Quick and easy network hardware installation is rarely the best way to manage risk. As DeadBolt demonstrates, owners of popular network storage devices are learning that exposing their sensitive, business-critical information directly to the Internet is not a good idea.
DeadBolt, a ransomware family that appeared in January 2022, targets the NAS products of the Taiwanese company QNAP (Quality Network Appliance Provider), which holds close to 53% of the market for such systems. Although ASUSTOR NAS devices have also been attacked, this article focuses on the first target.
Although this is a look at one set of deployed devices, what we review here is really a lesson in how to deploy any critical information asset, including IoT and IIoT devices.
What is QNAP NAS?
QNAP NAS (Network Attached Storage) devices, aimed at small and home offices, small businesses, and some medium-sized businesses, are inexpensive, easy to set up, and often easily reachable by malicious actors. While storage area networks (SANs) typically hold an organization's databases, NAS storage holds Word documents, Excel spreadsheets, and other files containing data across multiple classifications.
As Paul Ducklin writes, these NAS boxes are "... small, preconfigured servers that typically run Linux." A small business or home that installs a QNAP NAS simply connects it to its router; with UPnP enabled, the device is discovered and made available. Larger organizations may require a more sophisticated configuration for remote access, but this quick and easy approach is a common way for a NAS to get its first exposure to the Internet.
Externally facing UPnP challenges
UPnP (Universal Plug and Play), well known to security experts and threat actors alike, is a set of protocols that lets a device on a network discover other devices and set up sessions with them without any authentication.
UPnP was originally intended to give home and home-office users an easy way to connect new devices to their internal networks. It was never intended for enterprise network environments and should not be used to enable remote access.
What makes QNAP NAS devices easy to set up is UPnP being enabled on both the network router and the devices being connected. The router uses UPnP to identify available UPnP-enabled devices and add them to its port-forwarding table. Keep in mind: if a malicious actor can communicate with a device via UPnP, they may be able to use any of its defined services or reconfigure the device's settings.
Once the router recognizes a device, it configures a port map for the services the device offers. With UPnP port forwarding enabled on the wireless router, as shown in Figure 2, an external connection arriving at port 55536 on the router's public-facing interface is forwarded to the QNAP NAS at 192.168.1.32. The result is a NAS directly reachable from the Internet, with whatever known or unknown vulnerabilities it carries.
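To make the mechanics concrete, here is an added example; it is not code from the article, from QNAP, or from Trend Micro. It shows the two unauthenticated UPnP IGD messages involved (the SSDP M-SEARCH that finds the router and the SOAP AddPortMapping request that creates a forwarding rule) and a small audit that walks a router's mapping table and flags entries forwarding Internet traffic to a NAS, which is the check a practitioner would run before trusting the "disable port forwarding" advice. The message formats follow the UPnP WANIPConnection service; the NAS address 192.168.1.32 and external port 55536 are taken from Figure 2, while the internal port 8080 and the sample replies are constructed assumptions.

```python
"""Added example (not the article's, QNAP's or Trend Micro's code).

Shows (1) the SSDP/SOAP messages UPnP IGD uses to discover a router and
request a port mapping with no authentication at all, and (2) an audit of
a router's mapping table for entries that expose a NAS. Network I/O is
kept out of the helpers so everything runs offline on constructed samples."""
import xml.etree.ElementTree as ET

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(search_target: str = IGD) -> bytes:
    """SSDP M-SEARCH. Any host that can reach the multicast group may send
    this; the router answers without asking who is asking."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 2\r\n"
        f"ST: {search_target}\r\n\r\n"
    ).encode()


def parse_ssdp_response(raw: bytes) -> dict:
    """Headers of an SSDP reply; LOCATION is the device description URL."""
    head = raw.decode(errors="replace").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the HTTP status line
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().upper()] = value.strip()
    return headers


def build_add_port_mapping(ext_port: int, int_host: str, int_port: int,
                           proto: str = "TCP", desc: str = "QNAP NAS") -> str:
    """SOAP body for WANIPConnection AddPortMapping. Note that there is no
    credential field anywhere: reaching the control URL is sufficient."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_ENV}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="{WANIP}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext_port}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{int_port}</NewInternalPort>
   <NewInternalClient>{int_host}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def parse_soap_args(soap_xml: str) -> dict:
    """Flatten the argument elements of a SOAP action or response into a
    dict. Works for AddPortMapping requests and GetGenericPortMappingEntry
    replies alike (the argument elements carry no namespace prefix)."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP_ENV}}}Body")
    action = body[0]
    return {child.tag: (child.text or "") for child in action}


def audit_mappings(entries: list, nas_hosts: set) -> list:
    """One finding per enabled mapping that forwards Internet traffic to a
    NAS. On a real router, collect entries by calling
    GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2, ... until
    it returns a SOAP fault, parsing each reply with parse_soap_args()."""
    findings = []
    for e in entries:
        host = e.get("NewInternalClient", "")
        if host in nas_hosts and e.get("NewEnabled", "1") == "1":
            findings.append(
                f"{e.get('NewProtocol', '?')} {e.get('NewExternalPort', '?')} -> "
                f"{host}:{e.get('NewInternalPort', '?')} "
                f"({e.get('NewPortMappingDescription', '')})"
            )
    return findings


# Constructed sample messages (not captured from a real device). External
# port and NAS address are the ones in the article's Figure 2; internal port
# 8080 is an assumption (QNAP's default web administration port).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux UPnP/1.1 sample-igd/1.0\r\n\r\n"
)

SAMPLE_MAPPING_REPLY = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_ENV}">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>55536</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>8080</NewInternalPort>
   <NewInternalClient>192.168.1.32</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>QNAP NAS</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print("router description at", parse_ssdp_response(SAMPLE_SSDP_REPLY)["LOCATION"])
    entry = parse_soap_args(SAMPLE_MAPPING_REPLY)
    for finding in audit_mappings([entry], {"192.168.1.32"}):
        print("EXPOSED:", finding)
```

Against a live router, the same helpers slot into three network steps: send `build_msearch()` to 239.255.255.250:1900 over UDP, fetch the `LOCATION` URL from the reply and read the WANIPConnection control URL out of the device description, then POST SOAP bodies to that control URL with a `SOAPAction` header naming the action. The audit is the verification step for the "disable port forwarding" advice: a mapping table with no entries pointing at the NAS is the state you want to see.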
The QNAP Attack
Once malicious actors can reach a QNAP device, they exploit vulnerabilities in its system and services to install and run their payload. Over the past year they have exploited various vulnerabilities that QNAP has since patched. The latest attack, on September 22, exploited a previously unknown vulnerability in Photo Station, which QNAP fixed within 12 hours.
The problem is not only UPnP. Any method that exposes internal network devices to the public Internet carries the same risk.
Stephen Hilt, Éireann Leverett, and Fernando Mercês of Trend Micro provide a thorough walkthrough of how DeadBolt infected vulnerable QNAP devices in June 2022. The attack method used in September was the same, although different software vulnerabilities were exploited. Hilt et al. provide the following high-level view:
- DeadBolt uses a configuration file that selects specific settings based on the vendor it targets, making it readily adaptable to new targets across multiple vendors.
- There are two ransom schemes: the victim pays for a decryption key for their own device, or the NAS vendor pays for a master key that supposedly unlocks every affected device from that vendor. So far, neither QNAP nor ASUSTOR has paid the master-key ransom, which is priced at more than $1 million.
- The key to unlock an individual victim's device costs around $1,200, a price fewer than 10% of victims choose to pay.
There is an interesting thread on Reddit in which users affected by the June 2022 attack discuss whether to pay for keys and how to do it. It also appears that one of the fixes QNAP made to its firmware broke the use of decryption keys obtained after the June payments. QNAP does offer detailed instructions for handling this problem, but they are not for the uninitiated. Keys from the September attacks may not be affected.
Protection begins with not exposing storage devices to the public Internet. This is a basic security requirement that most users do not know about, or, if they do, they do not realize that they have opened a hole in the perimeter wall. For its products, QNAP publishes security configuration instructions, including how to disable port forwarding. But consumers need to pay attention to those instructions.
QNAP also provides a cloud service, myQNAPcloud, which offers a safer way to reach NAS devices, including an easy way to configure routers for external access, access management, and multi-factor authentication. The most important security property of this configuration is that it removes direct Internet access to all of the customer's NAS devices.
Setting up myQNAPcloud is an essential part of QNAP’s recommended way to secure NAS access:
- Disable port forwarding on the router
- Install myQNAPcloud on the NAS to enable remote access without exposing the device to the public internet
- Update the NAS firmware to the latest version [while ensuring reasonable and appropriate supply chain risk management]
- Update all applications on the NAS to their latest versions
- Provide strong authentication for all NAS user accounts
- Take snapshots and back them up regularly to protect your data
Another protection to add to this list is changing the default port numbers of NAS services. This does not really reduce the risk, but it is easy to do and adds friction for the attacker.
This is a story about what happens when storage is made reachable from the public Internet through a high-risk method like port forwarding. Port forwarding has its uses, but it should never allow direct access to data.
Organizations and individuals need a layer of protection between data storage and those who want to access it, whether from the internal network or remotely. Applications that provide limited access, strong authentication, logging, and monitoring are the best way to build this layer. If the NAS vendor offers such a layer, use it. If not, build one. If neither is an option, find another vendor.