New Wave of Data-Destroying Ransomware Attacks Hits QNAP NAS Devices (arstechnica.com)
Network hardware-maker QNAP is urging customers to update their network-attached storage devices immediately to protect them from a new wave of ongoing ransomware attacks that can destroy terabytes of data in a single stroke. From a report: Singapore-based QNAP said recently that it has identified a new campaign from a ransomware group known as DeadBolt. The attacks take aim at QNAP NAS devices that use a proprietary feature known as Photo Station. The advisory instructs customers to update their firmware, suggesting there is a vulnerability that's under exploit, but the company makes no explicit mention of a CVE designation that security professionals use to track such security flaws.
Competitor or Ex-Employee (Score:2)
No CVE (Score:5, Interesting)
suggesting there is a vulnerability that's under exploit, but the company makes no explicit mention of a CVE designation
In other words, we are aware of the vulnerability (probably have been for a while), and didn't want to report it and make it official because we were not aware of any attacks able to exploit it, deeming it too complex or unlikely, and thought we could quietly fix it without letting the entire world know that we had such a flaw, but were caught with an active attack and now need to let people know of the issue....
That probably sums it up better.
Re: No CVE (Score:2)
Caught with their pants down, and fumbling to get them back up.
Re: (Score:2)
Yeah, it's enough to make you think about wearing a kilt when engaged in that sort of exercise.
Re:No CVE (Score:4, Informative)
QTS (Qnap's "OS") is a massive, massive product - it's got about a zillion features, apps, "stations" and "centers" in a confusing array of menus - all implemented as a windowing desktop (in a browser). The attack surface is, therefore, pretty expansive. This rash of vulnerabilities won't end any time soon. Anyone with a qnap in any sort of public or semi-public setting probably wants to reconsider their architecture.
FWIW, on mine, I've removed just about every "station" or other app that I don't desperately need - and still, there's an update waiting for me in the "update center" just about every time I log on to the thing. Like Microsoft, updates sometimes include a whole load of new functionality too, so I have to keep going in and cutting back the sprawl of apps I'll never use. Never buying another qnap - they're too much work.
Updates... (Score:2)
I've been in a week long back and forth trying to get a BIOS update.. when previously it was a simple download.
Long time ago, synology had these problems too (Score:4, Informative)
Many moons ago, long before I bought my first NAS in 2016 (DS1515+), Synology suffered a wave of hacker attacks.
Their reaction was to hunker down, and improve/harden the security of all their SW stack. The most user visible fruits of that effort are the "Synology Antivirus Essential" and the "Synology Security Advisor"
The Antivirus is configured by default to scan the NAS' underlying OS (Linux) for viruses and threats, and is based on the FOSS ClamAV (there are other antivirus options). The security advisor reviews the configuration of the synology security-wise and points out any mistakes you may have made, along with ways to rectify them.
That, coupled with a general hardening of their software, means that attacks on synology are less common nowadays.
I sincerely hope that QNAP can follow those steps.
PS: The general consensus of the Interwebs (which coincides with my opinion) is that with QNAP most of the buck you pay goes to the HW you receive, and with Synology, most of the buck you pay goes to the SW. This string of attacks seems to be a consequence of the different mentalities of both companies...
Re: (Score:2)
Odd, since QNAP and Synology are considered to be the top tier NAS manufacturers out there - if you want a no-nonsense NAS you opt for one or the other. The other NAS offerings are typically wannabe offerings.
Re: (Score:3)
Maybe the best option is to buy the QNAP hardware but run TrueNAS on it. Best of both worlds.
TrueNAS lets you run other open source stuff like Duplicati for backups.
Re: (Score:1)
Deadbolt-infected QNAP devices (Score:2)
"For People Already Affected by The Ransomware - Deadbolt [reddit.com]
Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively.
Change web server ports Default ports are 80 and 443."
It's largely an opt-in problem (Score:3)
Re: (Score:2)
Re: (Score:2)
Isn't something installed by default that can be turned off an opt-out problem, if anything?
Re: (Score:2)
Isn't something installed by default that can be turned off an opt-out problem, if anything?
Good point. I was thinking more about the choice to forward ports through one's router.
Re: It's largely an opt-in problem (Score:1)
Doesn't it automatically forward the ports?
The vast majority of routers in people's homes have UPnP enabled by default so that devices can forward the incoming ports that they need. NAT is not meant to be a firewall.
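The comment above makes the point that a UPnP-enabled router will open inbound ports on request, so a NAS can end up "directly connected to the Internet" without anyone having forwarded a port by hand; the earlier recovery advice quoted from reddit lists the ports involved (HTTP/HTTPS 8000/8001, web server 80/443). As an added example that is not part of this thread or of any QNAP tooling, the following Python script walks the port-mapping table of a UPnP Internet Gateway Device (the standard WANIPConnection GetGenericPortMappingEntry action) and flags any mapping that lands on one of those NAS ports. It assumes you already know the router's WANIPConnection control URL (taken from the router's UPnP device description, or from a tool such as upnpc); SSDP discovery is deliberately left out. The watch list, the SSH port 22, and the sample SOAP responses are constructed for the example.

```python
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

# Ports treated as NAS management ports. 80/443 and 8000/8001 come from the
# recovery advice quoted in the thread; 22 (SSH) is an added assumption.
WATCH_PORTS = {80, 443, 8000, 8001, 22}

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"

# SOAP request for the n-th port-mapping entry, as defined by the UPnP IGD spec.
_SOAP_BODY = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body><u:GetGenericPortMappingEntry xmlns:u="%s">'
    '<NewPortMappingIndex>%d</NewPortMappingIndex>'
    '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
)

# Constructed sample responses (not captured from a real router) used for testing.
CONSTRUCTED_RESPONSE = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="' + SERVICE + '">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>8001</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>8001</NewInternalPort>'
    '<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>NAS</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
CONSTRUCTED_FAULT = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
    '<detail><UPnPError><errorCode>713</errorCode>'
    '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>'
    '</s:Fault></s:Body></s:Envelope>'
)


@dataclass
class PortMapping:
    external_port: int
    internal_client: str
    internal_port: int
    protocol: str
    description: str


def _field(xml: str, name: str) -> Optional[str]:
    m = re.search(rf"<{name}>(.*?)</{name}>", xml, re.S)
    return m.group(1).strip() if m else None


def parse_mapping(xml: str) -> Optional[PortMapping]:
    """Parse one GetGenericPortMappingEntry response; None on a SOAP fault
    (error 713 marks the end of the table) or when fields are missing."""
    if re.search(r"<(?:\w+:)?Fault\b", xml):
        return None
    ext, client = _field(xml, "NewExternalPort"), _field(xml, "NewInternalClient")
    iport, proto = _field(xml, "NewInternalPort"), _field(xml, "NewProtocol")
    if not (ext and client and iport and proto):
        return None
    return PortMapping(int(ext), client, int(iport), proto,
                       _field(xml, "NewPortMappingDescription") or "")


def fetch_mappings(control_url: str, max_entries: int = 256) -> List[PortMapping]:
    """Walk the router's mapping table by index until it returns a fault."""
    found: List[PortMapping] = []
    for i in range(max_entries):
        req = urllib.request.Request(
            control_url, data=(_SOAP_BODY % (SERVICE, i)).encode(),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:       # SOAP faults arrive as HTTP 500
            body = e.read().decode(errors="replace")
        entry = parse_mapping(body)
        if entry is None:
            break
        found.append(entry)
    return found


def risky_mappings(mappings: List[PortMapping], watch=WATCH_PORTS) -> List[PortMapping]:
    """Mappings that expose a NAS management port to the Internet."""
    return [m for m in mappings if m.internal_port in watch]


if __name__ == "__main__":
    # usage: python upnp_audit.py http://192.168.1.1:5000/ctl/IPConn  (hypothetical URL)
    for m in risky_mappings(fetch_mappings(sys.argv[1])):
        print(f"EXPOSED {m.protocol} {m.external_port} -> {m.internal_client}:{m.internal_port} ({m.description})")
```

Run it against your own router's control URL; any line it prints is a NAS port reachable from the Internet regardless of whether you ever forwarded it yourself, and the fix is to delete the mapping and disable UPnP on the router (or at least on the NAS).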
Re: (Score:1)
Re: (Score:2)
No, a colleague has been infected and he had no open ports to the NAS, he exclusively used myQNAPcloud.
Interesting. That's not what QNAP is saying in their advisory [qnap.com], which refers to "exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet".
DeadBolt is not new (Score:3)
Deadbolt is not new. They have known about it since early this year.
Back in February QNAP pushed an update to QNAP devices, completely unannounced. Many users reported failed updates, lost data, and/or bricked units as a result.
A lot of users, myself included, had specifically disabled automatic updates but QNAP was somehow able to push out the update anyway. This, more than DeadBolt itself, annoyed me the most. If QNAP could bypass users to install updates (regardless of whether automatic updates had been sneakily re-enabled in a prior update, or QNAP had some other method) then I could no longer trust them on my network or with my data. I pulled the NAS, built a new server, and have repurposed the NAS hardware for something else with a new OS (the hardware itself is still pretty good).
The fact that DeadBolt is still an issue for QNAP after seven months just tells me I was completely justified to ditch them when I did.
Zyxel (Score:2)
Looks like Zyxel [securityweek.com] has a vulnerability too...
That is why my "NAS" is a Linux PC (Score:2)
No such troubles, just keep the distro updated and do the standard hardening. Of course, it takes more space, but on the plus side, I can also use it as firewall and I can put in whatever disks I like.