QNAP: DeadBolt Ransomware Takes Advantage of Flaw Fixed in December

QNAP: DeadBolt Ransomware Takes Advantage of Flaw Fixed in December

QNAP, Taiwanese network-attached storage (NAS) manufacturer, advises users to set firmware auto-update on their devices to guard against active cyberattacks. According to the firm, the attackers are after a weakness fixed in December and allow them to run arbitrary code on affected computers.

“Recently the QNAP Product Security Incident Response Team (PSIRT) detected that cybercriminal are taking advantage of a patched vulnerability, described in the QNAP Security Advisory (QSA-21-57), to launch a cyberattack,” as said by the NAS maker.

“On January 27, 2022, QNAP set the patched versions of system software as ‘Recommended Version.’ If auto update for ‘Recommended Version’ is enabled on your QNAP NAS, the system will automatically update to certain OS version to enhance security and protection of your QNAP NAS, mitigating the attack from criminals.”

More information about the Auto Update feature and the way it can be toggled on or off is available in this press release

While the business did not reveal the threat actors behind the continuing attacks, the warning follows a wave of DeadBolt ransomware attacks that targeted Internet-connected QNAP equipment and demanded victims pay 0.03 bitcoins (about $1,100) for a decryption key. It was subsequently found that QNAP forced installed the update needed to prevent attackers from exploiting the QSA-21-57 issue after thousands of customers’ data were encrypted in DeadBolt attacks.

QNAP stated that they compelled this update to be deployed because they think threat actors are exploiting the remote code execution vulnerability patched in firmware version and described in the latest statement. According to QNAP, the security flaw has been fixed in the following versions of QTS and QuTS hero:

  • QTS build 20211221 and later
  • QTS build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTS hero h4.5.4.1892 build 20211223 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later

However, a client reported on the QNAP forum that they were encrypted even with this firmware version loaded, implying that the threat actors are most likely leveraging a separate vulnerability. In the previous 12 months, QNAP has sent three ransomware alerts to clients with Internet-connected NAS systems, including the DeadBolt ransomware alert.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.