QNAP took down a malicious server used in widespread brute-force attacks targeting Internet-exposed NAS devices with weak passwords. The Taiwanese hardware vendor detected the attacks on the evening of October 14 and, with assistance from Digital Ocean, took down the command-and-control server within two days.

"The QNAP Product Security Incident Response Team swiftly took action by successfully blocking hundreds of zombie network IPs through QuFirewall within 7 hours, effectively protecting numerous internet-exposed QNAP NAS devices from further attack," the company said. "Within 48 hours, they also successfully identified the source C&C server and, in collaboration with the cloud service provider Digital Ocean, took measures to block this C&C server, preventing the situation from escalating further."

QNAP urges its customers to secure their devices by changing the default access port number, deactivating port forwarding on their routers and UPnP on the NAS, using robust passwords for their accounts, implementing password policies, and deactivating the admin account targeted in attacks.

"This attack occurred over the weekend, and QNAP promptly identified it through cloud technology, quickly pinpointing the source of the attack and blocking it," said Stanley Huang, the head of QNAP PSIRT, last week. "This not only assisted QNAP NAS users in avoiding harm but also protected other storage users from being affected by this wave of attacks."

The company regularly warns its customers to be cautious of brute-force attacks against QNAP NAS devices that are exposed online, as these attacks frequently result in ransomware attacks [1, 2, 3]. Cybercriminals frequently target NAS devices, aiming to steal or encrypt valuable documents or install information-stealing malware. These devices are often used for backing up and sharing sensitive files, making them valuable targets for malicious actors.
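The article describes QNAP blocking hundreds of attacking IPs through its firewall within hours of spotting the brute-force wave, and it recommends disabling the built-in admin account that the attackers were guessing against. The following is an added example, not QNAP's code and not the QuFirewall implementation, showing the per-source failure counting a NAS operator could run over their own authentication log to surface the same kind of bursty login guessing and to produce a deny list for a firewall rule. The log line format, host name and addresses are constructed for the example (RFC 5737 documentation ranges) and are not QNAP's real log format.

```python
"""Detect password brute-forcing against a NAS from authentication log lines.

Added example: this is not QNAP's code or the QuFirewall implementation.
It counts failed logins per source address inside a sliding time window,
so a burst of guesses is flagged while a user mistyping a few times over
several hours is not.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The syslog-like format, the host name "nas" and the
# addresses are assumptions made for this example, not real QNAP output.
SAMPLE_LOG = """\
2023-10-14T22:01:03Z nas sshd: Failed password for admin from 198.51.100.7
2023-10-14T22:01:05Z nas sshd: Failed password for admin from 198.51.100.7
2023-10-14T22:01:07Z nas sshd: Failed password for admin from 198.51.100.7
2023-10-14T22:01:09Z nas sshd: Failed password for admin from 198.51.100.7
2023-10-14T22:01:11Z nas sshd: Failed password for admin from 198.51.100.7
2023-10-14T22:01:13Z nas sshd: Failed password for admin from 198.51.100.7
2023-10-14T22:05:00Z nas sshd: Failed password for alice from 203.0.113.9
2023-10-14T22:05:30Z nas sshd: Failed password for alice from 203.0.113.9
2023-10-14T22:05:45Z nas sshd: Accepted password for alice from 203.0.113.9
2023-10-14T20:00:00Z nas sshd: Failed password for root from 192.0.2.55
2023-10-14T20:30:00Z nas sshd: Failed password for root from 192.0.2.55
2023-10-14T21:00:00Z nas sshd: Failed password for root from 192.0.2.55
2023-10-14T21:30:00Z nas sshd: Failed password for root from 192.0.2.55
2023-10-14T22:00:00Z nas sshd: Failed password for root from 192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def max_failures_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force_sources(log_text, threshold=5, window_minutes=10):
    """Map source IP -> summary for every IP with >= threshold failures in one window.

    Successful logins from a flagged source are counted too, so an analyst can
    see whether a guessing source eventually got in and needs follow-up.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    accounts = defaultdict(set)    # ip -> account names tried
    successes = defaultdict(int)   # ip -> number of accepted logins
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip unrelated or malformed lines
        ts, result, user, ip = parsed
        accounts[ip].add(user)
        if result == "Failed":
            failures[ip].append(ts)
        else:
            successes[ip] += 1
    report = {}
    for ip, times in failures.items():
        burst = max_failures_in_window(times, window)
        if burst >= threshold:
            report[ip] = {
                "burst_failures": burst,
                "total_failures": len(times),
                "accounts": sorted(accounts[ip]),
                "successes": successes[ip],
            }
    return report


def blocklist(report):
    """Sorted source IPs to hand to a firewall deny rule."""
    return sorted(report)


def default_admin_targeted(report):
    """Flagged IPs that guessed the built-in 'admin' account the vendor says to disable."""
    return sorted(ip for ip, info in report.items() if "admin" in info["accounts"])


if __name__ == "__main__":
    found = find_brute_force_sources(SAMPLE_LOG)
    for ip, info in found.items():
        print(ip, info)
    print("deny:", blocklist(found))
    print("admin account targeted from:", default_admin_targeted(found))
```

With the defaults (five failures within ten minutes) only the six-guess burst from 198.51.100.7 is reported; the two mistakes before alice's successful login and the five root failures spread over two hours are not. Widening the window to three hours does flag the slow 192.0.2.55 source, which is the trade-off to tune against the low-and-slow guessing the article's "zombie network" implies.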
Recent attacks targeting QNAP devices include DeadBolt, Checkmate, and eCh0raix ransomware campaigns abusing security vulnerabilities to encrypt data on Internet-exposed NAS devices. Synology, another Taiwanese NAS maker, also warned customers in August 2021 that their network-attached storage devices were being targeted by the StealthWorker botnet in ongoing brute-force attacks that could lead to ransomware infections.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000