QNAP has addressed a important vulnerability permitting attackers to log into QNAP NAS (network-attached storage) gadgets utilizing hardcoded credentials.
The corporate says that the safety bug is already mounted within the following HBS variations and advises prospects to replace the software program to the most recent launched model:
- QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
- QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
- QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later
To replace HBS in your NAS machine, you must log into QTS or QuTS hero as administrator. Subsequent, seek for “HBS 3 Hybrid Backup Sync” in App Middle, after which click on Replace and OK to replace the applying (the Replace possibility isn’t obtainable if HBS is already updated.)
Whereas QNAP printed the safety asserting that CVE-2021-28799 was mounted at this time, the app’s launch notes for version 16.0.0415 lists it as mounted virtually every week in the past, on April sixteenth.
A QNAP spokesperson was not obtainable for remark when contacted by BleepingComputer earlier at this time to supply extra data on the rationale behind delaying to reveal the hardcoded credentials vulnerability disclosure.
On the identical day, QNAP mounted two different HBS command injection vulnerabilities, in addition to two extra important vulnerabilities (a command injection bug in QTS and QuTS hero and an SQL Injection vulnerability in Multimedia Console and the Media Streaming Add-On) that might permit attackers to realize full entry to NAS gadgets.
Ongoing Qlocker ransomware marketing campaign focusing on QNAP customers
Essential safety bugs reminiscent of these permit risk actors to take over NAS gadgets and, in some instances, deploy ransomware to encrypt the customers’ information and ask hefty ransoms for a decryptor.
QNAP instructed BleepingComputer that they imagine a brand new ransomware pressure often known as Qlocker exploits the SQL Injection vulnerability to encrypt knowledge on susceptible gadgets.
This exactly what has been taking place since no less than April nineteenth, when attackers behind a massive campaign deploying a brand new ransomware pressure often known as Qlocker began transferring QNAP prospects’ information in password-protected 7zip archives and asking for ransoms.
Since then, BleepingComputer’s ransomware assist discussion board has seen a substantial quantity of exercise, and ID-Ransomware has recorded a surge of Qlocker pattern submissions from victims.
QNAP gadgets focused by ransomware earlier than
Qlocker isn’t the primary ransomware to focus on QNAP gadgets, on condition that they’re generally used to retailer delicate private information and are the proper leverage to drive victims into paying a ransom to decrypt their knowledge.
In June 2020, QNAP warned of eCh0raix ransomware attacks focusing on Photograph Station app safety flaws.
eCh0raix (aka QNAPCrypt) returned one year later, making an attempt to realize entry to QNAP gadgets by exploiting recognized vulnerabilities and brute-forcing accounts with weak passwords.
QNAP additionally alerted prospects in September 2020 of an AgeLocker ransomware marketing campaign targeting publicly exposed NAS devices by exploiting older and susceptible Photograph Station variations.
QNAP prospects are suggested to undergo the next process to secure their NAS devices and verify for malware:
- Change all passwords for all accounts on the machine
- Take away unknown consumer accounts from the machine
- Be certain the machine firmware is up-to-date, and all the functions are additionally up to date
- Take away unknown or unused functions from the machine
- Set up QNAP MalwareRemover software through the App Middle performance
- Set an entry management record for the machine (Management panel -> Safety -> Safety stage)