Heimdal Security Blog

QNAP Fixes Improper Access Control Vulnerability in NAS Backup

QNAP Systems, Inc., a Taiwanese corporation that specializes in network-attached storage (NAS) appliances, has tackled a severe security flaw affecting certain legacy versions of HBS 3 (Hybrid Backup Sync).

If exploited, this vulnerability allows cybercriminals to compromise the security of the operating system, escalate privileges, carry out commands remotely, or read private information without authorization.

According to BleepingComputer, the improper access control vulnerability tracked as CVE-2021-28809 was discovered by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP’s disaster recovery and data backup solution.

The Taiwan-based NAS maker states that it has already fixed the vulnerability in the following versions of HBS 3:

According to the company, QNAP NAS devices running QTS 4.5.x with HBS 3 v16.x are not affected by this security bug.

In order to fix the vulnerability, the organization recommends updating HBS 3 to the latest version.

As noticed by BleepingComputer, while the organization published the security advisory announcing that CVE-2021-28809 is fixed, the app’s release notes do not list any security updates since May 14th, 2021.

Qlocker Ransomware Has Used HBS Backdoor Account to Hack NAS Devices

In April, QNAP addressed a critical vulnerability that allowed attackers to log into its NAS (network-attached storage) devices using hardcoded credentials.

The vulnerability tracked as CVE-2021-28799 was found by a disaster recovery and data backup solution company based in Taiwan, called ZUSO ART.

A few months ago, Qlocker threat actors started targeting QNAP devices around the world in an ongoing massive ransomware campaign storing users’ files in password-protected 7zip archives.

Hackers used 7-Zip to move files on QNAP devices into password-protected archives with the .7z extension. While the files were being locked, the QNAP Resource Monitor would display numerous ‘7z’ processes, which correspond to the 7-Zip command-line executable.
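The observable described above (many concurrent ‘7z’ processes writing .7z archives) can be turned into a simple host-level detection check. The following Python script is an added example and is not code from Heimdal, QNAP or BleepingComputer; the process-list snapshot is constructed, and the alert threshold and the set of 7-Zip binary names are assumptions for illustration.

```python
import shlex
from collections import Counter
from os.path import basename

# Names of the 7-Zip command-line executables to watch for (assumed set; the page names '7z').
SEVEN_ZIP_BINARIES = {"7z", "7za", "7zr"}
# Hypothetical threshold: this many concurrent archivers is unusual on a NAS.
ALERT_THRESHOLD = 3

# Constructed process-list snapshot in `ps -eo pid,ppid,user,args` layout; not real QNAP output.
SAMPLE_PS = """PID PPID USER ARGS
1 0 admin /sbin/init
812 1 admin /usr/sbin/sshd
2203 1 admin /bin/sh /tmp/run.sh
3101 2203 admin 7z a /share/Public/photos.7z /share/Public/photos
3102 2203 admin 7z a /share/Multimedia/videos.7z /share/Multimedia/videos
3103 2203 admin /usr/local/bin/7z a /share/Web/site.7z /share/Web/site
3104 2203 admin 7za a /share/homes/alice/docs.7z /share/homes/alice/docs
4410 1 admin /usr/bin/rsync -a /share/Public /share/backup
"""


def parse_ps(text):
    """Parse a ps-style listing into dicts; the ARGS column may contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, args = parts
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user, "args": args})
    return rows


def is_seven_zip(row):
    """True if the process image is a 7-Zip CLI binary, regardless of its path."""
    argv = shlex.split(row["args"])
    return bool(argv) and basename(argv[0]) in SEVEN_ZIP_BINARIES


def archive_targets(row):
    """Return the .7z paths a 7-Zip process is operating on."""
    return [a for a in shlex.split(row["args"])[1:] if a.lower().endswith(".7z")]


def analyze(text, threshold=ALERT_THRESHOLD):
    """Count 7-Zip processes, collect their archive paths and the most common parent PID."""
    rows = parse_ps(text)
    hits = [r for r in rows if is_seven_zip(r)]
    parents = Counter(r["ppid"] for r in hits)
    return {
        "count": len(hits),
        "pids": [r["pid"] for r in hits],
        "archives": [t for r in hits for t in archive_targets(r)],
        # A single parent spawning every archiver is a useful pivot for triage.
        "common_parent": parents.most_common(1)[0][0] if parents else None,
        "alert": len(hits) >= threshold,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_PS))
```

On a real device the snapshot would come from the system’s process list rather than the embedded string; the shared parent PID and the list of archive paths are the first things an incident responder would want from such an alert.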

As reported by BleepingComputer, the ransomware group managed to obtain around $260,000 in just five days by asking for ransoms of 0.01 bitcoins (worth roughly $500 at the time).

Customers were advised by QNAP to protect their NAS devices against Agelocker and eCh0raix ransomware attacks. The latter has attacked QNAP devices before.

Customers who want to secure their NAS devices from incoming attacks are urged to follow these best practices for increasing NAS protection.