Tag Archive for: QNAP

InfectedSlurs botnet targets QNAP VioStor NVR vulnerability


Pierluigi Paganini
December 17, 2023

The Mirai-based botnet InfectedSlurs was spotted targeting QNAP VioStor NVR (Network Video Recorder) devices.

In November, Akamai warned of a new Mirai-based DDoS botnet, named InfectedSlurs, actively exploiting two zero-day vulnerabilities to infect routers and video recorder (NVR) devices.

The researchers discovered the botnet in October 2023, but they believe it has been active since at least 2022. The experts reported the two vulnerabilities to the respective vendors, which plan to release the fixes in December 2023.

At the time, the company did not reveal the names of the impacted vendors. The researchers determined that the bot also used default admin credentials to install the Mirai variants.

A close look at the ongoing campaign revealed that the bot also targets wireless LAN routers built for hotels and residential applications.

On December 6, the Akamai Security Intelligence Response Team (SIRT) published the first update to the InfectedSlurs advisory series. The security firm revealed that threat actors were exploiting a vulnerability, tracked as CVE-2023-49897 (CVSS score 8.0), that impacted several routers, including Future X Communications (FXC) AE1021 and AE1021PE wall routers running firmware versions 2.0.9 and earlier.

The Akamai SIRT this week published an additional update after one of the affected vendors, QNAP, released advisory information and guidance. 

The experts reported that the InfectedSlurs botnet is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-47565 (CVSS score 8.0), in QNAP VioStor NVR (Network Video Recorder) devices.

The vulnerability affects VioStor NVR versions 5.0.0 and earlier (5.0.0 was released on June 21, 2014).

“QNAP considers these devices discontinued for support; however, the vendor recommends upgrading VioStor firmware on existing devices to the latest available version. This issue had previously been patched, although it was never publicly reported/disclosed,” reads the advisory published by Akamai.

The Akamai SIRT discovered that the bot was running an exploit targeting QNAP VioStor NVR devices…

DeadBolt ransomware takes another shot at QNAP storage • The Register


QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices’ QTS or QuTS hero operating systems to the latest versions.

The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor’s users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

The previous attacks occurred in January, March, and May.

Taiwan-based QNAP recommended that enterprises whose NAS systems have “already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page.”

They should contact QNAP Assistance if they want to input a decryption key given by the attackers but are unable to find the ransom note after upgrading the firmware.

The cybercriminals behind DeadBolt primarily target NAS devices. QNAP systems are the main targets, though in February the group attacked NAS devices from Asustor, a subsidiary of systems maker Asus, said analysts with cybersecurity firm Trend Micro.

QNAP and its customers are examples of a growing interest by cybercriminals in NAS, Trend Micro wrote in a January report. Businesses are relying more on the Internet of Things (IoT) for constant connectivity, workflow continuity and access to data, the analysts said.

“Cybercriminals have taken notice of this dependence and now regularly update their known tools and routines to include network-attached storage (NAS) devices to their list of targets, knowing full well that users rely on…

QNAP investigating new Deadbolt ransomware campaign


Taiwanese hardware vendor QNAP said on Friday that it is investigating yet another Deadbolt ransomware campaign targeting users of its network-attached storage (NAS) devices.  

The company did not respond to requests for comment but released an advisory saying it recently detected a new batch of DeadBolt ransomware victims. 

“According to victim reports so far, the campaign appears to target QNAP NAS devices running outdated versions of QTS 4.x. We are thoroughly investigating the case and will provide further information as soon as possible,” the company said.

QNAP urged customers to update their QTS or QuTS hero systems to the latest version as soon as possible. 

For those who have already been compromised, QNAP said they should take a screenshot of the ransom note – in order to keep the Bitcoin address – then “upgrade to the latest firmware version.”

“The built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page,” QNAP explained. 

“If you want to input a received decryption key and are unable to locate the ransom note after upgrading the firmware, please contact QNAP Support for assistance.”

Almost exactly one month ago, QNAP released a similar warning after several customers reported Deadbolt ransomware infections.

There continues to be significant debate among QNAP NAS users about whether even updated versions of the system are still vulnerable to the ransomware, which emerged in January. It is unclear where members of the Deadbolt ransomware group are based.

In January, dozens of people turned to QNAP message boards and Reddit to say they logged on only to find the Deadbolt ransomware screen. People reported losing decades of photos, videos and irreplaceable files.

Other companies’ devices also have been attacked. Users of Asustor’s NAS…

QNAP urges customers to disable UPnP port forwarding on routers


Taiwanese hardware vendor QNAP urged customers on Monday to disable Universal Plug and Play (UPnP) port forwarding on their routers to prevent exposing their network-attached storage (NAS) devices to attacks from the Internet.

UPnP is a set of insecure network protocols with no encryption or authentication that supports peer-to-peer communications between devices.

It also allows devices to dynamically join and leave networks, obtain IP addresses, advertise their capabilities, and learn about other UPnP devices on the network and their capabilities.

UPnP Port Forwarding allows network devices to communicate seamlessly and create groups for easier data sharing.

“Hackers can abuse UPnP to attack through malicious files to infect your system and gain control. Despite its convenience, UPnP may expose your device to public networks and malicious attacks,” QNAP said today.

“It is recommended that your QNAP NAS stay behind your router and firewall without a public IP address. You should disable manual port forwarding and UPnP auto port forwarding for QNAP NAS in your router configuration.”

As options for those who need access to NAS devices without direct access to the Internet, QNAP recommends enabling the router’s VPN feature (if available), the myQNAPcloud Link service, and the VPN server on QNAP devices provided by the QVPN Service app or the QuWAN SD-WAN solution.

Internet-exposed NAS devices at risk

QNAP also warned customers in January to secure their NAS devices immediately from active ransomware and brute-force attacks.

The company asked users to check if their NAS is accessible over the Internet and take the following measures to defend them from incoming compromise attempts:

  • Disable the Port Forwarding function of the router: Go to the management interface of your router, check the Virtual Server, NAT, or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 433 by default).
  • Disable the UPnP function of the QNAP NAS: Go to myQNAPcloud on the QTS menu, click the “Auto Router Configuration,” and unselect “Enable UPnP Port forwarding.”

QNAP also provides step-by-step instructions on disabling SSH and Telnet…
