QNAP Removes Backdoor Account in NAS Backup
QNAP has recently addressed a critical vulnerability that allowed attackers to log into its NAS devices using hardcoded credentials.
The NAS vendor QNAP has recently addressed a critical vulnerability that allowed attackers to log into its QNAP NAS (network-attached storage) devices by using hardcoded credentials.
The vulnerability, tracked as CVE-2021-28799, was reported to QNAP by the Taiwan-based security research team ZUSO ART and affects HBS 3 Hybrid Backup Sync, the disaster recovery and data backup application that ships for QNAP NAS devices. QNAP says the security bug was fixed in the following HBS versions and advises customers to update the software to the latest released version, as follows:
- QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
- QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
- QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later
To install the HBS update on your NAS device, log into QTS or QuTS hero as the administrator, search for “HBS 3 Hybrid Backup Sync” in the App Center, then click Update and OK to update the application.
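For anyone responsible for more than one NAS, the first question is which devices still run a vulnerable HBS build. The following is an added example, not code from QNAP or from the article: a small triage script that encodes the fixed-version table above and checks an inventory against it. The CSV inventory, hostnames and version strings in it are constructed sample data; the only real values are the OS lines and fixed HBS versions quoted from the advisory. Note that the QTS 4.3.6 line ships 3.x builds of HBS while the other lines ship 16.x builds, so the script refuses to compare across release trains and reports anything it cannot classify as "unknown" rather than "fixed".

```python
"""Flag HBS 3 installs below QNAP's fixed versions for CVE-2021-28799.

Added example (not QNAP's or the article's code). The fixed-version table
is the one from the advisory as reproduced above; the inventory below is
constructed sample input.
"""
import csv
import io
import re

# Minimum fixed HBS 3 Hybrid Backup Sync version per OS line, from the
# advisory table above. QuTScloud c4.5.1 through c4.5.4 share one threshold.
FIXED_HBS = {
    "QTS 4.5.2": "16.0.0415",
    "QTS 4.3.6": "3.0.210412",
    "QuTS hero h4.5.1": "16.0.0419",
    **{f"QuTScloud c4.5.{n}": "16.0.0419" for n in range(1, 5)},
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def version_key(version):
    """Turn '16.0.0415' into (16, 0, 415) so versions compare numerically,
    not as strings (string comparison would rank '3.0.9' above '3.0.10')."""
    if not _VERSION_RE.match(version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def hbs_status(os_line, hbs_version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one device.

    'unknown' is deliberate fail-closed output: an OS line the advisory does
    not list, a version string we cannot parse, or an HBS build from a
    different release train than the fix is never assumed to be safe.
    """
    fixed = FIXED_HBS.get(os_line)
    if fixed is None:
        return "unknown"
    try:
        installed, threshold = version_key(hbs_version), version_key(fixed)
    except ValueError:
        return "unknown"
    if installed[0] != threshold[0]:  # 3.x vs 16.x: different trains
        return "unknown"
    return "fixed" if installed >= threshold else "vulnerable"


def triage(inventory_csv):
    """Map a CSV inventory (host,os_line,hbs_version) to {host: status}."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: hbs_status(row["os_line"], row["hbs_version"])
            for row in rows}


# Constructed sample inventory; hostnames and installed versions are made up.
SAMPLE_INVENTORY = """host,os_line,hbs_version
nas-01,QTS 4.5.2,16.0.0415
nas-02,QTS 4.5.2,16.0.0331
nas-03,QTS 4.3.6,3.0.210412
nas-04,QTS 4.3.6,3.0.210301
nas-05,QuTS hero h4.5.1,16.0.0419
nas-06,QuTScloud c4.5.3,16.0.0418
nas-07,QTS 4.4.1,16.0.0415
"""

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Feed it the real inventory exported from whatever asset tracking you use; any host reported as "vulnerable" or "unknown" goes to the front of the patch queue, and "unknown" ones (for example a QTS 4.4.x device, which the advisory does not list at all) need a manual check against QNAP's current advisory rather than an assumption of safety.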
A QNAP spokesperson told BleepingComputer that the disclosure was delayed because additional time was needed to release the patches for the QuTS hero and QuTScloud versions of HBS.
This class of bug matters because it lets threat actors take over NAS devices outright and deploy ransomware that encrypts users’ files, after which they can demand hefty ransoms for a decryptor.
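The root cause here is a login path that accepts a secret baked into every shipped copy of the software, so the owner's own password never enters into it. The following is an added illustration of that bug class and of the shape a fix takes; it is not QNAP's code, and the account name and password in it are made up placeholders, not the credentials QNAP removed. The hardened variant has no static account at all: every secret is per-device, stored as a salted PBKDF2 hash, compared in constant time, and any service access that is genuinely needed is generated on the device at setup time instead of shipped in the image.

```python
"""Hardcoded-credential login beside a hardened replacement.

Added example, not QNAP's code. BACKDOOR_USER / BACKDOOR_PASSWORD are
invented placeholders for illustration only.
"""
import hashlib
import hmac
import os
import secrets
import string

BACKDOOR_USER = "support"            # constructed placeholder
BACKDOOR_PASSWORD = "s3rv1ce-acc3ss"  # constructed placeholder, same on every unit


class VulnerableLogin:
    """Accepts a hardcoded account in addition to the owner's credentials."""

    def __init__(self, users):
        self.users = users  # username -> plaintext password (a second defect)

    def login(self, user, password):
        # Works on every device ever shipped, whatever the owner configured.
        if user == BACKDOOR_USER and password == BACKDOOR_PASSWORD:
            return True
        return self.users.get(user) == password


class HardenedLogin:
    """No static account; secrets are per-device and stored only as hashes."""

    ITERATIONS = 100_000

    def __init__(self):
        self._store = {}  # username -> (salt, pbkdf2 hash)

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   cls.ITERATIONS)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._store[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        record = self._store.get(user)
        if record is None:
            # Hash anyway so an unknown username costs the same time as a
            # wrong password; otherwise usernames can be enumerated by timing.
            self._hash(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(self._hash(password, salt), stored)

    @staticmethod
    def provision_service_credential(length=24):
        """If vendor service access is needed at all, generate it on the
        device at setup time and show it once to the owner; nothing about
        it exists in the firmware image or is shared between units."""
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    weak = VulnerableLogin({"admin": "OwnerChosen!"})
    print("backdoor accepted on vulnerable build:",
          weak.login(BACKDOOR_USER, BACKDOOR_PASSWORD))
    strong = HardenedLogin()
    strong.add_user("admin", "OwnerChosen!")
    print("backdoor accepted on hardened build:",
          strong.login(BACKDOOR_USER, BACKDOOR_PASSWORD))
```

The point of the hardened class is not the hashing detail but the absence of any code path that can succeed without a secret the device owner controls; a static string checked anywhere in the login flow undoes everything else, which is why firmware and application reviews grep for string comparisons against literals before looking at anything else.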
Compromised NAS devices are also valuable to attackers as infrastructure: threat actors have been observed using exploited devices on residential IP space, including publicly facing NAS devices and small office and home office routers from multiple vendors, to proxy their connections to the webshells they placed on those devices. Because the proxy devices sit in the same country as the victim, the actor's activity blends in with normal telework user traffic.
QNAP initially believed that the new Qlocker ransomware strain was exploiting the SQL injection vulnerability CVE-2020-36195 in Multimedia Console and the Media Streaming add-on to encrypt data on vulnerable devices.
This is exactly the situation that has been developing since at least April 19th, when the attackers behind a massive campaign deploying Qlocker started moving QNAP customers’ files into password-protected 7-Zip archives and demanding ransoms.
In a recent update, QNAP confirmed that Qlocker ransomware has used the removed backdoor account to hack into some customers’ NAS devices and encrypt their files.
There appear to be a number of users affected by ransomware (Qlocker) due to this vulnerability. Please update your HBS 3 version ASAP.
What I can’t find being addressed is why, in 2021, there are back-door credentials in systems at all, and for what possible purpose QNAP uses them.