Researchers have recently observed a large number of attacks against QNAP devices; the malware the attackers developed can spread laterally through USB drives and network shares.
Such devices are usually deployed by individuals or used in enterprises and institutions. Because QNAP NAS devices enable network sharing by default, office hosts, personal computers and even mobile phones belonging to enterprises and institutions may also be infected once a device has been compromised. The attacker can then launch further attacks by deploying malware such as information stealers, ransomware and remote access trojans, causing greater data damage and financial loss to the QNAP device owner or to the users who access the device. According to monitoring, the attack group has been preparing this campaign for more than a year.
According to the analysis, at present the attacker is only compromising devices and has not launched further attacks. The attacker originally intended to infect users' hosts by planting drive-by download code on web pages. That approach mainly targets the user's browser and is costly: gaining control of a host through the browser usually requires either a vulnerability or social engineering that persuades the user to click on and run the malware themselves.
In practice, however, the attacker can instead insert malicious executables among the stored files or modify the stored documents: adding macro viruses, adding new exploit documents, or inserting template links to achieve remote template injection, thereby infecting more of the people who use the storage and download services.
After an attacker controls a large number of QNAP NAS devices, he can exploit their networking and sharing features to reach not only the personnel who deployed the device but also everyone who uses its storage or download services.
At that point the attacker can deliver high-threat malware such as ransomware and remote access trojans, implant it on users' computers, collect user information, or even enter the office network through an employee's personal computer and deploy ransomware there, causing large-scale data leakage and extortion through encryption. Through its analysis, Lvmeng Technology (NSFOCUS) Fuying Lab discovered previously undisclosed malicious modules. This malware suite uses advanced countermeasures such as analysis misdirection to hide the malicious modules. At present, no vendor has disclosed the specific malicious behavior.
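One defensive check that follows from the document-tampering scenario above is to scan the Office files held on a share for the two markers named here: an attached template whose relationship points outside the file (remote template injection) and an embedded VBA project (macros). The scanner below is an added example, not code from the original report; the sample document it builds is constructed in memory for testing, and the template URL in the test is a placeholder.

```python
"""Scan OOXML Word documents for remote-template links and embedded macros.

Added example (not from the original report). A .docx/.docm is a zip; a
remote template shows up as a Relationship of type attachedTemplate in
word/_rels/settings.xml.rels with TargetMode="External", and macros live in
word/vbaProject.bin.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REMOTE_PREFIXES = ("http://", "https://", "\\\\")  # URL or UNC targets


def inspect_docx(data: bytes) -> dict:
    """Return {'remote_template': target-or-None, 'has_macros': bool}."""
    findings = {"remote_template": None, "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_macros"] = "word/vbaProject.bin" in names
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            root = ET.fromstring(zf.read(rels))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                # Only an attached template that is both external and
                # network-reachable indicates remote template injection.
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    findings["remote_template"] = target
    return findings


def build_sample(template_target=None, external=True, macros=False) -> bytes:
    """Constructed minimal document for testing; not a real captured file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target:
            mode = ' TargetMode="External"' if external else ""
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                        f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
                        '</Relationships>')
        if macros:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

Run `inspect_docx` over every `.docx`/`.docm` on the share and alert on any file whose `remote_template` is set or whose `has_macros` is true; a local template such as `Normal.dotm` is not flagged.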
Attack incidents involving network storage devices
Network attached storage (NAS) is an intelligent storage device that centrally stores photos, movies, music, files and other data. It is often used as a private cloud and as a backup server for file data. By connecting NAS devices to a home or office network, a secure and easy-to-manage shared space can be established, and the data of multiple devices can be centrally managed, shared and synchronized. Beyond network storage, NAS devices can also be combined with cloud infrastructure to support tasks such as artificial intelligence analysis, edge computing and information integration applications.
Although they are exposed on the network, NAS devices have weak security protection; the main problems are:
- Weak passwords are widely used
- The admin account is enabled by default
- The default HTTP and HTTPS ports are used
- There is no security protection software
NAS devices are often used as private cloud servers to back up and share sensitive files, which makes them attractive to attackers. In recent years there have been many network attacks against NAS devices.
In October 2019, researchers from Finland's National Cyber Security Centre (NCSC-FI) found that thousands of QNAP NAS devices were infected with QSnatch malware, with malicious code injected into the firmware. The malicious code collects login credentials on the victim device and can download further malicious code from a C2 server and execute it. Germany's computer emergency response team (CERT-Bund) said that about 7,000 NAS devices in Germany were affected by QSnatch.
In June 2020, a hacker group calling itself "Cl0ud SecuritY" broke into old Lenovo NAS devices, erased user files and left a ransom note demanding $200-275 to recover the data.
In June 2019, the eCh0raix ransomware (QNAPCrypt) group compromised QNAP NAS devices protected by weak passwords through brute-force attacks and launched a ransomware campaign. In June 2020 and December 2021, the group attacked QNAP devices twice more, demanding ransoms of several thousand dollars.
Since January 2022, QNAP users have been attacked repeatedly by the DeadBolt ransomware group. In June 2022, QNAP reminded customers to use strong passwords and to avoid using the default ports 8080 and 443.
Many government departments, research institutions, enterprises, institutions and individuals have implemented private cloud storage with QNAP devices, storing large amounts of information including important documents, technical data, personal photos and videos. A network attack on these devices would cause great losses to these institutions and individuals.
Users of QNAP and other network storage devices should strengthen their security in the following ways:
- Set strong passwords for device accounts
- Change the default HTTP and HTTPS ports
- Close unnecessary services and ports
- Update the firmware and operating system promptly, preferably with automatic updates enabled
- Back up files regularly