Security
Headlines
HeadlinesLatestCVEs

Headline

Roundtable: Amid Cyberattack Frenzy, How Can QNAP Customers Protect the Business?

Our roundtable of cybersecurity experts weighs in on what makes QNAP network-attached storage catnip for attackers, and what organizations can do about it.

DARKReading
#csrf#vulnerability#web#linux#git#intel#rce#auth#ssh

QNAP has had a rough run of it lately on the cybersecurity front, with cybercrime groups continually targeting known vulnerabilities in its network-attached storage (NAS) devices and serious vulnerabilities coming to light several times already in 2022.

QNAP offerings and other NAS options provide centralized, shared file storage that can be accessed by multiple users and client devices on a local area network (LAN). They also offer a popular alternative to cloud backups and storage for smaller companies — and tend to house treasure troves of data.

According to Shodan, there are almost 300,000 QNAP devices directly connected to the Internet. And — to put it simply — attackers appreciate the large population.

Given this, attackers see NAS customers as a golden opportunity, according to a Dark Reading roundtable of security professionals, as evidenced by a bonanza of recent QNAP-related cyberattack activity.

Unpatched QNAP Customers Face Ongoing Cyberattack Frenzy

The multilevel-extortion threat known as the Deadbolt ransomware, in particular, is beating up on QNAP customers. Just last month, for example, the company flagged a new Deadbolt campaign going after its hardware — the second spate of such attacks in the past few weeks.

Other cybercrime groups are also taking aim at vulnerable devices: Earlier this year, QNAP was targeted by a wave of attacks using a new ransomware strain called eCh0raix.

Ransomware gangs are usually looking to exploit known bugs, such as critical flaws disclosed in April in Netatalk that affect QNAP and Synology firmware (CVE-2022-0194; CVE-2022-23122; CVE-2022-23125). These, which remain unpatched on certain NAS devices, allow remote code execution (RCE).

Another exploitable (but patched) flaw is a cross-site request forgery (CSRF) vulnerability (CVE-2021-34360) disclosed earlier this year in QNAP NAS devices running Proxy Server, which allows remote code injection.

It’s worth noting that more sophisticated threats have options to pivot deeper into the network at patch-avoiding organizations as well: In March, the Taiwan-based QNAP said that its devices contained the severe Linux kernel vulnerability known as “Dirty Pipe,” which is a privilege-escalation flaw that was deemed serious enough to warrant an alert from the US Cybersecurity and Infrastructure Security Agency (CISA). Of course, QNAP isn’t alone in being vulnerable to that particular bug, but it contributes to the gear’s attractiveness as a target.

In all, CISA has at least 10 QNAP vulnerabilities listed as being actively exploited by adversaries in its Known Exploited Vulnerability (KEV) Catalog.

Dark Reading spoke to a slate of security researchers about why QNAP devices are in the crosshairs of so much cyber-activity, and what companies can do about it.

Why Is QNAP Getting Targeted?

QNAP devices are attractive to cybercriminals for a number of reasons, including the fact that QNAP storage appliances are most often utilized by small to midsize (SMBs) businesses with very small (or non-existent) IT and security teams. This often translates to a lack of manpower for installing patches, among other downsides — creating large pools of devices that are ripe for exploitation.

“Storage devices that can be a core piece of an organization’s operations that are easy to exploit create a perfect storm for ransomware gangs looking to ensure a quick payout to their extortion demands,” says Chris Clements, vice president of solutions architecture at Cerberus Sentinel.

Also, the main mission attackers take on when exploiting vulnerabilities is, most often than not, data gathering. Historically, NAS products have been used by companies who prefer to take the route of an on-premises storage with a need for heavy use and storage capabilities, rather than a third-party handover of sensitive data, according to Brad Hong, customer success lead at Horizon3.ai.

“Since QNAP-branded NAS are quite literally a lateral extension of the organization’s brain, even sometimes serving as the sole disaster-recovery storage, and make up about 54% of the NAS market share, it’s only natural that its OS is a prime target for attackers,” says Hong. “Imagine being able to circumvent all the strenuous steps of the cyber kill chain across every single enterprise, and instead using one key that fits more than half of the industry — effectively, it becomes a single vulnerability that negates all relevant cyber-stacks.”

NAS Appliances a Dangerous Attack Vector — But Patching Lags

The risks to businesses from a successful compromise are myriad, researchers note, especially since by their very nature NAS appliances are often the primary data storage medium or are responsible for housing backups. Thus, successfully encrypting a storage appliance with ransomware can mean that the victim loses not only data, but also the source of backups and thus the ability to recover.

“The successful exploitation of a QNAP device, which often serves simultaneously as the heart and backbone of an organization, is akin to walking right into a HQ and swiping all its data,” Horizon3.ai’s Hong explains.

Roger Grimes, data-driven defense evangelist at KnowBe4, notes that a compromise not only means that the attacker has immediate access to data, but that the threat actor can use the initial exploitation to gain further access to the victim’s logon credentials and broader network environment. Thus, he says, using security fundamentals should be a must-do.

“Basically, if defenders use strong log-on credentials, keep it patched, and follow the vendor’s configuration recommendations, it can be as secure as any other cyber-product,” he notes. “But according to CISA’s KEV reporting, only three of the 10 reported exploited vulnerabilities have occurred since 2020. Most of the exploits are from things fixed by the vendor and patched years ago.”

Cerberus Sentinel’s Clements points out that appliances in general can also often lag significantly behind patching cadences of desktop or server systems, because most vendors lack a centralized mechanism for scheduling and deploying fixes for serious security flaws.

“Patches need to be manually applied by administrators,” he says. “And patching storage appliances can also be disruptive not only because they require reboots, during which time important data can be inaccessible to a business, but often security patches are distributed by appliance vendors as part of larger firmware updates that can alter or even remove existing functionality that an organization may depend on.”

But KnowBe4’s Grimes notes that a simple administrative change could help the issue.

“Most of today’s QNAP devices have an automatic patching feature, but it won’t automatically apply the patch and reboot without the admin’s consent,” he explains. “Patching and rebooting takes time and causes operational interruption to the data on the device. So, they have to ask for approval. It would benefit QNAP and really every device in the world if the vendor was allowed to patch and reboot without permission.”

QNAP customers would need to accept that patching is going to happen and expect small amounts of operational interruption during the patching process, he adds, pointing out that they could even control when the automatic patching happens.

What is QNAP’s Responsibility for Customer Security?

While customers bear responsibility for their own patching, what about QNAP’s rash of security bugs (and spotty track record in patching them quickly)?

“Of course, QNAP can help by doing better, more secure coding,” Grimes says. “Many of the announced vulnerabilities have been because QNAP didn’t do secure development lifecycle (SDL) coding and simple security reviews. Many of the flaws over the last few years are so basic that it just shows you that QNAP wasn’t concentrating enough on making sure they had less vulnerable code.”

Horizon3.ai’s Hong highlighted the vendor’s own history of being slow to patch disclosed vulnerabilities.

“There’s a larger conversation to be had here about legislation that should be passed to ensure vendors are doing their part to protect security, not just market share,” he says. “One notorious example goes back in 2020 when an unauthenticated RCE and arbitrary file write exploit took more than seven months to be patched and, even then, only came after its four month disclosure grace-period expired and the exploit was finally made public.”

Mike Parkin, senior technical engineer at Vulcan Cyber, has a different take, though.

“It’s hard to say whether QNAP has just suffered a run of bad luck with exposed vulnerabilities or there is as actual issue keeping the systems secure, though I lean towards bad luck,” he says. “Hopefully, updates from QNAP will make the devices more secure and the user community will take notice and review their own deployments to make sure they were done securely.”

QNAP did not respond to a request for comment for this article.

How Can Companies Protect Themselves Against QNAP Attacks?

When it comes to best practices for defense, the basics are the place to start, researchers said, including regular patching as explained above. But other measures are important too, like keeping appliances off the Internet and using strong, unique log-on credentials.

“Generally, organizations should minimize their public attack surface,” says Jake Williams, executive director of cyber-threat intelligence at Scythe. “Many vulnerabilities in networking gear and other appliances are only exploitable when the administrative interface is exposed to the Internet (something almost universally discouraged by device vendors).”

If they must be accessible via the Internet, appliances should be behind other security measures, according to Satnam Narang, senior staff research engineer at Tenable. “Ideally, you don’t want to expose your NAS devices publicly, so keep them behind a router and a firewall and utilize (if available) built-in VPN functionality for remote access,” he says.

Another issue that’s fixable is the use of Universal Plug and Play (UPnP), which is a network protocol that allows devices to automatically set port-forwarding rules for themselves, meaning these devices are directly accessible from the Internet, sometimes without user knowledge.

“UPnP is used for a variety of purposes, including gaming and streaming content, with the protocol allowing convenience of quickly connecting devices to a network, but at a security cost,” says Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows. “QNAP has clarified that in the wake of attacks targeting their NAS devices, UPnP should be disabled. Port forwarding, which also assists users in direct communication requests, should also be disabled.”

Beyond the simple steps, researchers also note that technology approaches are also available, such as encryption for data.

“All organizations should invest in encrypting their sensitive data at rest, and preferably with unique encryption keys per file or object,” says Scott Bledsoe, CEO at Theon Technology. “With granular encryption of data at rest, the compromise of a single encryption key will only result in a single item of information from being disclosed, and will prevent large-scale disclosure of sensitive information.”

And finally, Ryan McCurdy, vice president of marketing at Bolster, explains that people-based or legacy approaches are nearly impossible to scale with the massive volume of data on the Web, all of which could be a conduit for an attack on NAS devices.

“Throwing bodies and point solutions at this problem no longer works,” he says. “In order to scale, it’s critical that companies take a platform approach and leverage automation to detect, analyze, and take down fraudulent sites and content across the Web, social media, app stores, marketplaces, and the Dark Web.”

Related news

Gentoo Linux Security Advisory 202311-02

Gentoo Linux Security Advisory 202311-2 - Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution Versions greater than or equal to 3.1.18 are affected.

Debian Security Advisory 5503-1

Debian Linux Security Advisory 5503-1 - Multiple security issues were discovered in Netatalk, an implementation of the Apple Filing Protocol (AFP) for offering file service (mainly) to macOS clients, which may result in the execution of arbitrary code or information disclosure.

Ubuntu Security Notice USN-6146-1

Ubuntu Security Notice 6146-1 - It was discovered that Netatalk did not properly validate the length of user-supplied data in the DSI structures. A remote attacker could possibly use this issue to execute arbitrary code with the privileges of the user invoking the programs. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Netatalk did not properly validate the length of user-supplied data in the ad_addcomment function. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

CVE-2022-23122: Netatalk Release Notes

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837.

CVE-2022-23125: ZDI-22-526

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.

CVE-2022-0194: ZDI-22-530

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15876.

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2021-34360: Cross-Site Request Forgery Vulnerability in Proxy Server - Security Advisory

A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later

CVE-2022-22995: WDC-22005 Netatalk Security Vulnerabilities | Western Digital

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

DARKReading: Latest News

SEC Disclosures Up, But Not Enough Details Provided