QNAP issues ransomware warning to users: secure your devices or disconnect unprotected NAS

Jimmy2x

Posts: 84   +8
Staff
A hot potato: QNAP issued a security statement urging its NAS users to take immediate action and secure their data against ongoing ransomware and brute-force attacks. While the responsible parties have not been identified, the widespread attacks appear to target any vulnerable network device. The company has provided security setting instructions and mitigation actions that all QNAP NAS users should implement immediately.

A security statement released by the storage appliance provider on Friday issued a very clear instruction to QNAP NAS users: take immediate action to secure your network appliances or take them offline. The attacks, which appear to indiscriminately target any network device exposed to the Internet, pose the most risk to devices with Internet connectivity but little to no protection in place.

QNAP users with the ability to access and secure their devices can verify whether their device is exposed to the internet using the QNAP Security Counselor. According to the company's statement, the user's NAS is exposed and at high risk if the Security Counselor console displays a result stating, "The System Administration service can be directly accessible from an external IP address..."

In the event that a user's NAS is exposed to the Internet, QNAP's security statement provides instructions to determine which ports are exposed as well as how to disable port forwarding on the user's router and UPnP on the NAS device.

Port forwarding, also known as port mapping, redirects requests from the original address and port to another address and port. Some users and administrators no longer view port forwarding as a major risk, as software firewalls packaged with most modern operating systems are capable of providing adequate protection when properly configured.

However, QNAP has specifically stated that enabling port forwarding, UPnP, or demilitarized zone (DMZ) functionality can result in the NAS connecting directly to the internet, making the device vulnerable to attack. The recommended preference is for the NAS to remain behind a user's router and firewall with no public IP address.

NAS users without access to or familiarity with the Security Counselor console still have one last nuclear option: simply disconnect the device, terminating any potential connectivity to the outside world. While it may seem drastic, the fact remains that attackers scanning for vulnerable targets can't hit what they can't see.

Image credit: Michael Geiger


ScottSoapbox

Posts: 293   +520
Well, our common stance of "security through obscurity" and/or general laziness is really coming back to bite us, isn't it?

*Maybe* leaving almost everything unlocked, unpatched, exposed, and guarded by people that have zero technical knowledge was a bad idea.

And yet companies and customers are racing to put a computer into everything regardless of if it even has a benefit.
 

Dimitriid

Posts: 2,095   +4,001
Well, considering what happened last year, where so many people got hit by ransomware before they even bothered instructing anybody to do anything at all, and their advice was at one point "Just let it happen, we'll recover it later", this must be extremely serious then.

Seriously, the more I look at these NAS solutions, the more I am persuaded to put in the time and the work to just run a TrueNAS CORE or TrueNAS SCALE box instead.
 

theruck

Posts: 546   +343
"Some users and administrators no longer view port forwarding as a major risk, as software firewalls packaged with most modern operating systems are capable of providing adequate protection when properly configured." What a made-up bullshit statement that is.
 

yRaz

Posts: 4,339   +4,981
I'm pretty confident in my network security and I don't usually keep anything important on my NAS. If I do, it's encrypted. All my important stuff is on a Raspberry Pi and the whole thing is encrypted.

I know I shill Linux a lot around here, but if anyone wants a REAL reason to have a dedicated Linux PC, it's to keep important documents securely stored.
 

Raytrace3D

Posts: 333   +403
Well, our common stance of "security through obscurity" and/or general laziness is really coming back to bite us, isn't it?

*Maybe* leaving almost everything unlocked, unpatched, exposed, and guarded by people that have zero technical knowledge was a bad idea.

And yet companies and customers are racing to put a computer into everything regardless of if it even has a benefit.
But... but... my microwave NEEDs access to the internet so it can tell my toaster when my bagel is ready.
 

kiwigraeme

Posts: 988   +739
The real problem is they are sold as plug and play: once the average punter gets it set up so he can upload to it, and the WWW can see it, they forget about it, probably even forget their master password for admin. The other option for them is cloud based.
I share nothing over the WWW. I may hand out Netflix to extended family etc. I put a nephew and niece on my phone plan, because I have an unlimited plan I don't really use.
Look at data hoarders once a year; see topics about "friends" sharing login details, or streaming all day (probably just letting it run unviewed), demanding the latest crap ASAP. Heh heh, as you get older you get more brutal with leeches (I would; do I look like a free-love hippy?).
 

Ramrunner

Posts: 8   +8
As someone actually hit by QLocker on the 6th, I would say don't bother trying to run any of QNAP's advertised cool features such as QuMagie or remote sync (private cloud). My admin account was turned off and the other two accounts on that NAS had 2FA set up. Every time either of those two accounts was used from a new device, it correctly prompted for the Google Authenticator app code. Whether it was using QuMagie for the first time, simply logging in, QSync or QFile, doesn't matter: the prompt always came up.

So my logic says that one or more of those services has a backdoor/vulnerability that QNAP will not disclose just like Photo Station and Hybrid Sync have had in the past (April 2020) and QNAP simply are not doing a good enough job pen testing their software.

Their response to me giving them feedback on my account of events seems to indicate they're pretty frantically trying to find how the black mailers are getting in.

Don't bother trying to secure them; just take them offline fully for now. There is something more sinister than account hacking/brute-force attacking going on here...
 

Puiu

Posts: 5,476   +4,400
TechSpot Elite
As someone actually hit by QLocker on the 6th, I would say don't bother trying to run any of QNAP's advertised cool features such as QuMagie or remote sync (private cloud). My admin account was turned off and the other two accounts on that NAS had 2FA set up. Every time either of those two accounts was used from a new device, it correctly prompted for the Google Authenticator app code. Whether it was using QuMagie for the first time, simply logging in, QSync or QFile, doesn't matter: the prompt always came up.

So my logic says that one or more of those services has a backdoor/vulnerability that QNAP will not disclose just like Photo Station and Hybrid Sync have had in the past (April 2020) and QNAP simply are not doing a good enough job pen testing their software.

Their response to me giving them feedback on my account of events seems to indicate they're pretty frantically trying to find how the black mailers are getting in.

Don't bother trying to secure them; just take them offline fully for now. There is something more sinister than account hacking/brute-force attacking going on here...
I've had attacks on 2 QNAP NAS devices. It was a nightmare to deal with :(
 

bviktor

Posts: 789   +1,202
Well, our common stance of "security through obscurity" and/or general laziness is really coming back to bite us, isn't it?

*Maybe* leaving almost everything unlocked, unpatched, exposed, and guarded by people that have zero technical knowledge was a bad idea.

And yet companies and customers are racing to put a computer into everything regardless of if it even has a benefit.
Other companies push towards mandatory TPM for universal FDE on all devices, and cloud storage with 2FA, yet other peeps (or maybe even the same people) still complain about that, too.

The moral of the story is that no matter what you do or don't do, people will complain.
 

VariableSpike

Posts: 80   +101
Still don't understand why you would buy one of these devices vs. making your own, as you get so much more for your money and (more importantly) so much more control over your device, vs. having to play security hot potato and hope that QNAP's/Synology's devs actually bothered to fix the security holes. Even from an ease-of-use standpoint, with things like Unraid / TrueNAS / OpenMediaVault etc. available, it's far from difficult to set up a couple of drives, and you have more capabilities available to you vs. what the NAS brands think you may need / want to support.
 

mbrowne5061

Posts: 2,008   +1,202
But... but... my microwave NEEDs access to the internet so it can tell my toaster when my bagel is ready.
Instead of network access, I say we give every appliance speech recognition and generation, so they can literally talk to one another audibly. And then give them all the personality of kitchen staff in a restaurant, complete with substance abuse problems.
 
I have been hacked by all of this. I cannot get to my device; Qfinder keeps telling me it cannot find my NAS. Any suggestions how to fix it? The company has not responded, and "they have no technician available" is all I get. I spent over 600 dollars on the device and this is all I get. A shame.
 

mbk34

Posts: 290   +195
As someone actually hit by QLocker on the 6th...
Sorry to hear that. I have an older QNAP TS-251 which I must admit I quite like. Obviously the admin password is set, but I need to have basic port forwarding for BitTorrent. I don't use many of the features outside of file storage. I already back up the files between the QNAP and my PC, but obviously I don't want the pain of getting the device infected. At the moment I've just pulled the cord and plug it back in when I want to watch media or access files.

Can I set how many failed attempts are made? Can I stop access from outside my internal network? Would that make a difference? Any suggestions generally?