Nicholas Zahansky
July 1, 2022
On May 19th. 2022, QNAP, a company known for making NAS hardware and software solutions, posted a product security news update indicating users to take immediate action to update their servers. The post states that a new attack by the Deadbolt ransomware has been detected and that the attack targets devices using QTS
According to an article by Bleeping Computer, this is not the first vulnerability to come to light this year (Gatlan, 2022). In early January 2022, QNAP posted a similar update on their product security news feed. QNAP states that both ransomware and brute force attacks were targeting all network devices and those most vulnerable were directly exposed to the internet.
QNAP provides a brief description on how you can check to see if your NAS device is exposed to the internet (QNAP, 2022, January 26) by opening the security counselor on your QNAP NAS. If your device is exposed to the internet, they recommend disabling port forwarding settings for the NAS management service port (8080 and 443 by default). They next instruct to disable UPnP Port forwarding by going to your myQNAPcloud on the QTS menu clicking on “Auto Router Configuration” and unselecting “Enable UPnP Port forwarding”.
In a report by Stephen Hilt, Éireann Leverett, Fernando Mercês on Trend Micro (2022) the Deadbolt ransomware doesn’t just target QNAP devices but, is also capable of targeting Asustor NAS devices. It uses a configuration file to dynamically choose settings depending on the target. This is an interesting development and brings to mind what other vendors might be targeted in the future. The report also states that there are two types of payment schemes. One in which the victim pays for a decryption key and another where the vendor pays for a master key to unlock all victim data. However, it is not yet confirmed if a master key is even theoretically possible. If the master key is possible and vendors are shelling out bitcoin, the mode of payment for this type of ransomware, then it is likely the attackers will adapt attacks that target a wider range of devices. The report does highlight however, that only 8% of victims have paid the ransom amount.
Gatlan, S. (2022, May 19). QNAP alerts Nas customers of New Deadbolt ransomware attacks. BleepingComputer. Retrieved July 1, 2022, from https://www.bleepingcomputer.com/news/security/qnap-alerts-nas-customers-of-new-deadbolt-ransomware-attacks/ Hilt, S., Leverett, É., & Mercês, F. (2022, June 6). Closing the door deadbolt ransomware locks out vendors with multitiered extortion scheme. Trend Micro. Retrieved July 1, 2022, from https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html QNAP. (2022, January 26). Take immediate actions to stop your nas from exposing to the internet, and update QTS to the latest available version. fight against ransomware together. QNAP Systems, Inc. - Network Attached Storage (NAS). Retrieved July 1, 2022, from https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-stop-your-nas-from-exposing-to-the-internet-and-update-qts-to-the-latest-available-version-fight-against-ransomware-together QNAP. (2022, May 19). Take immediate actions to secure QNAP nas, and update QTS to the latest available version. QNAP Systems, Inc. - Network Attached Storage (NAS). Retrieved July 1, 2022, from https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-secure-qnap-nas-and-update-qts-to-the-latest-available-version