
Recently, Taiwanese hardware vendor QNAP successfully prevented an attack by removing malicious servers used for brute-force attacks targeting QNAP NAS (Network Attached Storage) devices. The attack was possible because the exposed devices used weak passwords.
QNAP successfully blocked hundreds of zombie IP addresses within 7 hours using QuFirewall, a default firewall built into QNAP devices. They also identified the source of the C&C (Command & Control) servers within 48 hours. Fortunately, the quick responses prevented further attacks on numerous QNAP NAS devices exposed online.
Uncovering Externally Exposed QNAP NAS Devices
Exposed QNAP NAS devices are a regular target of brute-force attacks, and where a brute-force attack occurs, a ransomware attack is also plausible. Although QNAP reacted quickly to limit the damage, the exposed NAS devices remain a target for attackers.
By utilizing the product filter in Criminal IP Asset Search, you can find QNAP servers connected to the internet.
Search Query: “product:QNAP”

The search revealed more than 57,000 servers still running exposed QNAP NAS devices.
While not all servers are at risk of brute-force attacks or ransomware, attackers will prioritize targeting externally exposed NAS devices when identifying potential victims. If you use weak passwords on any of these devices/servers, your information could be stolen through a brute-force attack. Moreover, you may even suffer economic damages from a ransomware attack.

According to country statistics on exposed QNAP devices, Germany has the highest number with 6,700, followed by Italy and Taiwan.
QNAP devices are not the only ones at risk: any externally exposed NAS server can easily be targeted by attackers. Because NAS is often used for backups and for sharing sensitive files, it can be targeted by attackers looking to steal or encrypt important documents, or to install information-stealing malware.
QNAP NAS Servers Still Vulnerable
Among the exposed QNAP NAS servers found in the search, many are in a dangerous state and can easily be targeted by attackers. By blocking attackers, QNAP has mitigated recent threats, but attackers may have other methods up their sleeves.
In the Asset Search report below, you can observe an IP address linked to a QNAP NAS device.
There are a total of 7 open ports: a QNAP NAS device is running on port 21, and port 22 is open and associated with several vulnerabilities. Devices that operate on IP addresses with such vulnerabilities are more susceptible to being targeted by attackers.

In addition to the recent attacks targeting QNAP, attacks targeting NAS servers in general are still ongoing. Synology, another NAS manufacturer, has also warned its customers about brute-force attacks attempted through the StealthWorker botnet. It advises customers that successful attacks could lead to ransomware infections and urges users to pay close attention.
To keep your NAS devices safe, QNAP recommends changing the default access port number as well as disabling port forwarding on the router and UPnP on the NAS device. QNAP also urged people to implement appropriate security measures such as strong passwords for their accounts, password policies, and disabling administrator accounts. All businesses and organizations utilizing NAS should follow these vendor recommendations. Furthermore, they should always use tools such as the Criminal IP search engine or Criminal IP ASM (Attack Surface Management) to check for exposed external devices.
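As an added example (not QNAP's, Synology's or Criminal IP's code), the Python below shows why botnet-driven brute-force attacks like those described above call for a per-account rule in addition to a per-IP threshold: each zombie IP may fail only once, so counting failures per source alone misses them. The log format, thresholds, account names and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log; the line format is an assumption, not QNAP's.
SAMPLE_LOG = """\
2024-01-10T03:00:01 login_failed user=admin src=203.0.113.10
2024-01-10T03:01:12 login_failed user=admin src=203.0.113.11
2024-01-10T03:02:30 login_failed user=admin src=203.0.113.12
2024-01-10T03:03:44 login_failed user=admin src=203.0.113.13
2024-01-10T03:05:02 login_failed user=admin src=203.0.113.14
2024-01-10T03:06:15 login_failed user=admin src=203.0.113.15
2024-01-10T03:10:00 login_failed user=backup src=198.51.100.7
2024-01-10T03:10:05 login_failed user=backup src=198.51.100.7
2024-01-10T03:10:10 login_failed user=backup src=198.51.100.7
2024-01-10T03:10:15 login_failed user=backup src=198.51.100.7
2024-01-10T03:10:20 login_failed user=backup src=198.51.100.7
2024-01-10T03:20:00 login_failed user=alice src=192.0.2.20
2024-01-10T03:20:30 login_ok user=alice src=192.0.2.20
"""

def parse(log):
    """Return (time, event, user, source) tuples; skip lines without 4 fields."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, event, user, src = parts
            events.append((datetime.fromisoformat(ts), event,
                           user.partition("=")[2], src.partition("=")[2]))
    return events

def windows(fails, span):
    """Yield, for each failure, the failures within `span` after it."""
    fails = sorted(fails)
    for i, (start, _) in enumerate(fails):
        yield [f for f in fails[i:] if f[0] - start <= span]

def detect(events, span=timedelta(minutes=10), per_ip=5, distinct_sources=5):
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, event, user, src in events:
        if event == "login_failed":
            by_ip[src].append((ts, src))
            by_user[user].append((ts, src))
    # Classic rule: a single source failing repeatedly.
    noisy = {ip for ip, f in by_ip.items()
             if any(len(w) >= per_ip for w in windows(f, span))}
    # Botnet rule: one account failing from many different sources.
    sprayed = defaultdict(set)
    for user, f in by_user.items():
        for w in windows(f, span):
            sources = {src for _, src in w}
            if len(sources) >= distinct_sources:
                sprayed[user] |= sources
    return noisy, dict(sprayed)
```

On the sample, the per-IP rule flags only the single noisy source, while the per-account rule is what surfaces the six addresses that each tried `admin` once.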
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Source: Criminal IP (https://www.criminalip.io)
