Archive for QNAP

For QNAP, The Hits Keep Coming As Yet Another Security Issue Disclosed

Posted in Commentary with tags on June 23, 2022 by itnerd

Seriously, QNAP can’t catch a break when it comes to security issues related to their NAS devices. Days after announcing this security flaw, comes a brand new one:

A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution. 

For CVE-2019-11043, there are some prerequisites that need to be met, which are:

  1. nginx is running, and
  2. php-fpm is running.

As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state. If nginx is installed by the user and running, then the update should be applied as soon as possible to mitigate associated risks.

So in English, if you run some non-default software on your QNAP NAS, you could get pwned. Some fixes are already out, but there are more fixes to come. To be honest, I see this vulnerability as an edge case. But given QNAP’s recent history of security issues, it will put the NAS vendor under even more scrutiny than it is now.
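
The advisory's conditions (an affected PHP branch below its fixed release, plus nginx and php-fpm both running) can be checked from `php -v` and `ps -eo args` output. The following is an added example, not QNAP's or the author's code; the function names and sample lines are constructed, and it does not inspect the nginx configuration the advisory also mentions.

```python
import re

# Fixed PHP releases per branch, taken from the advisory text quoted above.
FIXED_PATCH = {(7, 1): 33, (7, 2): 24, (7, 3): 11}


def parse_php_version(version_output):
    """Pull (major, minor, patch) out of `php -v` style output."""
    m = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        raise ValueError("no PHP version found in input")
    return tuple(int(part) for part in m.groups())


def php_is_affected(version):
    """True/False for listed branches, None for branches the advisory does not list."""
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def service_running(ps_lines, name):
    """Check `ps -eo args` style lines for a process whose executable is `name`.

    Matches "nginx: master process ..." and "/usr/sbin/php-fpm7.2 -F", but not
    "grep nginx" or a log path that merely contains the name.
    """
    pattern = re.compile(r"^(?:\S*/)?" + re.escape(name) + r"[\d.]*(?::|\s|$)")
    return any(pattern.search(line.strip()) for line in ps_lines)


def assess(version_output, ps_lines):
    """Combine the version range with the two prerequisites from the advisory."""
    affected = php_is_affected(parse_php_version(version_output))
    if affected is None:
        return "branch not listed in advisory"
    if not affected:
        return "patched"
    if service_running(ps_lines, "nginx") and service_running(ps_lines, "php-fpm"):
        return "update now"
    return "vulnerable version, prerequisites not met"


# Constructed sample input (not captured from a real NAS).
SAMPLE_PS = [
    "/sbin/init",
    "nginx: master process /usr/sbin/nginx",
    "php-fpm: master process (/etc/php-fpm.conf)",
    "/usr/bin/tail -f /var/log/nginx/access.log",
]
SAMPLE_PHP = "PHP 7.2.19 (fpm-fcgi) (built: Jun  5 2019 10:11:12)"

if __name__ == "__main__":
    print(assess(SAMPLE_PHP, SAMPLE_PS))
    print(assess(SAMPLE_PHP, ["/sbin/init", "grep nginx"]))
    print(assess("PHP 7.3.11 (cli)", SAMPLE_PS))
```
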

QNAP Again Warning Of DeadBolt Ransomware Attacks… And That’s Not The Only Ransomware Attacking QNAP Devices

Posted in Commentary with tags on June 19, 2022 by itnerd

The issues with QNAP NAS devices related to ransomware continue as there is a brand new warning from the company about the re-emergence of DeadBolt Ransomware:

QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.x.

We are thoroughly investigating the case and will provide further information as soon as possible.

The warning also includes advice as to how to secure your QNAP NAS from getting pwned. But QNAP has more ransomware variants to worry about. BleepingComputer is reporting that eCh0raix ransomware is a new concern for them:

This week, ech0raix ransomware has started targeting vulnerable QNAP Network Attached Storage (NAS) devices again, according to user reports and sample submissions on the ID Ransomware platform.

ech0raix (also known as QNAPCrypt) had hit QNAP customers in multiple large-scale waves starting with the summer of 2019 when the attackers brute-forced their way into Internet-exposed NAS devices.

Since then, several other campaigns have been detected and reported by this ransomware strain’s victims, in June 2020, in May 2020, and a massive surge of attacks targeting devices with weak passwords that started in mid-December 2021 (right before Christmas) and slowly subsided towards early February 2022.

A new surge of ech0raix attacks has now been confirmed by a quickly increasing number of ID Ransomware submissions and users reporting being hit in the BleepingComputer forums [12], with the earliest hit recorded on June 8.

Now one thing that this ransomware attack has highlighted is that this ransomware has hit Synology NAS devices in the past. But clearly QNAP is the main target here as those NAS devices keep getting hit. That suggests to me that either Synology has improved the security of their NAS devices to stop this from happening, or QNAP needs to seriously up its game as they might be lacking in that area. Either way, this is more bad news for QNAP owners. Myself included.

DeadBolt Is Back To Attack QNAP NAS Devices

Posted in Commentary with tags on May 20, 2022 by itnerd

QNAP put out a warning yesterday alerting users to secure their devices against attacks pushing the now notorious DeadBolt ransomware which has gone after both QNAP and ASUS NAS devices in the past. The warning from QNAP asks users to do the following:

  • Update the NAS device to the latest software version
  • Ensure that the NAS is not exposed to remote access over the Internet
  • Disable the Port Forwarding function of the router
  • Disable the UPnP function of the QNAP NAS. Though for bonus points, I would also disable UPnP on the router as that’s a huge security risk.
  • Turn off SSH and Telnet connections
  • Change the system port number
  • Change device passwords
  • Enable IP and account access protection

While I applaud QNAP for getting this out there, I have to wonder why QNAP and ASUS seem to be the only companies who are vulnerable to DeadBolt. I don’t hear about this with other NAS vendors, so it’s not only a question worth asking, but it’s also worth considering switching to a NAS that doesn’t have these issues.

Palo Alto Networks Warn Users Of Their Gear Of “Infinite Loop” Bug

Posted in Commentary with tags on April 7, 2022 by itnerd

Bleeping Computer has reported that Palo Alto Networks has warned customers that some of its firewall, VPN and XDR products are vulnerable to a high severity OpenSSL infinite loop bug which was disclosed three weeks ago. The vulnerability, if exploited, can trigger a DoS attack and can remotely crash devices running unpatched software. 

Darren Williams, CEO, BlackFog had this to say:

“Attacks on VPN’s and other services such as SSL continue to be great targets for cyber criminals. The rewards are huge with access to unlimited data from corporations that use these services and tunnel their data through a third party. VPN’s were never designed to be security solutions, but a means to connect to corporate networks. Organizations should be focused on next generation cybersecurity solutions that operate on the device itself and protect the data exfiltration from the device. Perimeter defense techniques while important, are just part of the overall design of modern cybersecurity.”

I should also note that the infinite loop bug also affects QNAP NAS devices. Thus owners of those NAS devices should follow the advice in this note from QNAP on this issue and patch their devices when patches become available.

QNAP Extends Security Updates To EOL Devices To Head Off More Ransomware Attacks… Or To Keep Customers From Dumping Them

Posted in Commentary with tags on February 17, 2022 by itnerd

QNAP is a company that is under some degree of pressure thanks to a string of ransomware attacks that led to perhaps thousands of Internet facing NAS devices getting pwned by threat actors. And it didn’t help that they force fed updates to users of their NAS devices that caused various degrees of havoc. Though they later told users to update their firmware to avoid getting pwned. Though there were suggestions that you might be pwned regardless.

That brings us to the present day and QNAP is announcing that they are extending security updates to products that are end of life:

The extended end date of Technical Support and Security Updates applies as below:

| CPU Architecture | Last Supported NAS OS Version for the Model | Extended Date |
| --- | --- | --- |
| x86 64-bit models or ARM models that support one of the NAS OS versions on the right. | QTS 4.2.6, QTS 4.3.3, QTS 4.3.6, QTS 4.4.1 | Effectively till October 2022 |

The support for EOL models will be limited to high or critical security updates until the end of Technical Support and Security Updates date. For users to protect data from security threats growing along with the technology, QNAP recommends that users do not connect the EOL device to the internet while following the advice in “What is the best practice for enhancing NAS security?”.

Please visit www.qnap.com/go/product/status to see the end date on the “Technical Support and Security Updates” column for each EOL model.

The company admits that this is a “special effort to help users protect their devices from today’s security threats”. Which is likely true. But it also is likely an attempt to keep people like yours truly from dumping their QNAP NAS devices and moving to competing brands such as Synology as I don’t hear about such widespread pwnage with those devices, or other devices that QNAP competes against. Perhaps QNAP would be better served by bringing in some help to get to the bottom of why their NAS devices keep getting pwned so often? And then sharing that with anyone who will listen? Just a thought.

QNAP Says To Update The Firmware On Your NAS To Avoid Being Pwned…. But Some People Claim To Be Pwned Even If They Do Update The Firmware

Posted in Commentary with tags on February 2, 2022 by itnerd

You might recall that I wrote about unknown threat actors targeting Internet exposed QNAP devices with ransomware. And that QNAP was force feeding updates to users to try and address this. This story continues with a press release being put out by QNAP yesterday which says among other things, this:

Recently the QNAP Product Security Incident Response Team (PSIRT) detected that cybercriminals are taking advantage of a patched vulnerability, described in the QNAP Security Advisory (QSA-21-57), to launch a cyberattack. On January 27, 2022, QNAP set the patched versions of system software as “Recommended Version”. If auto update for “Recommended Version” is enabled on your QNAP NAS, the system will automatically update to certain OS version to enhance security and protection of your QNAP NAS, mitigating the attack from criminals.

According to QNAP, the security bug has been addressed in the following versions of QTS and QuTS hero:

  • QTS 5.0.0.1891 build 20211221 and later
  • QTS 4.5.4.1892 build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTS hero h4.5.4.1892 build 20211223 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later

But here’s where this may not be the case. A customer said in the QNAP forum that they were pwned even when they had the recommended firmware version installed. That implies that the threat actors are likely exploiting a different vulnerability that QNAP is either not aware of, or hasn’t patched, or both. Which is bad news for QNAP users.

In my case since I own a QNAP NAS, I am looking at QNAP’s main rival Synology to see which one of their products is right for me. At this point it’s pretty clear that there are some serious security issues with QNAP products that don’t seem to be going away. Thus in the interest of being safe and secure, I will have to dump their products. And I suspect that other QNAP users may feel the same way because this crisis for QNAP simply isn’t going away.
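
To audit several devices against the QSA-21-57 fixed versions listed above, the firmware strings can be parsed and compared per product line. This is an added example, not QNAP tooling; the host names and inventory are constructed, and choosing the floor by major version is an assumption about how "and later" applies.

```python
import re

# Fixed versions for QSA-21-57 as listed above: (version tuple, build date) per product.
FLOORS = {
    "QTS": [((5, 0, 0, 1891), 20211221), ((4, 5, 4, 1892), 20211223)],
    "QuTS hero": [((5, 0, 0, 1892), 20211222), ((4, 5, 4, 1892), 20211223)],
    "QuTScloud": [((5, 0, 0, 1919), 20220119)],
}

# Accepts e.g. "QuTS hero h5.0.0.1892 build 20211222" (the h/c prefix is optional).
FIRMWARE_RE = re.compile(
    r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})$"
)


def parse_firmware(text):
    """Return (product, (major, minor, patch, number), build_date)."""
    m = FIRMWARE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    version = tuple(int(g) for g in m.group(2, 3, 4, 5))
    return m.group(1), version, int(m.group(6))


def has_fix(text):
    """True if the firmware is at or after the listed fixed version.

    Assumption: a device is compared with the floor of its own major version;
    a major newer than every floor counts as "later", anything else as unfixed.
    """
    product, version, build = parse_firmware(text)
    floors = FLOORS[product]
    for floor_version, floor_build in floors:
        if floor_version[0] == version[0]:
            return (version, build) >= (floor_version, floor_build)
    return version[0] > max(fv[0] for fv, _ in floors)


def audit(inventory):
    """Return the hosts in {host: firmware string} that lack the fix, sorted."""
    return sorted(host for host, fw in inventory.items() if not has_fix(fw))


# Constructed inventory for illustration (host names and the older builds are made up).
SAMPLE_INVENTORY = {
    "nas-office": "QTS 5.0.0.1891 build 20211221",
    "nas-backup": "QTS 4.5.4.1800 build 20210923",
    "nas-lab": "QuTS hero h5.0.0.1892 build 20211222",
    "nas-old": "QTS 4.3.6.1831 build 20211019",
    "nas-cloud": "QuTScloud c5.0.0.1919 build 20220119",
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

A device that passes this check only has the QSA-21-57 fix in place; as noted above, one forum report describes a compromise on the recommended version.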

DeadBolt Ransomware Targets QNAP Devices In The Latest Ransomware Attack On QNAP Devices

Posted in Commentary with tags on January 26, 2022 by itnerd

If you own a QNAP NAS like I do, you’ve likely seen reports of various ransomware attacks on these devices over the last few months. The latest of these attacks is the DeadBolt ransomware which started to appear yesterday. It claims to leverage a zero day exploit and encrypts all your files unless you pay 0.03 bitcoins (approximately $1,100 USD). But as usual, paying the ransom will not guarantee that you get your files back.

One thing that’s unique about this latest ransomware strain is that the threat actors are also targeting QNAP:

On the main ransom note screen, there is a link titled “important message for QNAP,” that when clicked, will display a message from the DeadBolt gang specifically for QNAP.

On this screen, the DeadBolt ransomware gang is offering the full details of the alleged zero-day vulnerability if QNAP pays them 5 Bitcoins worth $184,000.

They are also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims and the zero-day info for 50 bitcoins, or approximately $1.85 million.

“Make a bitcoin payment of 50 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8,” the threat actors wrote in a message to QNAP.

“You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to security@qnap.com.”

That’s novel.

This follows other ransomware attacks on QNAP devices. Specifically Qlocker and eCh0raix which have been around for a while. All of these ransomware strains have one thing in common. They target Internet exposed QNAP NAS devices. Thus your first course of action needs to be to take your QNAP NAS off the Internet and stick it behind a firewall. These instructions can help you with that. Your next course of action is to follow these instructions which have suggestions from QNAP as to securing your NAS. Now in my case, my NAS isn’t exposed to the Internet. In fact it never has been as I’ve always considered that to be a massive security risk. I also run QNAP’s Malware Remover to add an extra level of security.

But that doesn’t change the fact that QNAP clearly has some serious security issues that allow these ransomware attacks to take place as I don’t hear about similar attacks from other NAS vendors. Thus it would make sense for me to consider purchasing another brand of NAS as clearly QNAP NAS devices have some extremely serious security issues that clearly haven’t been addressed. Which means that QNAP really needs to step up their security game or more bad things will happen to them. Such as lost market share.

Review: QNAP TS-431 NAS With Western Digital 1TB RED NAS Drives

Posted in Commentary with tags on January 4, 2016 by itnerd

I needed a new NAS box at home. NAS stands for Network Attached Storage by the way and in short it is a box that you plug into your network where you put one or more hard drives into so that everyone on your network can get access to the data stored on said NAS. I had been using a D-Link DNS-323 NAS with 1TB of storage for years. But I needed more storage than that. So I went on a mission to get a NAS box that I could grow into. After some research, I settled on the QNAP TS-431.

The QNAP TS-431 is a NAS box that allows you to put four hard drives into it. From there, you can configure them in the following ways:

  • Single Disk: You use one disk and serve it up to those on your network.
  • JBOD: This is where you use multiple hard drives, but not in a RAID configuration, thus providing neither redundancy nor performance improvements. Hard drives may be handled independently as separate logical volumes, or they may be combined into a single logical volume using fancy software tricks. If you go this route (which I wouldn’t except for specific use cases), make sure that your data is always backed up.
  • RAID 0: This is when you take two or more disks and combine them to get large amounts of storage. For example, if you have four 1TB drives, you can use RAID 0 to get 4TB of storage. But if one drive fails, your data is gone. If you go this route (which I wouldn’t except for specific use cases), make sure that your data is always backed up.
  • RAID 1: This consists of an exact copy of a set of data on two or more disks. A classic RAID 1 mirrored pair contains two disks. If one drive fails, your data is safe on the other drive.
  • RAID 5: This consists of three or more drives where they are combined to provide a single storage volume. To protect your data, roughly 2/3 of each drive is used for data and roughly 1/3 of each drive is used for what is called parity information which can help to rebuild your data in the event of the failure of a single drive.
  • RAID 6: This extends RAID 5 by adding more parity information to better help rebuild your drive in the event of a failure of a single disk. But you give up storage space in exchange.
  • RAID 10: This is a combination of RAID 0 and 1 with the purpose being to provide additional redundancy.
  • RAID 5 + spare: This is a RAID 5 setup with a spare drive that can step in to automatically replace a failed drive. In a classic RAID 5 setup, a user has to physically swap the drive out and start the recovery process.

This is the sort of data storage and protection options that until the last few years, only big businesses got access to after spending a pile of cash. These days, anyone has access to this level of data storage and protection.

So, in addition to the TS-431, I got my hands on four 1TB Western Digital RED drives. Why these drives? Unlike desktop hard drives, they’re specifically designed to run in a NAS box 24/7. Thus they won’t fail in this use case. My plan was to take all four drives and configure them for RAID 5. That would give me roughly 2.7TB of storage. Installing the drives into the NAS is easy. You have to put the drives into some plastic trays that allow you to remove and replace drives while the NAS is running. Simply get a screwdriver and screw the drives into the trays using the supplied screws.

Setup was kind of interesting. I tried to go to https://start.qnap.com to run through their automated setup. However that turned into a #fail when it tried to go to https://install.qnap.com and came back with an error 502 which is a bad gateway. In short, it couldn’t reach the website that I needed to go to next. So I resorted to plan “B”. I used a piece of software called QNAP Finder which comes in PC and Mac flavors to access and set up the NAS box. I’m glad that I went this route as I was able to configure the NAS exactly the way I wanted it, including the following:

  • This NAS box supports NFS for LINUX, AFP for Mac, and CIFS/SMB for Windows. That’s important as using the right network protocol can affect the speed of your NAS. Since we’re a Mac only home, I turned off everything but AFP.
  • It has two USB ports in the back and one in the front, so I configured one of the rear ones for a USB laser printer and the other for a UPS. The latter was configured to shut down if power goes out for more than 15 minutes, and start back up once power is restored. The former is being shared to all users of the home network.
  • It has two Gigabit Ethernet ports which I configured for Active Backup. Active Backup uses just one adapter, but it switches to the second adapter if the first adapter fails. I plugged one Ethernet cable into my router and one into my 4 port switch. There are other configurations that you can use to maximize speed or redundancy.
  • I had to update to the latest QNAP Turbo NAS System software (version 4.2 build 20151118 in my case) which makes this NAS box easy to manage using a web browser. The TS-431 has an iTunes-like app store where one can download additional “apps” to add functionality. Beyond the included Photo Station, Music Station and Download Station, apps such as Surveillance Station (Network surveillance and video management system), Notes Station (private cloud based notebooks) and Cloud Link (Remote access service) are available. Also available are developer tools such as Python, Perl, phpMyAdmin and Mantis to name a few. To view a complete list of available apps, visit QNAP’s App Center web page.
  • I set it up to notify myself and my wife via e-mail if anything bad happened to the NAS. I could have used push notifications via the QNAP app for iPhone, but I figured that using e-mail was good enough.
  • I turned off the network trash can to get additional storage as this NAS is simply being used to back up all the Macs in the house to and serve up media.

So, once it was set up and I had copied my data over, I got a chance to do some experimenting. Since I have a Roku 3, I tried out a Roku channel called Qmedia which allows you to stream media from your TS-431 to your Roku. Setting it up is dead easy as described here and it works well as long as you have media that the Roku supports. For example, the Roku 3 doesn’t play .avi files. Now the TS-431 does have the ability to transcode media from one format to another. But I’m not taking advantage of that as it cannot do that in real time and this isn’t why I got this NAS box. If real time transcoding is important to you, QNAP makes other NAS boxes that have this ability. Another thing that I should note is that the TS-431 supports DLNA and AirPlay streaming so you can get your media displayed on almost any device. Finally, you can create your own private cloud so that your files are always accessible via the Internet. However, I did not leverage this feature as I want my files to stay behind my firewall.

But the real question is, how does this setup work in terms of speed? Very well in fact. My old NAS took about 4 hours and 25 minutes to do the weekly backup of my MacBook Pro. Now it takes 2 hours and 40 minutes. That performance is pretty good. Another note is that this NAS is very quiet which is important for home use.

What’s the price of this setup? I paid $395 CDN for the QNAP TS-431. I also paid $89 CDN for each of the four 1TB Western Digital Red hard drives. That works out to a total of $751 CDN. If you need a NAS box for home use and want to get the same level of data security while being able to serve up media to your devices and so much more, this is a very good option. Check it out at your local computer retailer.