How to Defend Against Deadbolt Ransomware Attacks On NAS Devices

Quick and easy network device installation is rarely a good way to manage risk. Users of popular network storage devices are learning that enabling direct Internet access to their sensitive information, the information needed to run the business, is never a good idea, as Deadbolt demonstrates.

Deadbolt, a ransomware family that appeared in January 2022, primarily targets NAS products from the Taiwanese company QNAP (Quality Network Appliance Provider), possibly because QNAP holds roughly 53 percent of the market share for the targeted class of systems. ASUSTOR NAS devices have also been attacked, but this article focuses on the primary target.

While this is a look at a specific set of embedded devices, the lessons here apply to the deployment of any critical information asset, including IoT and IIoT devices.


What is QNAP NAS?

For small and home offices, small businesses, and some medium-sized businesses, QNAP NAS (Network Attached Storage) devices are relatively inexpensive, easy to set up, and, too often, easily reachable by threat actors. Where a storage area network (SAN) houses an organization’s databases, NAS storage houses Word documents, Excel spreadsheets, and other files organized in directory hierarchies.

[Figure: QNAP TS-664]

Paul Ducklin writes that these NAS boxes are “…small, preconfigured servers, typically running Linux.” A small business or home user installing a QNAP NAS plugs it into the router, and UPnP takes care of connectivity and availability. Larger organizations may require a more sophisticated configuration for wired access, but this quick and easy method is the path of least resistance to giving a NAS basic Internet reachability.

Externally facing UPnP challenges

UPnP, known to many security professionals and threat actors as Universal Pwn and Play, is a set of protocols that lets any device on a network discover any other device and establish sessions with it. UPnP has no inherent authentication capability.


The purpose behind UPnP was originally to provide home and home office users with an easy way to connect new devices to their internal networks. It was never intended to be used in an enterprise network environment, nor should it ever have been used to enable remote access.

What makes QNAP NAS devices easy to set up is UPnP, enabled on both the network router and the devices to be connected. The router uses UPnP to identify available UPnP-enabled devices and add them, including port-forwarding rules for the services they advertise. An important point to remember: if a threat actor can communicate with a device via UPnP, they can potentially use every service it advertises or alter the device’s settings.

Once a device becomes known to the router, the router configures port mappings for the services the device offers. With UPnP port forwarding enabled on the wireless router, as in Figure 2, any external party that sends a session request to the router’s public-facing interface on port 55536 is forwarded to the QNAP NAS at 192.168.1.32. In effect, the NAS is connected directly to the Internet, along with all of its known and unknown misconfiguration and coding risks.
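To make the port-mapping step concrete, here is an added example (not the article’s, QNAP’s, or Trend Micro’s code) that walks a gateway’s UPnP forwarding table the way a LAN-side attacker or an auditor would, and flags every row that lands on a NAS. It assumes the router implements the WANIPConnection:1 service and that you already have that service’s controlURL (taken from the device description XML that the SSDP LOCATION header points to); the router answers embedded below are constructed samples, including the 55536-to-192.168.1.32 mapping described above, not a capture from a real device.

```python
"""Walk a UPnP gateway's port-forwarding table: the check behind "what did UPnP
open on my router?". Added example, not QNAP's or Trend Micro's code. Assumed, not
from the article: the router exposes WANIPConnection:1 and its controlURL is known."""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
CTRL_NS = "{urn:schemas-upnp-org:control-1-0}"
ENV = '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'

@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str

def build_get_mapping(index: int) -> bytes:
    """SOAP body for GetGenericPortMappingEntry(NewPortMappingIndex=index); no credentials."""
    return (f'{ENV}<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode()

def parse_mapping_response(xml_text: str) -> Optional[PortMapping]:
    """One table row, or None when the gateway answers UPnPError 713 (index past end)."""
    root = ET.fromstring(xml_text)
    code = root.findtext(f".//{CTRL_NS}errorCode")
    if code is not None:
        if code.strip() == "713":
            return None
        raise RuntimeError(f"UPnP error {code.strip()}")
    body = root.find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    if body is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    txt = body.findtext  # child elements carry no namespace in the response
    return PortMapping(int(txt("NewExternalPort")), txt("NewProtocol", ""),
                       txt("NewInternalClient", ""), int(txt("NewInternalPort")),
                       txt("NewPortMappingDescription", ""))

def walk_mappings(post: Callable[[bytes], str], limit: int = 1024) -> List[PortMapping]:
    """Read rows 0, 1, 2, ... until the gateway answers 713."""
    rows = []
    for index in range(limit):
        row = parse_mapping_response(post(build_get_mapping(index)))
        if row is None:
            break
        rows.append(row)
    return rows

def soap_poster(control_url: str) -> Callable[[bytes], str]:
    """Live transport. SOAP faults arrive as HTTP 500, so return the fault body
    instead of raising, letting parse_mapping_response see the 713."""
    def post(body: bytes) -> str:
        req = urllib.request.Request(control_url, data=body, method="POST", headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.read().decode()
    return post

def exposures(rows: List[PortMapping], nas_hosts: List[str]) -> List[PortMapping]:
    """Rows that hand the Internet a path to a NAS; a hardened LAN has none."""
    return [r for r in rows if r.internal_client in nas_hosts]

# Constructed sample answers standing in for a real router (not a capture).
def _row(ext: int, proto: str, client: str, port: int, desc: str) -> str:
    return (f'{ENV}<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
            f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration>"
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

SAMPLE_713 = (f"{ENV}<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError"
              '</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
              "<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid"
              "</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>")
SAMPLE_TABLE = [
    _row(55536, "TCP", "192.168.1.32", 8080, "QNAP NAS"),     # the Figure 2 mapping
    _row(443, "TCP", "192.168.1.32", 443, "QNAP NAS https"),
    _row(3074, "UDP", "192.168.1.50", 3074, "game console"),  # not a NAS, not flagged
]

def sample_post(body: bytes) -> str:
    """Offline stand-in for soap_poster(): serve SAMPLE_TABLE, then 713."""
    index = int(re.search(rb"<NewPortMappingIndex>(\d+)<", body).group(1))
    return SAMPLE_TABLE[index] if index < len(SAMPLE_TABLE) else SAMPLE_713

def audit_sample() -> List[PortMapping]:
    """Walk the sample router and keep only the rows that reach the NAS.
    Live use: exposures(walk_mappings(soap_poster(control_url)), ["192.168.1.32"])"""
    return exposures(walk_mappings(sample_post), nas_hosts=["192.168.1.32"])
```

Nothing in this exchange carries a credential, which is the whole problem with UPnP on a perimeter router. `upnpc -l` from miniupnpc performs the same GetGenericPortMappingEntry walk from the command line; whichever you use, repeat it after disabling port forwarding on the router to confirm the NAS no longer appears in the table.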


QNAP attack

Once threat actors can reach a QNAP device, they exploit vulnerabilities in its resident software and services to install and execute their ransomware package. Over the past year they have exploited a series of vulnerabilities, each of which QNAP quickly patched. The latest attack, in September 2022, exploited a previously unknown vulnerability in Photo Station that QNAP patched within about 12 hours.

The problem is not just UPnP. It is the practice of exposing internal network devices to the public Internet by any means.


Stephen Hilt, Éireann Leverett, and Fernando Mercês of Trend Micro provide a good walkthrough of how Deadbolt affected vulnerable QNAP devices in June 2022; the attack path in September was the same, exploiting a different software vulnerability. Hilt et al. give the following high-level view:

  • Deadbolt uses a configuration file that dynamically selects settings based on the target vendor, making it highly adaptable to new campaigns across multiple vendors.
  • The threat actors offer two payment paths: a victim pays for a decryption key for their own device, or the NAS vendor pays for a master key that supposedly decrypts all affected devices of that vendor. So far, neither QNAP nor ASUSTOR has bought a master key, priced at more than $1 million.
  • The key to decrypt an individual user’s device costs about $1,200, which fewer than 10 percent of victims choose to pay.

An interesting Reddit thread has affected users discussing how they paid for keys after the June 2022 attack and how the decryption worked. It also appears that one of the fixes QNAP made to its systems broke the use of decryption keys supplied after the June payments. QNAP does offer detailed instructions for dealing with this problem, but they are not for the uninitiated. Keys from the September attacks may not be affected.

Defensive play

Defenses begin with not exposing storage devices to the public Internet. This is an essential security requirement that most consumers are unaware of, or, if they are aware, they do not realize they have opened a gaping hole in the wall. In the case of QNAP services, QNAP publishes secure-configuration advice, including turning off port forwarding. But customers have to actually pay attention to vendor security advice.

QNAP provides a cloud service, myQNAPcloud, which offers a safer way to access NAS devices, including an easy way to configure routers for external access, least-privilege management, and multi-factor authentication. The most important security element of this configuration is removing direct public Internet access to all of the customer’s NAS devices.


Setting up myQNAPcloud is a central element of QNAP’s recommended procedure for securing NAS access:

  1. Disable port forwarding on the router.
  2. Set up myQNAPcloud on the NAS to enable secure remote access and prevent public Internet exposure.
  3. Update the NAS firmware to the latest version. [while ensuring reasonable and appropriate supply chain risk management]
  4. Update all applications on the NAS to their latest versions.
  5. Apply strong authentication to all NAS user accounts.
  6. Take snapshots and back up regularly to protect your data.

Another control I would add to this list is changing the default port numbers for NAS services. This will not significantly reduce the threat, since a port scan or an Internet-wide scanning service finds the moved service anyway, but it is easy to do and weeds out attackers who only try the defaults.

Final thoughts

This is the story of what happens when storage is made directly available on the public Internet through a high-risk method like port forwarding. Port forwarding has value, but should never allow direct access to data.

Organizations and individuals must always have a layer of defense between data storage and those who want to access it, whether from an internal network or remotely. Applications that implement least privilege, strong authentication, logging, and monitoring are the best way to build this layer. If a NAS or other storage provider has one, use it. If they don’t, make one. If none of these are options, look for another vendor.
