Archive for QNAP

How To Secure Your QNAP NAS (Or Any Other NAS For That Matter)

Posted in Commentary with tags on September 10, 2022 by itnerd

Yesterday I posted a story asking who is to blame for QNAP’s security issues (Spoiler alert: Mostly everyone). But I got a couple of emails asking how they should secure their NAS. Now QNAP have put out their own recommendations here. But if I were you, I would go further. This is what I would suggest.

  • Download and install all updates for your NAS: By doing this, you increase the level of your security posture by ensuring that any known vulnerabilities are addressed. I say known vulnerabilities because threat actors are looking to exploit unknown ones for as long as they can. Thus this is not a perfect solution. But it does reduce your attack surface significantly which is a good thing.
  • If you must for whatever reason access your NAS remotely, disable the admin account: Having remote access on a NAS and a live admin account are completely incompatible. You should have one or the other and not both at the same time as having a live admin account on an Internet facing NAS is just asking for trouble.
  • Disable UPnP on your router: I suggest this because even if you don’t think you have your NAS exposed to the Internet, if you have UPnP enabled, the NAS can open a port mapping on the router by itself and end up exposed anyway. And the security issues with UPnP make that a very obvious attack vector for hackers. I wrote about those risks here if you want to go down the rabbit hole. And even if you don’t have a QNAP NAS, you should turn off UPnP anyway to maintain your security posture.
  • Disable UPnP on your NAS: This is similar to what I said above. Because even if you have it disabled on your router, having it live on your NAS could potentially cause you to get pwned. Thus you should dig through your network settings and disable UPnP on your NAS.
  • Use strong passwords: In 2022 I really shouldn’t have to be saying this. But based on the number of times I have done a security assessment of a client and found the company name, the company phone number or even the word “password” as the password for some critical service or system, I guess I will have to say this one more time. Use strong passwords to make the threat actor’s job harder than trying to brute force their way into something via a dictionary attack or just outright taking a few guesses. Microsoft has tips on how to do that here.
  • Disable SSH and Telnet: If you don’t know what SSH and Telnet are, and you don’t have a real use case for running them, you shouldn’t be running them, as having a NAS exposed to the Internet with SSH and Telnet enabled is like asking to be pwned. And the scary thing is that both Telnet and SSH are often enabled by default. Thus disable them ASAP to improve your security posture.
  • Back up your NAS: If your NAS is not backed up, then anything from a hard drive failure to ransomware will cost you your data. Use an external hard drive, or back up to a cloud service. Whatever you do, please back up your data. That way if the worst happens, you still have your data.

These tips are not only for QNAP NAS users, but all NAS users. Because with threats like DeadBolt out there, you need to do everything possible to protect yourself. Do you have any other tips that you’d like to share? If so, post them in the comments below.

Who’s To Blame For The QNAP Security Mess? My $0.02 Worth…

Posted in Commentary with tags on September 9, 2022 by itnerd

Yesterday, I wrote about QNAP’s latest security issue with DeadBolt ransomware. And I highlighted that by my count I’ve written about this 8 times this year, which is insane. But after I wrote that article, I thought about this and wondered if this is all QNAP’s fault. Or if there’s more to it than that. Which is where this article came from. In short, I believe that while QNAP shoulders a lot of blame, users (including myself to a degree) have to shoulder some blame as well. Let me explain by starting with QNAP.

There’s clearly something wrong with QNAP in terms of the quality of their code, their QA practices, their ability to find security issues, or something else for them to repeatedly be targets of DeadBolt. After all, a ransomware gang wants to have access to the largest number of targets possible to maximize their chances of making money. Thus if other NAS vendors had the same issues, you would see those vendors being affected by DeadBolt. But outside of one instance where ASUS users were a target of DeadBolt, and one instance of Terramaster users being hit by DeadBolt, I haven’t heard about DeadBolt from other vendors of NAS products. Now to be clear, other types of ransomware have hit other NAS vendors, but nothing on the scale of what is happening to QNAP. Thus QNAP really needs to get its house in order or potential customers are going to simply look elsewhere for their next NAS, as clearly their products will not be seen as secure.

On the flip side, there are two things a threat actor like whoever is behind DeadBolt needs in order to pwn a QNAP NAS:

  • A vulnerability that they can exploit
  • The opportunity to do so.

Let’s start with the vulnerability part of this. I religiously update my NAS to whatever the latest firmware is within a day of it being available. I do that because I want to make sure that I am not leaving myself open to getting pwned by hackers as they will often reverse engineer what a vulnerability might be based on what the fix is in the current firmware. Thus giving themselves an attack vector in earlier versions of firmware. Now everybody isn’t yours truly, and you may put off updating the firmware in your NAS (never mind an Android update, or Windows update) until days or weeks or months later. Or you may never do it at all. That leaves you wide open to attack and that I have to say is on you if you get pwned.

Now let’s look at the opportunity part of this. DeadBolt, as far as I am aware, can only attack your NAS if you have the NAS exposed to the Internet. If you expose anything to the Internet, you are risking a threat actor taking the opportunity to pwn it. I say that because even if you have updated all the things on the NAS, there’s still the possibility that a flaw exists that nobody knows about. Which means that if the threat actor finds it before one of the good guys finds it, the threat actor wins and you get pwned. And that’s on you for exposing the NAS to the broader Internet. In my case, I expose nothing to the Internet. And that includes my NAS, which reduces the odds of this happening to me significantly. You’ll note that I said “reduces” and not “eliminates”. Because it is always possible for anyone, anywhere to get pwned by hackers. But the idea is that you don’t want to make it easy for them by exposing anything from a smart light bulb to a NAS to the broader Internet.

Now I do know that many people out there will say that they have a legitimate need to have their NAS exposed to the Internet. But here’s what I would say about that. If my clients say that they have a need to expose a NAS which may contain personal or business related files to the Internet, I would counter with why their need doesn’t outweigh the security risk or the potential loss or theft of those files. Not to mention the possibility of ransomware, or of a threat actor using that NAS to get to their broader network. And not one of my clients has disagreed when this was highlighted to them. Because they understand that security must always come ahead of doing something that is easy and quick.

There’s one other thing that I should point out. If you don’t back up your NAS to another location, be it another NAS, a cloud service or a hard drive, it makes a potential attack more effective as you’ve got no plan “B”. Or put another way, say that your NAS was pwned by ransomware. If you had a backup you could easily say “well, that sucks”. Then you could factory reset the NAS, which would likely remove the ransomware, set it up again, restore your backup and move on with your life. All without paying the threat actors a cent. If enough people did that, the people behind DeadBolt and other types of ransomware would be out of business tomorrow because they wouldn’t have the opportunity to profit from their attacks.

Now I know that what I’ve just said above has the potential of opening me up to being lit up like a Christmas tree in a bonfire. And I am fine with that as I am calling it as I see it. But what are your thoughts? Drop a comment below and share them, but please keep it civil.

QNAP Yet Again Warns Users About DeadBolt Ransomware And Pushes Software Updates To Mitigate Attacks

Posted in Commentary with tags on September 8, 2022 by itnerd

From the “this is sounding like a broken record” department comes this latest warning from NAS company QNAP. The company apparently has fixed an issue that opened the door to the DeadBolt ransomware that has been plaguing the company for over a year at this point. According to the security advisory that was published over the weekend, users need to update to the latest version of QNAP’s Photo Station software to mitigate the threat. Plus the security advisory also has tips to further mitigate the threat that DeadBolt poses. Which amount to not exposing your NAS to the Internet and making sure that all the software on the NAS is up to date.

Now the reason why I started this post with “this is sounding like a broken record” is that I have posted about DeadBolt attacks on QNAP NAS devices here, here, here, here, here, here, here and here. And that was within this calendar year. The only other company that I have heard has had issues with DeadBolt is ASUS. I am not hearing about this from any other NAS vendor, which is only reinforcing my desire to move to another NAS. Because I don’t expose my NAS to the Internet, this isn’t a today problem. But clearly QNAP have some serious security issues that they simply seem to be unable to solve. Which means, since I take my security very seriously, I should be on some other NAS product unless QNAP give me a very compelling reason to stick with them. And constant disclosures of issues with DeadBolt aren’t a compelling reason to stick with them.

QNAP NAS Users Targeted With A New Ransomware Strain…. Sigh…..

Posted in Commentary with tags on July 7, 2022 by itnerd

QNAP cannot catch a break. Either that or the security of their NAS devices is so bad that it is easy for threat actors to target the users of their NAS devices. Either way, there’s a new strain of ransomware that QNAP is warning users about:

A new ransomware known as Checkmate has recently been brought to our attention. Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README” in each folder.

We are thoroughly investigating the case and will provide further information as soon as possible.

The way I read the warning, the attacks are focused on Internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks. Thus the easy way to protect yourself is to not expose your NAS to the Internet and to up your password game. But the question has to be asked. Why is it that QNAP devices are always the targets of these attacks? I don’t hear about this sort of thing from any other NAS vendors with the exception of Asustor perhaps. It continues to illustrate to me that QNAP needs to seriously up its security game because at the moment they’re clearly not meeting the mark.
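The Checkmate warning above describes a dictionary attack against Internet-exposed SMB: many failed logins from one source, cycling through usernames, followed by a success once a weak password is guessed. The following is an added example (not QNAP’s code and not from this blog) of the detection logic a defender would run over SMB authentication logs: it flags any source that exceeds a failure threshold inside a sliding window, counts how many distinct usernames it tried, and separately flags a successful login from a source that had already tripped the threshold, since that login is the compromised account. The log line format, the sample lines and the threshold are constructed assumptions; adapt `LOG_RE` to whatever your NAS or SIEM actually emits.

```python
"""Dictionary-attack detection over SMB authentication logs (added example).

Not QNAP's code and not from the blog: the log line format, the sample lines
and the default threshold below are constructed assumptions for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed line shape: "<ISO timestamp> smbd: auth <failed|ok> user=<name> from=<ip>"
LOG_RE = re.compile(r"^(\S+) smbd: auth (failed|ok) user=(\S+) from=(\S+)$")

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, source ip)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def detect(events: List[Event], threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Flag sources with >= threshold failures inside a sliding time window, and
    any successful login from such a source afterwards (the guessed account)."""
    recent: Dict[str, deque] = defaultdict(deque)   # failure timestamps per source, inside the window
    users: Dict[str, set] = defaultdict(set)        # distinct usernames tried per source
    bruteforce: Dict[str, Tuple[int, int]] = {}     # source -> (failures in window, distinct users)
    guessed: List[Tuple[str, str]] = []             # (source, user) for logins after an alert
    for ts, outcome, user, src in sorted(events):
        if outcome == "failed":
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while ts - q[0] > window:               # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                bruteforce[src] = (len(q), len(users[src]))
        elif src in bruteforce:                     # success from a source already flagged
            guessed.append((src, user))
    return {"bruteforce": bruteforce, "success_after_bruteforce": guessed}


# Constructed sample: one source cycling through usernames and then getting in,
# plus an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2022-07-05T10:00:01 smbd: auth failed user=admin from=203.0.113.7
2022-07-05T10:00:03 smbd: auth failed user=root from=203.0.113.7
2022-07-05T10:00:05 smbd: auth failed user=guest from=203.0.113.7
2022-07-05T10:00:08 smbd: auth failed user=backup from=203.0.113.7
2022-07-05T10:00:10 smbd: auth failed user=test from=203.0.113.7
2022-07-05T10:00:12 smbd: auth failed user=admin from=203.0.113.7
2022-07-05T10:00:15 smbd: auth ok user=backup from=203.0.113.7
2022-07-05T10:02:00 smbd: auth failed user=alice from=198.51.100.2
2022-07-05T10:02:09 smbd: auth ok user=alice from=198.51.100.2
"""

if __name__ == "__main__":
    result = detect(parse_log(SAMPLE_LOG))
    for src, (fails, distinct) in result["bruteforce"].items():
        print(f"{src}: {fails} failures in window across {distinct} usernames (dictionary attack)")
    for src, user in result["success_after_bruteforce"]:
        print(f"{src}: login as {user!r} after brute force; treat the account as compromised")
```

The sliding window is what separates a dictionary attack from a user who fat-fingers a password a couple of times; the distinct-username count is the second signal, since a legitimate user retries one account while a dictionary attack walks through many. The second list is the one that matters for response: a success after the threshold is the account whose password needs to be changed, and the source that should be blocked.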

For QNAP, The Hits Keep Coming As Yet Another Security Issue Disclosed

Posted in Commentary with tags on June 23, 2022 by itnerd

Seriously, QNAP can’t catch a break when it comes to security issues related to their NAS devices. Days after this security flaw was announced, comes a brand new one:

A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution. 

For CVE-2019-11043, there are some prerequisites that need to be met, which are:

  1. nginx is running, and
  2. php-fpm is running.

As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state. If nginx is installed by the user and running, then the update should be applied as soon as possible to mitigate associated risks.

So in English, if you run some non-default software on your QNAP NAS, you could get pwned. Some fixes are already out, but there are more fixes to come. To be honest, I see this vulnerability as an edge case. But given QNAP’s recent history of security issues, it will put the NAS vendor under even more scrutiny than it is now.

QNAP Again Warning Of DeadBolt Ransomware Attacks… And That’s Not The Only Ransomware Attacking QNAP Devices

Posted in Commentary with tags on June 19, 2022 by itnerd

The issues with QNAP NAS devices related to ransomware continue as there is a brand new warning from the company about the re-emergence of DeadBolt Ransomware:

QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.x.

We are thoroughly investigating the case and will provide further information as soon as possible.

The warning also includes advice as to how to secure your QNAP NAS from getting pwned. But QNAP has more ransomware variants to worry about. BleepingComputer is reporting that eCh0raix ransomware is a new concern for them:

This week, ech0raix ransomware has started targeting vulnerable QNAP Network Attached Storage (NAS) devices again, according to user reports and sample submissions on the ID Ransomware platform.

ech0raix (also known as QNAPCrypt) had hit QNAP customers in multiple large-scale waves starting with the summer of 2019 when the attackers brute-forced their way into Internet-exposed NAS devices.

Since then, several other campaigns have been detected and reported by this ransomware strain’s victims, in June 2020, in May 2020, and a massive surge of attacks targeting devices with weak passwords that started in mid-December 2021 (right before Christmas) and slowly subsided towards early February 2022.

A new surge of ech0raix attacks has now been confirmed by a quickly increasing number of ID Ransomware submissions and users reporting being hit in the BleepingComputer forums [12], with the earliest hit recorded on June 8.

Now one thing that this ransomware attack has highlighted is that this ransomware has hit Synology NAS devices in the past. But clearly QNAP is the main target here as those NAS devices keep getting hit. That suggests to me that either Synology has improved the security of their NAS devices to stop this from happening, or QNAP needs to seriously up its game as they might be lacking in that area. Either way, this is more bad news for QNAP owners. Myself included.

DeadBolt Is Back To Attack QNAP NAS Devices

Posted in Commentary with tags on May 20, 2022 by itnerd

QNAP put out a warning yesterday alerting users to secure their devices against attacks pushing the now notorious DeadBolt ransomware which has gone after both QNAP and ASUS NAS devices in the past. The warning from QNAP asks users to do the following:

  • Update the NAS device to the latest software version
  • Ensure that the NAS is not exposed to remote access over the Internet
  • Disable the Port Forwarding function of the router
  • Disable the UPnP function of the QNAP NAS. Though for bonus points, I would also disable UPnP on the router as that’s a huge security risk.
  • Turn off SSH and Telnet connections
  • Change the system port number
  • Change device passwords
  • Enable IP and account access protection
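Both QNAP’s list above and the September “How To Secure Your QNAP NAS” post say the same thing about SSH, Telnet, UPnP and the admin interface: if you have no real use for them, they should not be listening where other hosts can reach them. As an added example (not QNAP’s code and not from this blog), here is a small Python audit that parses a `netstat -tln` / `netstat -uln` style listing taken on the NAS and reports which of those services are bound to a non-loopback address, i.e. reachable from off the box. The port-to-service map (including 8080 as the web admin port) and the sample listing are constructed assumptions. Note the limit of the check: a LAN-reachable port is only Internet-reachable if the router forwards it, whether by hand or via UPnP, and that is exactly the part a check run on the NAS cannot see, which is why the router-side items on the list still matter.

```python
"""Exposure audit of a NAS's listening services (added example, not QNAP's code).

Parses `netstat -tln` / `netstat -uln` style output and flags remote-access
services bound to non-loopback addresses. The port-to-service map and the
sample listing below are constructed assumptions for this example.
"""
import re
from typing import List, NamedTuple, Tuple

# Services the hardening checklist says to disable unless genuinely needed.
# Port numbers are the common defaults; 8080 as the web admin port is an assumption.
RISKY_PORTS = {
    22: "SSH",
    23: "Telnet",
    445: "SMB",
    1900: "UPnP/SSDP discovery",
    8080: "Web admin (HTTP)",
}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


# Matches "tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN" and the udp variant (no State column).
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_netstat(text: str) -> List[Listener]:
    """Return one Listener per socket line; the header and unparsable lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for addresses only reachable from the NAS itself."""
    return addr == "::1" or addr.startswith("127.")


def audit(listeners: List[Listener]) -> List[Tuple[int, str, str]]:
    """Return (port, service, bind address) for risky services reachable from other hosts."""
    findings = [
        (l.port, RISKY_PORTS[l.port], l.addr)
        for l in listeners
        if l.port in RISKY_PORTS and not is_loopback(l.addr)
    ]
    return sorted(findings)


# Constructed sample: what `netstat -tln; netstat -uln` might print on an unhardened NAS.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:1900            0.0.0.0:*
"""

if __name__ == "__main__":
    for port, service, addr in audit(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{service} is listening on {addr}:{port}; disable it or restrict it to the LAN")
```

The database on 127.0.0.1:3306 in the sample is deliberately not reported: the point is not “fewer open ports” in the abstract but “nothing a remote host can talk to that you did not consciously decide to expose”. Re-run the audit after applying the checklist and the findings list should be empty, or contain only the one service you have a documented need for.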

While I applaud QNAP for getting this out there, I have to wonder why QNAP and ASUS seem to be the only companies who are vulnerable to DeadBolt. I don’t hear about this with other NAS vendors, so it’s not only a question worth asking, but it’s also worth considering switching to a NAS that doesn’t have these issues.

Palo Alto Networks Warn Users Of Their Gear Of “Infinite Loop” Bug

Posted in Commentary with tags on April 7, 2022 by itnerd

Bleeping Computer has reported that Palo Alto Networks has warned customers that some of its firewall, VPN and XDR products are vulnerable to a high severity OpenSSL infinite loop bug which was disclosed three weeks ago. The vulnerability, if exploited, can trigger a DoS attack and can remotely crash devices running unpatched software. 

Darren Williams, CEO, BlackFog had this to say:

“Attacks on VPN’s and other services such as SSL continue to be great targets for cyber criminals. The rewards are huge with access to unlimited data from corporations that use these services and tunnel their data through a third party. VPN’s were never designed to be security solutions, but a means to connect to corporate networks. Organizations should be focused on next generation cybersecurity solutions that operate on the device itself and protect the data exfiltration from the device. Perimeter defense techniques while important, are just part of the overall design of modern cybersecurity.”

I should also note that the infinite loop bug also affects QNAP NAS devices. Thus owners of those NAS devices should follow the advice in this note from QNAP on this issue and patch their devices when patches become available.

QNAP Extends Security Updates To EOL Devices To Head Off More Ransomware Attacks… Or To Keep Customers From Dumping Them

Posted in Commentary with tags on February 17, 2022 by itnerd

QNAP is a company that is under some degree of pressure thanks to a string of ransomware attacks that led to perhaps thousands of Internet-facing NAS devices getting pwned by threat actors. And it didn’t help that they force-fed updates to users of their NAS devices that caused various degrees of havoc. Though they later told users to update their firmware to avoid getting pwned. Though there were suggestions that you might be pwned regardless.

That brings us to the present day and QNAP is announcing that they are extending security updates to products that are end of life:

The extended end date of Technical Support and Security Updates applies as below:

CPU Architecture: x86 64-bit models, or ARM models that support one of the NAS OS versions listed in the next column
Last Supported NAS OS Version for the Model: QTS 4.2.6, QTS 4.3.3, QTS 4.3.6, QTS 4.4.1
Extended Date: Effectively till October 2022

The support for EOL models will be limited to high or critical security updates until the end of Technical Support and Security Updates date. For users to protect data from security threats growing along with the technology, QNAP recommends that users do not connect the EOL device to the internet while following the advice in “What is the best practice for enhancing NAS security?”.

Please visit www.qnap.com/go/product/status to see the end date on the “Technical Support and Security Updates” column for each EOL model.

The company admits that this is a “special effort to help users protect their devices from today’s security threats”. Which is likely true. But it also is likely an attempt to keep people like yours truly from dumping their QNAP NAS devices and moving to competing brands such as Synology as I don’t hear about such widespread pwnage with those devices, or other devices that QNAP competes against. Perhaps QNAP would be better served by bringing in some help to get to the bottom of why their NAS devices keep getting pwned so often? And then sharing that with anyone who will listen? Just a thought.

QNAP Says To Update The Firmware On Your NAS To Avoid Being Pwned…. But Some People Claim To Be Pwned Even If They Do Update The Firmware

Posted in Commentary with tags on February 2, 2022 by itnerd

You might recall that I wrote about unknown threat actors targeting Internet exposed QNAP devices with ransomware. And that QNAP was force feeding updates to users to try and address this. This story continues with a press release being put out by QNAP yesterday which says among other things, this:

Recently the QNAP Product Security Incident Response Team (PSIRT) detected that cybercriminals are taking advantage of a patched vulnerability, described in the QNAP Security Advisory (QSA-21-57), to launch a cyberattack. On January 27, 2022, QNAP set the patched versions of system software as “Recommended Version”. If auto update for “Recommended Version” is enabled on your QNAP NAS, the system will automatically update to certain OS version to enhance security and protection of your QNAP NAS, mitigating the attack from criminals.

According to QNAP, the security bug has been addressed in the following versions of QTS and QuTS hero:

  • QTS 5.0.0.1891 build 20211221 and later
  • QTS 4.5.4.1892 build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTS hero h4.5.4.1892 build 20211223 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later
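The advisory lists a minimum fixed version per branch, each phrased as “X and later”, which is the sort of list an administrator ends up checking an inventory of NAS versions against. The following is an added example (not QNAP’s code and not from this blog) of that check: it parses a version string of the form shown above, finds the matching product and branch, and compares revision and build date against the listed minimum. Two design points are deliberate. A branch the advisory does not name (QTS 4.3.6, say) returns `None` rather than `True`, because “not listed” means unknown, not safe. And, per the forum report discussed below, `True` only means this advisory’s fix is present, not that the device is invulnerable. The reading of “and later” as same branch with same-or-higher revision and build date, and the sample version strings in the test, are assumptions of this example.

```python
"""Check a QNAP firmware version string against the patched versions from the
February 2022 advisory (added example, not QNAP's code).

The five fixed versions are the ones listed on the page. Reading "X and later"
as "same branch, same-or-higher revision and build date" is an assumption of
this example; a branch the advisory does not list is reported as unknown.
"""
import re
from typing import Optional, Tuple

# (product, branch) -> (minimum revision, minimum build date), taken from the advisory text.
FIXED = {
    ("QTS", "5.0.0"): (1891, 20211221),
    ("QTS", "4.5.4"): (1892, 20211223),
    ("QuTS hero", "h5.0.0"): (1892, 20211222),
    ("QuTS hero", "h4.5.4"): (1892, 20211223),
    ("QuTScloud", "c5.0.0"): (1919, 20220119),
}

# e.g. "QTS 5.0.0.1891 build 20211221" or "QuTS hero h5.0.0.1892 build 20211222"
VER_RE = re.compile(
    r"^(QTS|QuTS hero|QuTScloud)\s+([hc]?\d+\.\d+\.\d+)\.(\d+)\s+build\s+(\d{8})$"
)


def parse_version(s: str) -> Tuple[str, str, int, int]:
    """Split a version string into (product, branch, revision, build date)."""
    m = VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def is_patched(s: str) -> Optional[bool]:
    """True if the version is at or past the advisory's fixed version for its
    branch, False if it is older, None if the branch is not in the advisory."""
    product, branch, rev, build = parse_version(s)
    fixed = FIXED.get((product, branch))
    if fixed is None:
        return None  # branch not covered by the advisory: unknown, not safe
    return (rev, build) >= fixed


if __name__ == "__main__":
    # Constructed sample inventory; the last two strings are made up for illustration.
    for ver in ["QTS 5.0.0.1891 build 20211221", "QTS 5.0.0.1850 build 20211101",
                "QTS 4.3.6.1907 build 20220103"]:
        print(f"{ver}: {is_patched(ver)}")
```

Returning a three-valued result instead of a boolean is the practical point: a dashboard that colours every “not older than the fix” device green would colour an unlisted branch green too, and that is the device whose status you actually do not know.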

But here’s where this may not be the case. A customer said in the QNAP forum that they were pwned even when they had the recommended firmware version installed. That implies that the threat actors are likely exploiting a different vulnerability that QNAP is either not aware of, or hasn’t patched, or both. Which is bad news for QNAP users.

In my case since I own a QNAP NAS, I am looking at QNAP’s main rival Synology to see which one of their products is right for me. At this point it’s pretty clear that there are some serious security issues with QNAP products that don’t seem to be going away. Thus in the interest of being safe and secure, I will have to dump their products. And I suspect that other QNAP users may feel the same way because this crisis for QNAP simply isn’t going away.