compromise the devices in the first place? A misconfigured web service? Never connect your confidential servers to a web service /s

    "For People Already Affected by The Ransomware - Deadbolt [reddit.com]

    Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively.

    Change web server ports Default ports are 80 and 443."
  • by nuckfuts ( 690967 ) on Wednesday September 07, 2022 @03:51PM (#62860581)
    Although the Photo Station app is installed by default, it is easily turned off if you don't use it. Also, the vulnerability is mainly of concern to anyone who chose to expose the Photo Station app onto the Internet. (That is, setup some kind of port forwarding on their router).
    • Isn't something installed by default that can be turned off an opt-out problem, if anything?

      • Isn't something installed by default that can be turned off an opt-out problem, if anything?

        Good point. I was thinking more about the choice to forward ports through one's router.

    • by luca ( 6883 )
      No, a colleague has been infected and he had no open ports to the nas, he exclusively used myQNAPcloud.
      • No, a colleague has been infected and he had no open ports to the nas, he exclusively used myQNAPcloud.

        Interesting. That's not what QNAP is saying in their advisory [qnap.com], which refers to "exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet".

  • by NimbleSquirrel ( 587564 ) on Wednesday September 07, 2022 @05:02PM (#62860765)

    Deadbolt is not new. They have known about it since early this year.

    Back in February QNAP pushed an update to QNAP devices, completely unannounced. Many users reported failed updates lost data and/or bricked some units as a result.

    A lot of users, myself included, had specifically disabled automatic updates but QNAP was somehow able to push out the update anyway. This, more than DeadBolt itself, annoyed me the most. If QNAP could bypass users to install updates (regardless of whether automatic updates had been sneakily re-enabled in a prior update, or of QNAP had some method) then I could no longer trust them on my network or with my data. I pulled the NAS, built a new server, and have repurposed the NAS hardware for something else with a new OS (the hardware itself is still pretty good).

    The fact that DeadBolt is still an issue for QNAP after seven months just tells me I was completely justified to ditch them when I did.

  • by suss ( 158993 )

    Looks like Zyxel [securityweek.com] has a vulnerability too...

  • No such troubles, just keep the distro updated and do the standard hardening. Of course, it takes more space, but on the plus side, I can also use it as firewall and I can put in whatever disks I like.

Where there's a will, there's an Inheritance Tax.

Working...