With the UK’s first free cyber incident response helpline having supported 100 enquiries since it was launched in 2020, the Scottish Business Resilience Centre (SBRC)…
QNAP Network Attached Storage (NAS) devices are a particular product that a number of ransomware operators are currently targeting. Previous strains have included QLocker and ech0raix, the latter was infecting systems just as recently as December 2021.
The current strain that has been actively infecting systems recently is named DeadBolt. It is particularly severe given that it was reported that infections were caused through exploitation of a zero day.
These systems are unlikely to be used in enterprise environments and instead, used by small businesses, sole contractors and in some cases, personal use. Also, owners of systems may not necessarily operate within the IT sector. QNAP NAS systems are commonly exposed to the Internet via port forwarding rules configured on ISP provided equipment.
If you own a QNAP NAS system, we recommend ensuring the following actions are taken:
- Disable port forwarding: Individuals will commonly configure a rule on their perimeter firewall (this can simply be ISP provided equipment) to allow traffic to the Internet to their NAS, which is extremely risky. We recommend systems are only exposed to trusted systems if Internet access is required
- Disable UPnP: This is a feature that allows a system to automatically configure port forwarding for itself (allowing Internet originating traffic)
There are also reports that QNAP forced systems to update to 22.214.171.1241 build 20211221 even when automatic updates were disabled. However, our research has identified that there are still a substantial number of systems in Scotland running older versions, which do not appear to have benefitted from this approach.
The latest available version of firmware available is 126.96.36.1991 build 20211221 at the time of writing. However, there are reports that a user has confirmed that a DeadBolt infection occurred despite updating to this version, though it is not known whether the system was compromised prior to the update and the encryption tooling detonated later and to date, QNAP have not commented on this case specifically.
We recommend that ingress access to the system from the Internet is removed, rather than rely solely on patching. This will help prevent the system from being exploited, in the event other vulnerabilities are discovered in future.
If you have been impacted by ransomware, or require assistance, please contact 01786 437 472 for additional support. We also recommend contacting Police Scotland on 101 if impacted, even if the ransom has been paid.
QNAP Vendor Specific Guidance: