QNAP takes down server behind widespread brute-force attacks

QNAP took down a malicious server used in widespread brute-force attacks targeting Internet-exposed NAS (network-attached storage) devices with weak passwords.

The Taiwanese hardware vendor detected the attacks on the evening of October 14 and, with assistance from Digital Ocean, took down the command-and-control server (used to control a botnet of hundreds of infected systems) within two days.

"The QNAP Product Security Incident Response Team (QNAP PSIRT) swiftly took action by successfully blocking hundreds of zombie network IPs through QuFirewall within 7 hours, effectively protecting numerous internet-exposed QNAP NAS devices from further attack," the company said.

"Within 48 hours, they also successfully identified the source C&C (Command & Control) server and, in collaboration with the cloud service provider Digital Ocean, took measures to block this C&C server, preventing the situation from escalating further."

QNAP urges its customers to secure their devices by changing the default access port number, deactivating port forwarding on their routers and UPnP on the NAS, using robust passwords for their accounts, implementing password policies, and deactivating the admin account targeted in attacks.

It also provides detailed instructions on how to implement defensive measures in its security guide:

• Disable the "admin" account (page 30)
• Set strong passwords for all user accounts and avoid using weak passwords (page 34)
• Update QNAP NAS firmware and apps to the latest versions (page 24)
• Install and enable the QuFirewall application (page 46)
• Utilize myQNAPcloud Link's relay service to prevent your NAS from being exposed to the internet. If there are bandwidth requirements or specific applications necessitating port forwarding, you should avoid using the default ports 8080 and 443 (page 39)

"This attack occurred over the weekend, and QNAP promptly identified it through cloud technology, quickly pinpointing the source of the attack and blocking it," said Stanley Huang, the head of QNAP PSIRT, last week.

"This not only assisted QNAP NAS users in avoiding harm but also protected other storage users from being affected by this wave of attacks."

The company regularly warns its customers to be cautious of brute-force attacks against QNAP NAS devices that are exposed online, as these attacks frequently result in ransomware attacks [1, 2, 3].

Cybercriminals frequently target NAS devices, aiming to steal or encrypt valuable documents or install information-stealing malware. These devices are often used for backing up and sharing sensitive files, making them valuable targets for malicious actors.

Recent attacks targeting QNAP devices include DeadBolt, Checkmate, and eCh0raix ransomware campaigns abusing security vulnerabilities to encrypt data on Internet-exposed NAS devices.

Synology, another Taiwanese NAS maker, also warned customers in August 2021 that their network-attached storage devices were being targeted by the StealthWorker botnet in ongoing brute-force attacks that could lead to ransomware infections.

Source