Article Details
Scrape Timestamp (UTC): 2023-10-23 12:03:19.154
Original Article Text
QNAP takes down server behind widespread brute-force attacks
QNAP took down a malicious server used in widespread brute-force attacks targeting Internet-exposed NAS (network-attached storage) devices with weak passwords. The Taiwanese hardware vendor detected the attacks on the evening of October 14 and, with assistance from Digital Ocean, took down the command-and-control server (used to control a botnet of hundreds of infected systems) within two days.
"The QNAP Product Security Incident Response Team (QNAP PSIRT) swiftly took action by successfully blocking hundreds of zombie network IPs through QuFirewall within 7 hours, effectively protecting numerous internet-exposed QNAP NAS devices from further attack," the company said. "Within 48 hours, they also successfully identified the source C&C (Command & Control) server and, in collaboration with the cloud service provider Digital Ocean, took measures to block this C&C server, preventing the situation from escalating further."
QNAP urges its customers to secure their devices by changing the default access port number, deactivating port forwarding on their routers and UPnP on the NAS, using robust passwords for their accounts, implementing password policies, and deactivating the admin account targeted in attacks. It also provides detailed instructions on how to implement defensive measures in its security guide:
"This attack occurred over the weekend, and QNAP promptly identified it through cloud technology, quickly pinpointing the source of the attack and blocking it," said Stanley Huang, the head of QNAP PSIRT, last week. "This not only assisted QNAP NAS users in avoiding harm but also protected other storage users from being affected by this wave of attacks."
The company regularly warns its customers to be cautious of brute-force attacks against QNAP NAS devices that are exposed online, as these attacks frequently result in ransomware attacks [1, 2, 3].
Cybercriminals frequently target NAS devices, aiming to steal or encrypt valuable documents or install information-stealing malware. These devices are often used for backing up and sharing sensitive files, making them valuable targets for malicious actors. Recent attacks targeting QNAP devices include DeadBolt, Checkmate, and eCh0raix ransomware campaigns abusing security vulnerabilities to encrypt data on Internet-exposed NAS devices. Synology, another Taiwanese NAS maker, also warned customers in August 2021 that their network-attached storage devices were being targeted by the StealthWorker botnet in ongoing brute-force attacks that could lead to ransomware infections.
Daily Brief Summary
Taiwanese hardware manufacturer QNAP took down a rogue server used in broad brute-force attacks against network-attached storage (NAS) devices.
QNAP's Product Security Incident Response Team (PSIRT) worked with cloud service provider Digital Ocean to detect and block the command-and-control server within 48 hours.
QNAP successfully blocked hundreds of affected network IP addresses in just seven hours, protecting many internet-exposed QNAP NAS devices from further attacks.
The company is urging its customers to secure their NAS devices by changing default access ports, deactivating port forwarding and UPnP, employing strong passwords, implementing password policies, and deactivating the admin account.
Cybercriminals often target NAS devices in an attempt to steal or encrypt valuable information or to plant information-stealing malware.
QNAP has been targeted in recent attacks like the DeadBolt, Checkmate, and eCh0raix ransomware campaigns, which have exploited security vulnerabilities to encrypt data.
Another Taiwanese NAS manufacturer, Synology, also warned its customers about ongoing brute-force attacks from the StealthWorker botnet, which could potentially lead to ransomware infections.