QNAP NAS devices under ransomware attack
QNAP NAS device owners are once again under attack by ransomware operators, who are exploiting a recently fixed vulnerability to lock data on vulnerable devices by using the 7-Zip open-source file archiver utility.
According to Lawrence Abrams, the ransomware gang has managed to “earn” $260,000 in five days, as many unfortunate victims decided to pay the ransom of 0.01 Bitcoins (around $550) to receive the password that would unlock their files.
What happened?
On April 16, QNAP has anounced that they have fixed:
- CVE-2020-2509, a command injection vulnerability in QTS and QuTS hero, and
- CVE-2020-36195, an SQL injection vulnerability affecting QNAP NAS running Multimedia Console or the Media Streaming add-on
On April 22, the company anounced that they have also resolved CVE-2021-28799, an improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 Hybrid Backup Sync, on April 16.
QNAP initially believed that the ransomware operation called Qlocker exploited CVE-2020-36195 (the SQL injection flaw) to gain access to internet-connected NAS devices and lock users’ data, but it turned out to be CVE-2021-28799 (the improper authorization vulnerability, i.e., a backdoor account).
In any case, the attackers likely managed to compromise thousands of devices belonging to both consumers and small-to-medium businesses (SMBs) and lock the data found on them. Abrams has calculated that over 500 of the victims have paid the ransom.
Some 50 victims have been lucky to have been helped by security researcher Jack Cable to recover their files without a password due to a bug in 7-Zip. Unfortunately, that window of opportunity didn’t last long:
Update: it looks like this may have been fixed by the ransomware operators, unfortunately. I apologize if I was not able to get to yours before it was fixed. In total decrypted around 50 keys worth $27k.
— Jack Cable (@jackhcable) April 22, 2021
What now?
Those lucky QNAP NAS owners that have not yet been hit by the attackers are advised to implement the offered updates to stymie these and other ransomware gangs.
They should follow the advice offered by QNAP, as well as implement best practices for enhancing the devices’ security, since they are often targeted by attackers.
UPDATE (April 30, 2021, 05:00 a.m. PT):
“The QNAP security team has detected suspicious ransomware in the wild known as AgeLocker, which has the potential to affect QNAP NAS devices,” QNAP warned on Thursday, but did not say which vulnerabilities the attackers are exploiting.
“To secure your device, we strongly recommend regularly updating QTS or QuTS hero and all installed applications to their latest versions to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model. To further secure your device, do not expose your NAS to the internet. If you must connect your NAS to the internet, we highly recommend using a trusted VPN or a myQNAPcloud link.”