QNAP issues ransomware warning to users: secure your devices or disconnect unprotected NAS

Jimmy2x

Jimmy2x

Posts: 239   +29
Staff
A hot potato: QNAP issued a security statement urging their NAS users to take immediate action and secure their data against ongoing ransomware and brute force attacks. While the responsible parties have not been identified, the widespread attacks appear to target any vulnerable network devices. The company has provided security setting instructions and mitigation actions that any QNAP NAS users should implement immediately.

A security statement released by the storage appliance provider on Friday issued very clear instruction to QNAP NAS users: take immediate action to secure your network appliances or take them offline. The attacks, which appear to indiscriminately target any network device exposed to the Internet, pose the most risk to devices with internet connectivity but little to no protection in place.

QNAP users with the ability to access and secure their devices can verify whether their device is exposed to the internet using the QNAP Security Counselor. According to the company's statement, the user's NAS is exposed and at high risk if the Security Counselor console displays a result stating, "The System Administration service can be directly accessible from an external IP address..."

In the event that a user's NAS is exposed to the Internet, QNAP's security statement provides instructions to determine which ports are exposed as well as how to disable port forwarding on the user's router and UPnP on the NAS device.

Port forwarding, also known as port mapping, redirects requests from the original address and port to another address and port. Some users and administrators no longer view port forwarding as a major risk, as software firewalls packaged with most modern operating systems are capable of providing adequate protection when properly configured.

However, QNAP has specifically stated that enabling port forwarding, UPnP, or demilitarized zone (DMZ) functionality can result in the NAS connecting directly to the internet, making the device vulnerable to attack. The recommended preference is for the NAS to remain behind a user's router and firewall with no public IP address.

NAS users without access to or familiarity with the Security Counselor console still have one last nuclear option--simply disconnect the device, terminating any potential connectivity to the outside world. While it may seem drastic, the fact remains that attackers scanning for vulnerable targets can't hit what they can't see.

Image credit: Michael Geiger

Permalink to story.

https://www.techspot.com/news/92909-qnap-issues-warning-users-secure-or-disconnect-unprotected.html

 
Well, our common stance of "security through obscurity" and/or general laziness is really coming back to bite us, isn't it?

*Maybe* leaving almost everything unlocked, unpatched, exposed, and guarded by people that have zero technical knowledge was a bad idea.

And yet companies and customers are racing to put a computer into everything regardless of if it even has a benefit.
 
  • Like
Reactions: Reinette Tineker and Raytrace3D
Well considering what happened last year where so many people got hit by ramsomware before they even bother instructing anybody to do anything at all and their advice was at one point "Just let it happen we'll recover it later" this must be extremely serious then.

Seriously the more I look at these NAS solution the more I am persuaded to put in the time and the work to just run a truenas core or truenas scale box instead.
 
Last edited:
  • Like
Reactions: passwordistaco
"Some users and administrators no longer view port forwarding as a major risk, as software firewalls packaged with most modern operating systems are capable of providing adequate protection when properly configured." what a made-up bullshit statement is that?
 
  • Like
Reactions: Reinette Tineker and eldakka
I'm pretty confident in my network security and I don't usually keep anything important on my NAS. If I do it's encrypted. All my important stuff is on a RaspPi and the whole thing is encrypted.

I know I shill linux a lot around here but if anyone wants a REAL reason to have a dedicated linux PC it's to keep important documents securely stored.
 
ScottSoapbox said:
Well, our common stance of "security through obscurity" and/or general laziness is really coming back to bite us, isn't it?

*Maybe* leaving almost everything unlocked, unpatched, exposed, and guarded by people that have zero technical knowledge was a bad idea.

And yet companies and customers are racing to put a computer into everything regardless of if it even has a benefit.
Click to expand...
But... but... my microwave NEEDs access to the internet so it can tell my toaster when my bagel is ready.
 
  • Like
Reactions: Haakon K, J Oelschl and eldakka
The real problem they are sold as plug and play - once the average punter - gets it set up so he can upload to it , and the WWW can see it - they forget about it - probably even forget their master password for admin - the other option for them is cloud based .
I share nothing over WWW - I may hand out Netflex to extended family etc - I put a nephew and niece on my phone plan- because I have an unlimited plan - I don't really use .
Look at data hoarders once a year - see topics about "friends" sharing log in details - or streaming all day (probably just letting it run unviewed ) , demanding latest crap ASAP - heh heh as you get older you get more brutal with leeches ( I would - do I look like a free-love hippy ? )
 
As someone actually hit by QLocker on the 6th, I would say don't bother trying to run any of QNAPs advertised cool features such as QuMagie or remote sync (private cloud). My admin account was turned off and the other two accounts on that NAS had 2FA set up. Every time either of those two accounts were used from a new device, it correctly prompted for the Google Authenticator app code. Whether it was using QuMagie for the first time, simply logging in or QSync, QFile, doesn't matter the prompt always came up.

So my logic says that one or more of those services has a backdoor/vulnerability that QNAP will not disclose just like Photo Station and Hybrid Sync have had in the past (April 2020) and QNAP simply are not doing a good enough job pen testing their software.

Their response to me giving them feedback on my account of events seems to indicate they're pretty frantically trying to find how the black mailers are getting in.

Don't bother trying to secure them just take them off line fully for now. Something more sinister than account hacking/brute force attacking going on here.....
 
  • Like
Reactions: Puiu, Burty117 and sdms96825
Ramrunner said:
As someone actually hit by QLocker on the 6th, I would say don't bother trying to run any of QNAPs advertised cool features such as QuMagie or remote sync (private cloud). My admin account was turned off and the other two accounts on that NAS had 2FA set up. Every time either of those two accounts were used from a new device, it correctly prompted for the Google Authenticator app code. Whether it was using QuMagie for the first time, simply logging in or QSync, QFile, doesn't matter the prompt always came up.

So my logic says that one or more of those services has a backdoor/vulnerability that QNAP will not disclose just like Photo Station and Hybrid Sync have had in the past (April 2020) and QNAP simply are not doing a good enough job pen testing their software.

Their response to me giving them feedback on my account of events seems to indicate they're pretty frantically trying to find how the black mailers are getting in.

Don't bother trying to secure them just take them off line fully for now. Something more sinister than account hacking/brute force attacking going on here.....
Click to expand...
I've had attacks on 2 QNAP NAS devices. It was a nightmare to deal with :(
 
ScottSoapbox said:
Well, our common stance of "security through obscurity" and/or general laziness is really coming back to bite us, isn't it?

*Maybe* leaving almost everything unlocked, unpatched, exposed, and guarded by people that have zero technical knowledge was a bad idea.

And yet companies and customers are racing to put a computer into everything regardless of if it even has a benefit.
Click to expand...
Other companies push towards mandatory TPM for universal FDE on all devices, and cloud storage with 2FA, yet other peeps (or maybe even the same people) still complain about that, too.

The morale of the story is that no matter what you do or don't do, people will complain.
 
Still don't understand why you would buy one of these devices vs making your own as you get so much more for your money and (more importantly) so much more control over your device vs having to play security hot potato and hope that QNAP /Synology's devs actually bothered to fix the security holes - even from an ease of use standpoint, with things like Unraid / TrueNAS / OpenMediaVault etc. available, it's far from difficult to set up a couple drives, and you have more capabilities available to you vs what the NAS brands think you may need / want to support.
 
Raytrace3D said:
But... but... my microwave NEEDs access to the internet so it can tell my toaster when my bagel is ready.
Click to expand...
Instead of network access, instead, I say we give ever appliance speech recognition and generation, so they can literally talk to one another audibly. And then give them all the personality of kitchen staff in a restaurant, complete with substance abuse problems.
 
  • Like
Reactions: Raytrace3D
I have been hacked by all of this . I cannot get my device Qfinder keeps telling me it can not find my Nas . Any suggestions how to fix it The Company have not responded and they have no technician available is all I get . I spend over 600 dollars on the device and this is all I get . A shame
 
Ramrunner said:
As someone actually hit by QLocker on the 6th...
Click to expand...
Sorry to hear that. I have an older QNAP TS 251 which I must admit I quite like. Obviously admin password set but I need to have basic port forwarding for bittorrent. I don't use many of the features outside of file storage. I already backup the files between the QNAP and my PC but obviously I don't want the pain of getting the device infected. At the moment I've just pulled the cord and plug it in when I want to watch media or access files.

Can I set how many failed attempts are made? Can I stop access from outside my internal network? Would that make a difference? Any suggestions generally?
 
You must log in or register to reply here.

Similar threads

A
Some QNAP NAS devices affected by a critical vulnerability, updates available right now
Replies
4
Views
186
Puiu
Puiu
A
QNAP's NAS devices affected by a new critical security issue, patches are available
Replies
5
Views
655
Puiu
Puiu
A
Zyxel warns about new critical vulnerabilities found in its NAS devices
Replies
1
Views
254
Vanderlinde
V

Latest posts

Back