As many as 29,000 network storage devices manufactured by Taiwan-based QNAP are vulnerable to hacks that are easy to carry out and give unauthenticated users on the Internet complete control, a security firm has warned.
The vulnerability, which carries a severity rating of 9.8 out of a possible 10, came to light on Monday, when QNAP issued a patch and urged users to install it. Tracked as CVE-2022-27596, the vulnerability makes it possible for remote hackers to perform a SQL injection, a type of attack that targets web applications that use the Structured Query Language. SQL injection vulnerabilities are exploited by entering specially crafted characters or scripts into the search fields, login fields, or URLs of a buggy website. The injections allow for the modifying, stealing, or deleting of data or the gaining of administrative control over the systems running the vulnerable apps.
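The paragraph above describes SQL injection in general terms. The following added example (mine, not code from the article, from QNAP, or from the advisory for CVE-2022-27596, whose internal details the article does not give) shows the root cause in miniature: a query assembled by string concatenation beside the parameterized version of the same query, run against a constructed in-memory SQLite table. The `PROBE` string is a constructed tautology used only to show why the concatenated form is wrong.

```python
import sqlite3

# Constructed in-memory user table standing in for a web application's
# database. Generic illustration only; it is not QNAP's code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 0), ("bob", 0), ("admin", 1)])
    conn.commit()
    return conn

def search_users_vulnerable(conn, term):
    """Builds the statement by string concatenation, so quote characters in
    `term` are parsed as SQL grammar instead of being treated as data."""
    sql = ("SELECT username FROM users WHERE username = '" + term + "' "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql)]

def search_users_parameterized(conn, term):
    """Binds `term` as a parameter: the driver passes it as a value, so it
    cannot change the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (term,))]

# Constructed tautology string of the kind the article calls "specially
# crafted characters": it closes the quoted literal and appends OR '1'='1'.
PROBE = "x' OR '1'='1"

def demo():
    """Run both variants on a normal term and on the probe."""
    conn = make_db()
    return {
        "vulnerable_normal": search_users_vulnerable(conn, "alice"),
        "vulnerable_probe": search_users_vulnerable(conn, PROBE),
        "parameterized_normal": search_users_parameterized(conn, "alice"),
        "parameterized_probe": search_users_parameterized(conn, PROBE),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns every user for the probe because the WHERE clause has become `username = 'x' OR '1'='1'`; the parameterized query returns nothing, because it looks for a user literally named `x' OR '1'='1`. Parameter binding, not input filtering, is the fix the web application needs.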
On Tuesday, security firm Censys reported that data collected from network scan searches showed that as many as 29,000 QNAP devices may not have been patched against CVE-2022-27596. Researchers found that of the 30,520 Internet-connected devices showing what version they were running, only 557, or about 2 percent, were patched. In all, Censys said it detected 67,415 QNAP devices. The 29,000 figure was estimated by applying the 2 percent patch rate to the total number of devices.
As reported by Bleeping Computer, QNAP devices over the years have been successfully hacked and infected with other ransomware strains, including Muhstik, eCh0raix/QNAPCrypt, QSnatch, Agelocker, Qlocker, DeadBolt, and Checkmate. Users of these devices should take action now.
Taipei, Taiwan, March 24, 2021 - QNAP Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, considers product security its top priority. With increasing reports of brute-force attacks, QNAP urges its users to take immediate action to enhance the security of their devices. These actions include using strong passwords, changing the default access port number, and disabling the admin account.
To take steps to avoid being hacked, QNAP recommends that users do not expose their devices on public networks. Using default network ports for public services should be avoided as well. Other steps to strengthen the security of QNAP appliances and mitigate brute-force attacks include setting complex (strong) passwords for user accounts, enabling password policies, and disabling the admin account. For more information, please refer to the following FAQ:
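QNAP's advice above targets brute-force logins against the built-in `admin` account. As an added example (my code, not QNAP's, and not a tool the press release mentions), here is the detection logic a NAS owner or SOC would want on the other side of that advice: a sliding-window count of failed logins per source address, plus a higher-priority flag when a success follows a burst of failures, which is the sign that a guessed password actually worked. The log lines are constructed in a generic syslog-like shape; the format is an assumption for the example and is not QNAP's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (generic syslog-like shape, NOT QNAP's real format).
# 203.0.113.7 hammers the admin account and eventually gets in; 198.51.100.20
# is a normal user who mistyped once; the cron line is unrelated noise.
SAMPLE_LOG = """\
2021-03-24T10:00:01 nas authd: Failed password for admin from 203.0.113.7
2021-03-24T10:00:02 nas authd: Failed password for admin from 203.0.113.7
2021-03-24T10:00:03 nas authd: Failed password for admin from 203.0.113.7
2021-03-24T10:00:04 nas authd: Failed password for admin from 203.0.113.7
2021-03-24T10:00:05 nas authd: Failed password for admin from 203.0.113.7
2021-03-24T10:00:06 nas authd: Failed password for admin from 203.0.113.7
2021-03-24T10:00:07 nas authd: Accepted password for admin from 203.0.113.7
2021-03-24T10:02:00 nas authd: Failed password for jane from 198.51.100.20
2021-03-24T10:05:30 nas authd: Accepted password for jane from 198.51.100.20
2021-03-24T10:06:00 nas cron: nightly snapshot completed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_events(text):
    """Return (timestamp, result, user, src) tuples for recognised auth lines;
    lines that do not match the pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"],
                           m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failures inside a sliding window, and
    separately flag a success arriving while such a burst is still in the
    window (the guess worked). Returns (bursts, success_after_burst)."""
    recent = defaultdict(list)   # src -> failure timestamps inside the window
    bursts = {}                  # src -> time the threshold was first crossed
    success_after_burst = set()
    for ts, result, user, src in sorted(events):
        q = recent[src]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.pop(0)
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in bursts:
                bursts[src] = ts
        elif len(q) >= threshold:         # success right after a burst
            success_after_burst.add(src)
    return bursts, success_after_burst

if __name__ == "__main__":
    bursts, hits = detect_bruteforce(parse_events(SAMPLE_LOG))
    for src, when in bursts.items():
        print(f"brute force from {src}, threshold crossed at {when}")
    for src in hits:
        print(f"ALERT: login from {src} succeeded after a failure burst")
```

The threshold and window are deliberately parameters: a NAS on a home connection sees few legitimate failures, so a low threshold is reasonable there, while a shared office device needs a higher one. Disabling the `admin` account, as QNAP recommends, removes the username the constructed attacker is guessing against.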
My NAS is a dual HDD backup system that has all of my data on it. I have however got a single disc NAS mirror in the garage (in case the house burns down) but I imagine most people have a single NAS backup.
I have everything on my main HDD in my workstation and that is backed up to a second HDD also in my workstation and also to a single large NAS drive in another room (RAID etc is generally asking for trouble and unnecessary in these halcyon days of large cheap single drives) and then anything important is also backed up to the cloud.
If you have logged something with QNAP I would switch off your NAS and leave it until they call back. What I have read is they only stand a chance if nothing else happens, e.g. other files overwriting what is there. The longer it is switched on with you trying different things, the more chance there is of stuff being damaged.
The only way I can access it from outside my house (that I know of) is either directly through the apps on my phone, or through the QNAPCloud account (which, from what vanilla83 says up there, I should delete/disable).
Yes. If someone had got into the NAS then they could also get your backup, and are actually very likely to, as that is their job. The paranoid amongst us alternate USB drives so they can leave one plugged in and then swap it with the other one.
NAS is not RAID though. You can have a single large drive NAS device or you could have a RAID device that is not NAS. NAS is brilliant, RAID is just not necessary at all these days in the vast majority of applications, particularly those relevant to the home user.
You have far more chance pulling the data off a single large drive than you do recreating the data held across 2 or 4 drives in a RAID array accordingly. Plus, if you have your data backed up in a couple of places it is trivial to replace a failed drive in box A and copy the data back across from box B.
As things stand I have my data on three large drives. It is a very quick job to replace any one of those and get it all back up and running and I can do so using any PC around. The same cannot be said when my RAID box died. I basically binned the box, took the drives out, formatted them and put them in single drive NAS enclosures and that is what I run.
And sorry to distract from the OP. It is fairly standard to initially trust the NAS as it is just a copy of the computer, but then over time it ends up having the only copy of some old data and becomes a single point of failure without anyone noticing :(.
Thanks for the nudge, I've logged in to mine and run the Security Counselor, which I hadn't set up properly.
Mine's dual drive mirroring each other to provide redundancy against drive failure, but I suppose that doesn't do anything against an attack.
Easiest thing to do for me is going to be to order another drive in an enclosure, mirror the NAS onto it, and then unplug it while it's not doing the backup and park it on a shelf.
It would appear that the DeadBolt ransomware attack that has been a persistent pain for QNAP (and other NAS brands) in 2022 is still ongoing, with new reports emerging of further attacks on NAS systems in September 2022. The vulnerability reported to be exploited is in the QNAP Photo Station application, and although a day-one patch for the application was issued for all currently supported QTS software versions, users have still been hit in this new wave of attacks by the DeadBolt ransomware group. Although the scale of this latest attack does not match that of the group's previous attacks, it is worth highlighting that the way this ransomware encrypts and deploys, and how it presents itself to the user upon execution, have changed a little, so even if you are not affected it is still worth getting clued up on this. In this article, I will cover everything that is known so far about the Photo Station vulnerability that was exploited, why DeadBolt is still a thing, how it attacks, what you can do to avoid it and what you can do if you have been hit.
QNAP highlighted this vulnerability on their security advisory page, here under ID QSA-22-24, and state that they detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with Internet exposure. This is not via the myQNAPcloud services, but rather users allowing remote access through open router ports, with no VPN or restrictive access rules in place. QNAP issued the following statement:
QNAP Product Security Incident Response Team (QNAP PSIRT) made the assessment and released the patched Photo Station app for the current version within 12 hours. QNAP urges all QNAP NAS users to update Photo Station to the latest available version. QuMagie is a simple and powerful alternative to Photo Station. We recommend using QuMagie to efficiently manage photo storage in your QNAP NAS. We strongly urge that QNAP NAS devices should not be directly connected to the Internet. This is to enhance the security of your QNAP NAS. We recommend users make use of the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. This can effectively harden the NAS and decrease the chance of being attacked.
Additionally, the warning displayed to the end user also carries a note directed at QNAP themselves, stating that the attackers are willing to share the nature of the exploited vulnerability for 5 BTC. See here:
First and foremost, it is INCREDIBLY IMPORTANT that users understand the risks of allowing remote access to their NAS system (not just QNAP, but ANY NAS drive) without specific port discipline, a VPN, a firewall and/or custom admin credentials. In the case of this recent resurgence of the ransomware attack executed by the DeadBolt group, it is important to note that it is made possible by two KEY VARIABLES: a weakness and an opportunity.
An opportunity (in the context of ransomware and malware attacks) can largely be defined as an open door (no matter how small) that can be used to send a command to the NAS as an administrator (e.g. encrypt everything). THIS is where one of the biggest misconceptions (and indeed finger-pointing) happens when an incident of ransomware, malware or data loss occurs. A vulnerability in a software platform (especially when the bulk of software in common use today is built on Linux) is only of any use to an attacker when it can be reached and executed. So, in the case of a NAS vulnerability such as the Photo Station vulnerability that has been identified, it can only be exploited if the NAS user has allowed external access to their NAS via the Internet. This access may well be behind user login credentials, but lacked the barrier of a VPN, a firewall set up with ample restrictions, trusted access credentials/identity, limited/zero admin control, 2-step verification, specific port access to a GUI and the many other restrictions/limitations/authentications that can be enabled. Not all of these hurdles and/or barriers are as effective as others (some vulnerabilities sit in backend access that login controls never touch), but all or most of them should be considered when allowing any form of external access to your NAS from outside your local network. Equally, you NEED to become more acquainted with your router! Get into your router and deactivate UPnP, as this eliminates the possibility of applications on your NAS inadvertently opening ports remotely without your direct knowledge.
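The "weakness × opportunity" point above, and the list of barriers that follows it, reduce to a checklist a NAS owner can run against their own setup. The following added example (mine, not the article's or QNAP's code) encodes that checklist as an audit over a small exposure description, and runs it on two constructed postures: one matching the exposed-Photo-Station scenario the article describes, and one following the hardening advice (no direct port forwards, VPN-only remote access, UPnP off, admin account disabled, 2-step verification and a password policy on). The `Posture` field names and the `MANAGEMENT_PORTS` mapping are this example's own assumptions, not QNAP or router setting names; 8080 is QTS's default web admin port, and 443 and 22 are the usual HTTPS and SSH ports.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ports whose exposure the article's advice centres on. Assumption for this
# example: 8080 is the QTS default web admin port, 443/22 are HTTPS/SSH.
MANAGEMENT_PORTS = {8080: "web admin (HTTP)", 443: "web admin (HTTPS)", 22: "SSH"}

@dataclass
class Posture:
    """How a NAS is reachable from the Internet. Field names are invented for
    this example and do not correspond to any QNAP or router setting."""
    forwards: Dict[int, int]        # router external port -> NAS internal port
    upnp_enabled: bool              # router allows devices to open ports
    vpn_only_remote_access: bool    # remote users must be on the VPN first
    admin_account_enabled: bool     # built-in admin account still active
    two_factor_enabled: bool        # 2-step verification on user logins
    password_policy_enabled: bool   # complexity/length policy enforced

def audit(p: Posture) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs, one per deviation from the advice in
    the text. An empty list means every barrier the text names is in place."""
    findings = []
    for ext, internal in sorted(p.forwards.items()):
        if internal in MANAGEMENT_PORTS and not p.vpn_only_remote_access:
            findings.append(("high",
                f"external port {ext} forwards straight to {MANAGEMENT_PORTS[internal]} "
                f"on {internal}: any app vulnerability is reachable from the Internet"))
            if ext == internal:
                findings.append(("low",
                    f"default port {ext} left unchanged, so mass scans find it at once"))
    if p.upnp_enabled:
        findings.append(("high",
            "UPnP enabled: NAS applications can open router ports without your knowledge"))
    if p.admin_account_enabled:
        findings.append(("medium",
            "built-in admin account enabled: the attacker already knows the username"))
    if not p.two_factor_enabled:
        findings.append(("medium",
            "2-step verification off: a guessed or leaked password is enough"))
    if not p.password_policy_enabled:
        findings.append(("low", "no password policy: weak user passwords are allowed"))
    return findings

def worst_severity(findings: List[Tuple[str, str]]) -> int:
    """Collapse findings to a single score: 3 high, 2 medium, 1 low, 0 clean."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((order[s] for s, _ in findings), default=0)

# Constructed postures. EXPOSED mirrors the scenario in the text: admin UI
# forwarded on default ports, no VPN, UPnP on. HARDENED follows the advice.
EXPOSED = Posture(forwards={8080: 8080, 443: 443}, upnp_enabled=True,
                  vpn_only_remote_access=False, admin_account_enabled=True,
                  two_factor_enabled=False, password_policy_enabled=False)
HARDENED = Posture(forwards={}, upnp_enabled=False,
                   vpn_only_remote_access=True, admin_account_enabled=False,
                   two_factor_enabled=True, password_policy_enabled=True)

if __name__ == "__main__":
    for label, posture in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(f"{label}: severity {worst_severity(audit(posture))}")
        for sev, msg in audit(posture):
            print(f"  [{sev}] {msg}")
```

The audit deliberately treats a forwarded management port as acceptable only when remote access is VPN-only, which is the article's point: the Photo Station bug is the weakness, and the open router port in front of the admin interface is the opportunity. Closing the opportunity protects against the next application bug as well as this one.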