QNAP, Taiwanese network-attached storage (NAS) manufacturer, advises users to set firmware auto-update on their devices to guard against active cyberattacks. According to the firm, the attackers are after a weakness fixed in December and allow them to run arbitrary code on affected computers.
“Recently the QNAP Product Security Incident Response Team (PSIRT) detected that cybercriminal are taking advantage of a patched vulnerability, described in the QNAP Security Advisory (QSA-21-57), to launch a cyberattack,” as said by the NAS maker.
“On January 27, 2022, QNAP set the patched versions of system software as ‘Recommended Version.’ If auto update for ‘Recommended Version’ is enabled on your QNAP NAS, the system will automatically update to certain OS version to enhance security and protection of your QNAP NAS, mitigating the attack from criminals.”
More information about the Auto Update feature and the way it can be toggled on or off is available in this press release.
While the business did not reveal the threat actors behind the continuing attacks, the warning follows a wave of DeadBolt ransomware attacks that targeted Internet-connected QNAP equipment and demanded victims pay 0.03 bitcoins (about $1,100) for a decryption key. It was subsequently found that QNAP forced installed the update needed to prevent attackers from exploiting the QSA-21-57 issue after thousands of customers’ data were encrypted in DeadBolt attacks.
QNAP stated that they compelled this update to be deployed because they think threat actors are exploiting the remote code execution vulnerability patched in firmware version 126.96.36.1991 and described in the latest statement. According to QNAP, the security flaw has been fixed in the following versions of QTS and QuTS hero:
- QTS 188.8.131.521 build 20211221 and later
- QTS 184.108.40.2062 build 20211223 and later
- QuTS hero h220.127.116.112 build 20211222 and later
- QuTS hero h18.104.22.1682 build 20211223 and later
- QuTScloud c22.214.171.1249 build 20220119 and later
However, a client reported on the QNAP forum that they were encrypted even with this firmware version loaded, implying that the threat actors are most likely leveraging a separate vulnerability. In the previous 12 months, QNAP has sent three ransomware alerts to clients with Internet-connected NAS systems, including the DeadBolt ransomware alert.