
Warning: DeadBolt Ransomware operators are actively exploiting a QNAP 0-DAY vulnerability, PATCH NOW!

Reference: Advisory #2022-22
Version: 1.0
Affected software: Internet-facing QNAP devices with Photo Station
CVE/CVSS:

Sources

https://www.qnap.com/en/security-advisory/qsa-22-24

Risks

DeadBolt ransomware operators are actively exploiting a 0-day vulnerability in QNAP Photo Station in the wild. The vulnerability affects Internet-facing QNAP devices that have Photo Station installed.

QNAP released security updates 12 hours after detecting the surge in ransomware attacks.

The Centre for Cyber Security Belgium (CCB) recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.
This advisory contains instructions to help your organisation do so.
 
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Recommended Actions

Scope

Create an inventory of all QNAP devices and the software running on them, and check each entry against the fixed versions below. Note that the minimum patched Photo Station version depends on the QTS release the device runs.

The vulnerability is fixed in the versions below:

  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later
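The version table above is easy to misread by hand (a 6.0.9 build sorts after 6.0.22 as a string, and the required Photo Station build differs per QTS line), so here is an added example, written for this advisory and not QNAP's or the CCB's own tooling, that classifies an inventory of devices as patched or vulnerable. The fixed-version table is the one listed above; the rule that any QTS 4.5.x or 5.0.0 build maps to the 6.0.22 line, and the device inventory, are assumptions constructed for the example.

```python
"""Check an inventory of QNAP devices against the QSA-22-24 fixed-version table.

Added example for this advisory, not QNAP or CCB tooling. The QTS-branch
matching (any 4.5.x build -> 6.0.22 line, etc.) is an assumption drawn from
the advisory's grouping; the inventory below is constructed, not real data.
"""
from __future__ import annotations

# Minimum patched Photo Station version per QTS release line (from the advisory).
FIXED_VERSIONS = [
    # (QTS version prefix, minimum fixed Photo Station version)
    ("5.0.1", "6.1.2"),
    ("5.0.0", "6.0.22"),
    ("4.5", "6.0.22"),
    ("4.3.6", "5.7.18"),
    ("4.3.3", "5.4.15"),
    ("4.2.6", "5.2.14"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '6.0.22' into (6, 0, 22) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.strip().split("."))


def required_photo_station(qts_version: str) -> str | None:
    """Return the minimum fixed Photo Station version for a QTS build, or None if
    the QTS line is not covered by the advisory."""
    qts = parse_version(qts_version)
    for prefix, fixed in FIXED_VERSIONS:
        p = parse_version(prefix)
        if qts[: len(p)] == p:
            return fixed
    return None


def assess(qts_version: str, photo_station_version: str | None) -> str:
    """Classify one NAS as 'patched', 'vulnerable', 'not-installed' or 'unknown'."""
    if photo_station_version is None:
        return "not-installed"  # Photo Station absent: not exposed to this bug
    fixed = required_photo_station(qts_version)
    if fixed is None:
        return "unknown"        # QTS line not in the advisory: check QNAP directly
    if parse_version(photo_station_version) >= parse_version(fixed):
        return "patched"
    return "vulnerable"


# Constructed inventory (hostname, QTS build, Photo Station version); not real devices.
INVENTORY = [
    ("nas-hq-01", "5.0.1.2131", "6.1.2"),
    ("nas-hq-02", "5.0.0.2055", "6.0.21"),
    ("nas-branch-01", "4.5.4.2117", "6.0.22"),
    ("nas-legacy", "4.3.3.2057", "5.4.14"),
    ("nas-backup", "5.0.1.2131", None),
    ("nas-test", "4.4.1.0", "6.0.22"),
]


def assess_inventory(inventory=INVENTORY) -> dict[str, str]:
    """Map every hostname in the inventory to its verdict."""
    return {host: assess(qts, ps) for host, qts, ps in inventory}


if __name__ == "__main__":
    for host, verdict in assess_inventory().items():
        print(f"{host:15} {verdict}")
```

Devices reported as "unknown" run a QTS line the advisory does not list; treat them as unpatched until QNAP's own advisory confirms otherwise, and treat "vulnerable" devices that are Internet-facing as priority candidates for the post-patch checks in the Monitor/Detect section.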

Patch

To protect your NAS from the DeadBolt ransomware, QNAP strongly recommends securing your QNAP NAS devices and routers by following these instructions:

  1. Disable the port forwarding function on the router.
  2. Set up myQNAPcloud on the NAS to enable secure remote access and prevent exposure to the internet.
  3. Update the NAS firmware to the latest version.
  4. Update all applications on the NAS to their latest versions.
  5. Apply strong passwords for all user accounts on the NAS.
  6. Take snapshots and back up regularly to protect your data.

Mitigate

QNAP recommends QuMagie as an alternative to Photo Station for managing photo storage on a QNAP NAS. Moving to it lets you uninstall the affected application rather than keep it patched and reachable.

Extra Precautions

A QNAP NAS should not be directly connected to the internet. Use the myQNAPcloud Link feature provided by QNAP, or enable the VPN service, to limit your attack surface.

Monitor/Detect
 
The CCB recommends that organisations scale up their monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.

When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify that no exploitation occurred in the time between the patch becoming available and being applied. Because this vulnerability was exploited as a 0-day, that window also includes the period before the patch existed, so devices that were Internet-facing with Photo Station installed should be checked for signs of encryption even if they were patched promptly.
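As an added example of the post-patch check described above (written for this advisory, not CCB or QNAP tooling), the script below sweeps a mounted NAS share for two signs that files were already encrypted before the patch landed. The ".deadbolt" file suffix is the indicator widely reported for this ransomware family but is not stated on this page, so it is treated here as an assumption and kept in one configurable tuple. The second check generalises beyond that family: it flags any unfamiliar extension appended on top of a known media or document extension ("photo.jpg.xyz") once it covers a noticeable share of the files, which catches a mass rename whatever suffix a newer variant uses. The sample share is constructed in a temporary directory.

```python
"""Post-patch sweep of a NAS share for signs of prior ransomware encryption.

Added example for this advisory, not CCB or QNAP tooling. RANSOM_SUFFIXES is an
assumed indicator (the widely reported DeadBolt suffix), not taken from the
advisory; the appended-extension heuristic is a generalisation for variants
that use a different suffix. make_sample_share() builds constructed test data.
"""
import os
import tempfile
from collections import Counter

RANSOM_SUFFIXES = (".deadbolt",)   # assumed indicator; extend from your own IR findings
KNOWN_EXTS = {".jpg", ".jpeg", ".png", ".heic", ".mp4", ".mov", ".pdf", ".docx", ".xlsx"}
BURST_THRESHOLD = 0.25             # flag when one appended suffix covers >25% of files


def appended_suffix(name: str):
    """Return the extra extension if `name` looks like 'photo.jpg.xyz' (a known
    extension followed by an unfamiliar one), else None."""
    stem, outer = os.path.splitext(name.lower())
    _, inner = os.path.splitext(stem)
    return outer if (outer and inner in KNOWN_EXTS) else None


def sweep(root: str) -> dict:
    """Walk `root`; report known ransom-suffix files and any appended-suffix burst."""
    total = 0
    suspect = []
    appended = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if name.lower().endswith(RANSOM_SUFFIXES):
                suspect.append(os.path.join(dirpath, name))
            extra = appended_suffix(name)
            if extra:
                appended[extra] += 1
    burst = None
    if appended:
        ext, n = appended.most_common(1)[0]
        if n / total > BURST_THRESHOLD:
            burst = {"suffix": ext, "count": n, "total": total}
    return {"total": total, "suspect": sorted(suspect), "burst": burst}


def make_sample_share() -> str:
    """Constructed sample share (not real NAS data): three untouched files, three
    files already renamed with an appended suffix, and a text file, spread over
    the share root and one sub-album."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "album"), exist_ok=True)
    names = ["a.jpg", "b.JPG", "c.png", "d.jpg.deadbolt", "e.jpg.deadbolt",
             "f.mp4.deadbolt", "readme.txt"]
    for i, name in enumerate(names):
        sub = "album" if i % 2 else ""
        with open(os.path.join(root, sub, name), "wb") as fh:
            fh.write(os.urandom(32))   # content is irrelevant; names drive the checks
    return root


if __name__ == "__main__":
    report = sweep(make_sample_share())
    print(f"{report['total']} files scanned, {len(report['suspect'])} with a known ransom suffix")
    if report["burst"]:
        b = report["burst"]
        print(f"appended suffix {b['suffix']} on {b['count']}/{b['total']} files: investigate")
```

Point it at the real share root instead of the constructed one, and treat a non-empty suspect list or a burst as grounds to isolate the device and start incident response rather than to keep patching; the share should also be compared against a snapshot taken before the exposure window where one exists.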

Reference QNAP guide: https://www.qnap.com/en/security-advisory/qsa-22-24

References

https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/