Taiwan-based network-attached storage (NAS) maker QNAP urges customers to enable firmware auto-updating on their devices to defend against active attacks.
According to the company, the attackers target a vulnerability patched in December, allowing them to run arbitrary code on vulnerable systems.
“Recently the QNAP Product Security Incident Response Team (PSIRT) detected that cybercriminals are taking advantage of a patched vulnerability, described in the QNAP Security Advisory (QSA-21-57), to launch a cyberattack,” the NAS maker said today.
“On January 27, 2022, QNAP set the patched versions of system software as ‘Recommended Version.’ If auto update for ‘Recommended Version’ is enabled on your QNAP NAS, the system will automatically update to certain OS version to enhance security and protection of your QNAP NAS, mitigating the attack from criminals.”
You can find more information on the Auto Update feature and how it can be toggled on or off in today’s press release.
DeadBolt ransomware attacks
While the company did not name the threat actors behind these ongoing attacks, the warning comes after a wave of attacks targeting Internet-exposed QNAP devices with DeadBolt ransomware and asking victims to pay 0.03 bitcoins (approximately $1,100) for a decryption key.
It was later revealed that QNAP force installed the update needed to block attackers from exploiting the QSA-21-57 bug after thousands of customers had their data encrypted in DeadBolt attacks.
QNAP told BleepingComputer that they forced-installed this update as they believe the threat actors are using the remote code execution vulnerability fixed in the 188.8.131.521 firmware version and mentioned in today’s announcement.
According to QNAP, the security bug has been addressed in the following versions of QTS and QuTS hero:
- QTS 184.108.40.2061 build 20211221 and later
- QTS 220.127.116.112 build 20211223 and later
- QuTS hero h18.104.22.1682 build 20211222 and later
- QuTS hero h22.214.171.1242 build 20211223 and later
- QuTScloud c126.96.36.1999 build 20220119 and later
However, a customer said in the QNAP forum that they were encrypted even when they had this firmware version installed, indicating that the threat actors are likely exploiting a different vulnerability.
Including the DeadBolt ransomware alert, QNAP issued three warnings in the last 12 months to alert customers of ransomware attacks targeting their Internet-exposed NAS devices.