NAS devices under attack: How to keep them safe?

Network-attached storage (NAS) devices are a helpful solution for storing, managing, and sharing files and backups and, as such, they are an attractive target for cyber criminals.

They are most often used by consumers (on home networks) and small-to-medium businesses (on business networks).

Palo Alto Networks researchers recently found some 240,000 QNAP and approximately 3,500 Synology NAS devices exposed to the public internet.

Other vendors offering NAS solutions include Zyxel, Western Digital, Seagate, LenovoEMC, and others.

A variety of attacks

Since the start of the year, a variety of NAS devices have been hit by ransomware gangs, botnet operators, as well as attackers who simply decided to wipe the data without warning and install a trojan.

In April 2021, QNAP warned about ransomware attackers exploiting a recently fixed vulnerability (CVE-2021-28799) to lock data on vulnerable devices. (The year before 62,000 QNAP NAS devices had been infected with persistent QSnatch malware.)

Earlier this month, Synology warned about an uptick in brute-force attacks against Synology devices.

“Synology’s security researchers believe the botnet is primarily driven by a malware family called ‘StealthWorker.’ At present, Synology PSIRT has seen no indication of the malware exploiting any software vulnerabilities,” the company noted.

“These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware. Devices infected may carry out additional attacks on other Linux based devices, including Synology NAS.”

Palo Alto Networks researchers said on Tuesday that they’ve discovered a new variant of eCh0raix ransomware targeting both Synology and QNAP NAS devices, either by leveraging CVE-2021-28799 or engaging in brute-force attacks aimed at discovering admininstrator login credentials.

Heimdal Security CEO Morten Kjaersgaard has also shared his personal experience of attackers attempting to brute force his home Synology NAS server.

“The MO of a brute force attack is rudimentary, but highly efficient – it implies playing the guessing game to find out the target device’s username & password and actually uses cryptographic functions to derive device auth credentials. To get around auth processes, attackers might use scripted apps and bots that test common or even legitimate credentials from data breaches lists that can be found – yes, you’ve guessed right – on the dark web,” he noted.

“Apart from obtaining credentials for ransomware deployment, brute force attackers hunt for personal information, try to impersonate users, spread phishing links or other false materials, or redirect domains to fraudulent websites.”

How to keep NAS devices safe

According to Bitdefender, the number of vulnerabilities found in NAS devices increased by 198% YoY from 2019 to 2020.

The April attacks against QNAP NAS devices were successful because the attackers leveraged what was, at that time, a zero-day exploit of an upatched vulnerability.

Nevertheless, administrators of NAS devices should regularly update their firmware / software. Signing up for vendor alerts about security updates and active attacks is a good idea.

Passwords, epecially for admin accounts, should be complex, long and unique, to make brute-forcing more difficult for attackers. Multi-factor authentication should be employed, where possible.

Internet access to the device can be disabled (if it’s not needed) or allowed only from certain IP addresses (e.g., devices on the home or business network). NAS vendors and their community forums provide instructions on how to do that, as well as other general advice on how to keep one’s NAS devices safe.