Quick and easy installation of network devices is rarely a good way to manage risk. Users of popular network storage devices are learning that allowing direct Internet access to their classified information, the information a business needs in order to function, is never a good idea, as Deadbolt so adeptly demonstrates.
Deadbolt, a ransomware strain that first appeared in January 2022, mainly targets NAS products from the Taiwanese company QNAP (Quality Network Appliance Provider), probably because QNAP holds about 53% of the market for the class of device being targeted. ASUSTOR NAS devices have also been attacked, but this article focuses on the main target.
While this is a look at a specific set of beleaguered devices, what we review here contains lessons for deploying critical information assets, including IoT and IIoT devices.
What is a QNAP NAS?
QNAP Network Attached Storage (NAS) devices, aimed at small/home offices, small businesses, and some medium-sized businesses, are relatively inexpensive, easy to set up, and often just as easy for threat actors to reach. While storage area networks (SANs) typically house an organization's databases, NAS storage holds Word documents, Excel spreadsheets, and other files containing data of every classification.
Paul Ducklin writes that these NAS boxes are "…preconfigured miniature servers, usually running Linux". For a small or home business setting up a QNAP NAS, the customer simply connects it to their router, and UPnP takes care of connectivity and availability. Larger organizations may require a more sophisticated setup for wired access, but this quick and easy deployment approach is also the easy path by which a NAS ends up reachable from the Internet.
Outward-facing UPnP challenges
UPnP, known to many security professionals and threat actors alike as Universal PWN and Play, is a set of protocols that lets any device on a network discover any other device and open sessions with it, with no intrinsic authentication at all.
The intent behind UPnP was originally to provide home and home office users with an easy way to connect new devices to their internal networks. It was never intended to be used in a corporate network environment, nor was it intended to be used to enable remote access.
What makes QNAP NAS devices easy to set up is UPnP being enabled on both the network router and the devices being connected. The router uses UPnP to identify UPnP-enabled devices and adds the mappings they request to its own port-forwarding table. A crucial point to remember: if a threat actor can talk to a device via UPnP, she can eventually use every service it exposes or reconfigure the device's settings.
Once a device is known to the router, the router configures port mappings for the services the device offers. When UPnP port forwarding is enabled on a wireless router, as in Figure 2, any external entity that sends a session request to the router's public-facing interface on port 55536 is forwarded to the QNAP NAS at 192.168.1.32. In effect, the NAS is directly connected to the Internet, along with every known or unknown misconfiguration and coding vulnerability it carries.
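The exchange just described, as an added example that is not from the article or from QNAP: a UPnP client on the LAN asks the router to open a hole, and the router obeys without asking who is asking. The SOAP action and argument names are the real WANIPConnection:1 AddPortMapping ones; the router is modelled as a plain dictionary, and the NAS address and internal port (8080, assumed to be the web admin listener) are assumptions for illustration.

```python
# Added example, not from the article or from QNAP: a UPnP IGD client asking
# the router to open a hole, and what that hole resolves to for an
# unauthenticated host on the Internet. The SOAP action and argument names are
# the real WANIPConnection:1 AddPortMapping ones; the router is modelled as a
# plain dict, and the NAS address/ports are assumptions for illustration.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
ET.register_namespace("s", SOAP_NS)
ET.register_namespace("u", WANIP_NS)


def build_add_port_mapping(external_port, internal_client, internal_port,
                           protocol="TCP", description="QNAP NAS", lease=0):
    """Build the SOAP body a UPnP client sends to the router's IGD endpoint.

    Note what is missing: there is no credential argument anywhere in this
    action, so any host on the LAN (or any code running on one) can send it.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    action = ET.SubElement(body, f"{{{WANIP_NS}}}AddPortMapping")
    for name, value in [
        ("NewRemoteHost", ""),               # empty = accept from any source
        ("NewExternalPort", external_port),
        ("NewProtocol", protocol),
        ("NewInternalPort", internal_port),
        ("NewInternalClient", internal_client),
        ("NewEnabled", 1),
        ("NewPortMappingDescription", description),
        ("NewLeaseDuration", lease),         # 0 = no expiry
    ]:
        ET.SubElement(action, name).text = str(value)
    return ET.tostring(env, encoding="unicode")


class IgdRouter:
    """Stand-in for the router's port-forwarding table (the IGD's WAN side)."""

    def __init__(self):
        # (protocol, external_port) -> (internal_client, internal_port, description)
        self.mappings = {}

    def handle(self, soap_xml):
        """Accept an AddPortMapping request the way a real IGD does: no checks."""
        root = ET.fromstring(soap_xml)
        action = root.find(f".//{{{WANIP_NS}}}AddPortMapping")
        if action is None:
            raise ValueError("only AddPortMapping is modelled here")
        arg = action.findtext
        key = (arg("NewProtocol"), int(arg("NewExternalPort")))
        self.mappings[key] = (arg("NewInternalClient"),
                              int(arg("NewInternalPort")),
                              arg("NewPortMappingDescription"))
        return key

    def route_inbound(self, protocol, dst_port):
        """Where does a packet arriving on the public interface end up?"""
        entry = self.mappings.get((protocol, dst_port))
        if entry is None:
            return None          # no mapping: dropped at the perimeter
        client, port, _ = entry
        return client, port


def demo():
    """Reproduce the Figure 2 scenario: external 55536 lands on the NAS."""
    router = IgdRouter()
    # Assumed: the NAS's web admin listens on 8080 on the LAN side.
    router.handle(build_add_port_mapping(55536, "192.168.1.32", 8080))
    return {
        "from_internet_55536": router.route_inbound("TCP", 55536),
        "from_internet_8080": router.route_inbound("TCP", 8080),
    }


if __name__ == "__main__":
    print(build_add_port_mapping(55536, "192.168.1.32", 8080))
    print(demo())
```

The point to take from the request body is the absence of any identity: the IGD has no way to distinguish the NAS asking for a mapping from malware on a laptop asking for one, which is why the only robust control is turning UPnP off at the router rather than trusting the devices behind it.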
The QNAP attack
Once threat actors can reach a QNAP device, they exploit vulnerabilities in its resident software and services to install and run their ransomware package. Over the past year they have exploited several vulnerabilities that QNAP quickly fixed. The most recent attack, on September 22, exploited a previously unknown vulnerability in Photo Station that QNAP patched in approximately 12 hours.
The problem isn’t just with UPnP. It’s also with the practice of exposing internal network devices to the public internet in any way.
Stephen Hilt, Éireann Leverett and Fernando Mercês of Trend Micro provide a good walk-through of how Deadbolt infected vulnerable QNAP devices in June 2022. The attack path was the same in September, with a different software vulnerability being exploited. Hilt et al. provide the following high-level view:
- Deadbolt uses a configuration file that dynamically chooses specific settings based on the vendor it targets, making it highly adaptable to new campaigns across multiple vendors.
- The threat actors offer two payment options: a victim pays for a decryption key for their own device, or the NAS vendor pays for a master key that supposedly decrypts all affected customers' devices. So far, neither QNAP nor ASUSTOR has purchased a master key, priced at over $1 million.
- The key to decrypt a single customer's device costs approximately $1,200, a ransom that fewer than 10% of victims choose to pay.
There is an interesting discussion on Reddit in which affected users describe how they paid for keys after the June 2022 attack and how the decryption worked. It is also apparent that one of QNAP's subsequent fixes prevented the decryption keys purchased after the June attack from being used. QNAP does provide detailed instructions for dealing with this problem, but they are not for the uninitiated. Keys for the September attacks may not be affected.
Your defense starts with not exposing your storage devices to the public Internet. This is an essential safety requirement that most users either don't know about or, if they do, don't realize they have violated by punching a hole in the perimeter. QNAP publishes safe configuration recommendations for its services, including turning off port forwarding, but customers have to actually heed the vendor's advice.
QNAP provides a cloud service, myQNAPcloud, that offers a safer way to reach your NAS, including an easy way to configure routers for external access, manage least privilege, and provision multi-factor authentication. The most important security element of this setup is the removal of direct public Internet access to all of a customer's NAS devices.
Setting up myQNAPcloud is a critical element of QNAP’s recommended approach to secure NAS access:
- Disable port forwarding on your router
- Configure myQNAPcloud on the NAS to enable secure remote access and prevent exposure to the public Internet
- Update the firmware of the NAS to the latest version [while ensuring reasonable and appropriate supply chain risk management]
- Update all applications on the NAS to the latest versions
- Enforce strong authentication for all NAS user accounts
- Take snapshots and back up regularly to keep your data safe
Another safeguard I'd add to this list is changing the default port numbers for NAS services. This won't reduce the risk significantly, since a port scanner finds a service whatever port it listens on, but it's easy to do and adds friction to the threat actors' efforts.
This is a story of what happens when storage is made available directly to the public Internet via a high-risk method such as port forwarding. Port forwarding has value, but it should never grant direct access to data.
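Verifying the first step of that list, as an added example that is not from the article, QNAP or the miniupnpc project: the mapping table that miniupnpc's `upnpc -l` prints for the router is parsed, every mapping that lands on a NAS is flagged, and the `upnpc -d` commands that remove them are generated. The sample tool output is constructed; the NAS address comes from the article's Figure 2, and the list of NAS service ports that should never face the Internet is an assumption for illustration.

```python
# Added example, not from the article, QNAP or the miniupnpc project: parse
# the mapping table that miniupnpc's `upnpc -l` prints for the router, flag
# every mapping that lands on a NAS, and emit the `upnpc -d` commands that
# remove them. The sample output, the NAS address (taken from the article's
# Figure 2) and the list of NAS service ports are constructed/assumed.
import re

# Constructed sample of `upnpc -l` output (format of miniupnpc's upnpc tool).
SAMPLE_UPNPC_LIST = """\
List of UPNP devices found on the network :
 desc: http://192.168.1.1:1900/igd.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.1.1:1900/upnp/control/WANIPConn1
Local LAN ip address : 192.168.1.10
ExternalIPAddress = 203.0.113.7
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 55536->192.168.1.32:8080 'QNAP NAS' '' 0
 1 TCP   443->192.168.1.32:443 'QNAP NAS' '' 0
 2 UDP 51413->192.168.1.20:51413 'Transmission' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# Assumed: addresses of NAS units on this LAN, and the service ports that
# should never be reachable from the Internet regardless of the external port.
NAS_HOSTS = {"192.168.1.32"}
NAS_SERVICE_PORTS = {21: "FTP", 22: "SSH", 443: "HTTPS admin",
                     445: "SMB", 8080: "HTTP admin"}

MAPPING_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$")


def parse_upnpc_list(text):
    """Return one dict per mapping line; header and status lines are ignored."""
    mappings = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("idx", "ext", "port", "lease"):
                d[k] = int(d[k])
            mappings.append(d)
    return mappings


def find_nas_exposure(mappings, nas_hosts=NAS_HOSTS):
    """Mappings whose internal client is a NAS: each one is a hole in the perimeter.

    A non-empty remoteHost would at least restrict the source; '' means anyone.
    """
    exposed = []
    for m in mappings:
        if m["host"] in nas_hosts:
            m = dict(m)
            m["service"] = NAS_SERVICE_PORTS.get(m["port"], "unknown service")
            m["any_source"] = m["remote"] == ""
            exposed.append(m)
    return exposed


def removal_commands(exposed):
    """`upnpc -d <external_port> <protocol>` deletes one mapping on the IGD."""
    return [f"upnpc -d {m['ext']} {m['proto']}" for m in exposed]


if __name__ == "__main__":
    found = find_nas_exposure(parse_upnpc_list(SAMPLE_UPNPC_LIST))
    for m in found:
        print(f"{m['proto']} {m['ext']} -> {m['host']}:{m['port']} "
              f"({m['service']}, any source: {m['any_source']})")
    print("\n".join(removal_commands(found)))
```

Deleting mappings with `upnpc -d` is only a stopgap: the NAS, or any other UPnP client on the LAN, will simply request them again. The lasting fix is the first item in QNAP's list, disabling UPnP and port forwarding at the router, after which rerunning `upnpc -l` should show no mapping at all for the NAS addresses.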
Organizations and individuals should always have a layer of defense between data storage and those who wish to access it, whether from the internal network or remotely. Applications that enforce least privilege, strong authentication, logging, and monitoring are the best way to create this layer. If a NAS or other storage provider has one, use it. If they don’t, build one. If neither of these are an option, look for another provider.