Beware potential ransomware attacks on QNAP NAS products

May 20, 2022

QNAP Systems is urging its users to check and update their network attached storage (NAS) devices to the latest version to avoid exposure to the Deadbolt ransomware. Users should also avoid exposing their NAS to the Internet, the Taiwan-based NAS maker said in the advisory. The affected models include the TS-x51 series and TSA-x53 series.

QNAP NAS devices have been a frequent target of ransomware groups, including the OLocker and ech0raix ransomware, according to Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows. “Much of this activity surrounds the use of Universal Plug and Play (UPnP) protocol, which allows apps and other devices on your network to open and close ports automatically to connect with each other,” he explains. Used for a variety of purposes, UPnP protocol allows the convenience of quickly connecting devices to a network, but at a security cost, Morgan says.

QNAP has clarified that in the wake of attacks targeting their NAS devices, UPnP should be disabled. Morgan adds that port forwarding, which also assists users in direct communication requests, should also be disabled. “Other sensible steps for this attack — and other similar ransomware variants — can be achieved simply by ensuring devices are not internet facing and are routinely patched with the most regular updates,” Morgan says.

Deadbolt has targeted QNAP devices since January, forcing QNAP to push an update to its NAS devices to mitigate attacks on its customers. Censys observed 4,988 Deadbolt-infected services out of the 130,000 QNAP devices currently on the internet on January 26. In mid-March, Censys senior security researcher Mark Ellzey said Censys had again observed Deadbolt infections on QNAP slowly starting March 16, with a total of 373 infections that day and 1,146 infected devices by March 19.

This latest vulnerability reinforces two things, says Mike Parkin, Senior Technical Engineer at Vulcan Cyber: stay up to date on your patches and be very cautious about exposing your network storage devices to the open internet. “Fortunately, patches are available, and organizations that followed the previous guidance on mitigating internet exposure are at much lower risk,” Parkin says.

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and pressing security challenges facing the industry.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.