img118

How Safe Are Storage Devices From a Ransomware Attack?

Updated on Apr 28, 2023

Does your organization use Network Attached Storage (NAS) devices? If you think that backing up data in these devices will keep you safe from a ransomware attack, you might have to revisit your security strategy.

Ransomware groups such as Qlocker and eCh0raix have been targeting QNAP products for a while now. While devices from Western Digital, Synology, ENC Security, and Asustor have also been on the radar, QNAP’s offerings have taken a hit with multiple targeted attempts at exploiting their internet-connected offerings.

In the latest NAS-related scenario, ALPHV, Maui, and H0lygh0st ransomware, together with the FIN7 APT group, have been playing first fiddle. 

Ransomware

Vendor

Product

Deadbolt

QNAP

QNAP NAS running Photo Station

Qlocker

QNAP

Hybrid Backup Sync, QTS, QuTS Hero, and QuTS Cloud

eCh0raix

QNAP

Photo Station, Hybrid Backup Sync, QTS, QuTS Hero, and QuTS Cloud

Maui

TerraMaster

NAS running TerraMaster operating system

H0lyGh0st

TerraMaster

NAS running TerraMaster operating system

ALPHV

Veritas

Backup Exec

Apart from the above, another product being exploited is the Veeam Backup and Replication Server, although the attacker in this case is the FIN7 APT group that has been known to deploy the BlackBasta ransomware.

Recent Updates:

More recently, ransomware groups like DeadBolt, Checkmate, and NamPoHyu have joined hands with Qlocker and eCh0raix to go after exposed storage devices.

Sep 06, 2022: DeadBolt ransomware was observed as exploiting CVE-2022-27593, a vulnerability in certain QNAP NAS devices running Photo Station.

Repeated attempts have been made to compromise all forms of storage devices in the last quarter of 2022, and the exploitation has continued in 2023. We urge organizations to patch associated vulnerabilities, upgrade to the latest firmware, disable port forwarding on routers, or use VPNs to prevent NAS devices from being accessible on the internet.

Should CISOs Be Worried About Storage Device Security?

Yes. For many organizations that do not have a robust security strategy in place, storage devices are the last line of defense against ransomware attacks. 

Storage devices form the crux of an organization and hold all the data that is needed for their day-to-day operations. In fact, with the work-from-home scenario, all organizations prefer network-attached devices that can be accessed from anywhere, at any time.

On the other hand, increased network accessibility has led to an increased concern for data backups. This has resulted in Network Attached Storage (NAS) devices replacing legacy hardware for maintaining data backups. These data backups serve as the organization’s fallback measure in case of a cyberattack.

Securin researchers are tracking this trend as part of our ransomware research. Check out our quarterly ransomware reports for more information about storage devices and the threats targeting them.

Attacks on Storage Devices

Let us look at some of the incidents from early 2022 that had impacted storage devices connected to the internet. These are a clear indication that the attacks on storage devices are continuous and recurring, making it a true cause for concern. Furthermore, it is not just local storage that is being targeted; cloud storage is as vulnerable to attacks as any other internet-connected device.

  • Jul 11, 2022: Threat cluster tracked as Raspberry Robin targets QNAP using worm-like Windows malware

  • Jul 8, 2022: New Checkmate ransomware used to encrypt data in exposed QNAP devices

  • Jun 22, 2022: Critical PHP flaw exposes QNAP NAS devices to RCE attacks

  • Jun 19, 2022: Researchers predict ransomware groups could encrypt files stored on Microsoft’s SharePoint and OneDrive applications by abusing the versioning feature

  • Jun 18, 2022: eCh0raix ransomware launches another wave of attacks on QNAP devices

  • Jun 10, 2022: Fujitsu cloud storage vulnerabilities could enable attackers to destroy virtual backups

  • Jun 02, 2022: Polonium APT group uses Microsoft OneDrive cloud storage platform for data exfiltration and command and control, while targeting and compromising Israeli organizations

  • May 19, 2022: QNAP warns of a fresh wave of DeadBolt ransomware attacks targeting TS-x51 series and TS-x53 series appliances running on QTS 4.3.6 and QTS 4.4.1.

  • Apr 28, 2022: Synology NAS devices exposed to attacks exploiting multiple, critical Netatalk vulnerabilities, including CVE-2022-23125, CVE-2022-23122, CVE-2022-0194,  and CVE-2022-23121

  • Mar 30, 2022: QNAP NAS devices exposed to high-severity OpenSSL bug

  • Mar 22, 2022: QNAP devices targeted in a new wave of DeadBolt ransomware attacks

  • Mar 14, 2022: CVE-2022-0847, the Linux vulnerability dubbed Dirty Pipe, endangers QNAP NAS devices

  • Feb 22, 2022: Data in Asustor NAS devices encrypted by DeadBolt ransomware

Although relatively old, we would also like to highlight how the Qlocker ransomware announced its presence by going after a then zero-day vulnerability (CVE-2021-28799) in QNAP devices, even before its vendor recognized the existence of the vulnerability.

A snippet from Securin’s Ransomware Report 2022

What Can Organizations Do to Protect Their Backup?

The first step to protecting data backups is to understand the exposure that attackers can leverage. To understand this, Securin has been continuously researching ransomware groups and the methods they use to attack their targets.

Address unpatched vulnerabilities 

Our researchers have identified the vulnerabilities in storage devices that are exploited by ransomware groups. We urge organizations to patch these vulnerabilities at the earliest to avoid exposing their NAS devices to attacks.

CVE

CWE

Ransomware Group

CVE-2022-27593

CWE-610

Deadbolt

CVE-2017-7494

CWE-20, CWE-94

eCh0raix

CVE-2018-19943

CWE-79

eCh0raix

CVE-2018-19949

CWE-77

eCh0raix

CVE-2018-19953

CWE-79

eCh0raix

CVE-2019-7192

CWE-269

eCh0raix

CVE-2019-7193

CWE-20

eCh0raix

CVE-2019-7194

CWE-610

eCh0raix

CVE-2019-7195

CWE-610

eCh0raix

CVE-2021-28799

CWE-285

eCh0raix, Qlocker

CVE-2021-27876

CWE-287

ALPHV

CVE-2021-27877

CWE-287

ALPHV

CVE-2021-27878

CWE-287

ALPHV

CVE-2022-24990

Maui, H0lyGh0st

CVE-2023-27532 is another CVE to watch out for as the vulnerability in Veeam Backup Servers is being targeted by the FIN7 APT group that has been previously linked to the BlackBasta ransomware group. 


Interestingly, over 60 percent of these vulnerabilities are introduced by improper code configurations that include improper neutralization of input and other special elements, and improper input validation, authorization, or privilege management. Care must be taken from the development stage itself to avoid introducing weaknesses in code, adopting a security-focused Shift-Left mindset right from the beginning.

Five of the ransomware vulnerabilities in storage devices that are known to be exploited by ransomware groups made it to the CISA KEVs after being repeatedly warned about by Securin in its blogs and Ransomware Reports. In fact, CVE-2017-7494 was only recently added to the list (April 2023), months after Securin’s call-out.

We would also like to call out a few vulnerabilities in storage devices that, although not associated with ransomware groups yet, have been highlighted by CISA in their KEV catalog.

Vulnerability

Vendor

Product

CVE-2020-2506

QNAP Systems

Helpdesk

CVE-2020-2509

QNAP

QNAP Network-Attached Storage (NAS)

CVE-2019-16057

D-Link

DNS-320 Storage Device

CVE-2020-9054

Zyxel

Multiple Network-Attached Storage (NAS) Devices

CVE-2018-14839

LG

N1A1 NAS

Be wary of ransomware groups 

Securin researchers have identified two ransomware groups: Qlocker and eCh0raix, targeting vulnerabilities in storage devices, particularly NAS devices. The DeadBolt and Checkmate ransomware groups are the latest to join the trend, going after weaknesses that can be easily exploited. Our analysts are constantly on the lookout for attack vectors utilized by these groups. It is also believed the Sabbath ransomware gang specifically targets backups as part of its triple extortion method. Stay tuned to our blogs to be notified as we unearth more information about the groups.

Lax Response Despite Repeated Warnings by Vendors

Surprisingly, vendors of storage devices have released multiple warnings and updates addressing the vulnerabilities as they were exploited. Despite this, we see multiple NAS devices exposed to the internet. Lack of cyber hygiene is the usual suspect here.

  • Sep 05, 2022: QNAP patches zero-day vulnerability exploited by DeadBolt ransomware

  • Jun 17, 2022:  QNAP warns customers to secure their devices against a new campaign of attacks pushing DeadBolt ransomware

  • May 06, 2022 : QNAP releases firmware update patching nine security weaknesses in QVR 5.1.6 build 20220401 and later

  • April 19, 2022: QNAP urges customers to disable Universal Plug and Play (UPnP) port forwarding on their routers to prevent exposing NAS devices to attacks from the internet

  • Mar 26, 2022: Critical-severity RCE vulnerability identified in Western Digital’s My Cloud OS5 devices

  • Mar 24, 2022: Western Digital releases new My Cloud OS firmware to fix the heavily exploited CVE-2022-23121

  • Feb 14, 2022: QNAP extends support to some end-of-life NAS devices until October 2022, and provides mitigation measures

  • Jan 28, 2022: QNAP force updates customers’ NAS devices with firmware containing the latest security updates

The repeated warnings showcase a positive movement with vendors showing increased awareness and releasing proactive mitigations to ward off attacks on their products. An interesting trend to note is the support offered by QNAP to some end-of-life devices. With vendors reacting to the flurry of attacks, it is now the turn of end users to step up their game.

How Can Vulnerability Management Help?

Organizations need a continuous vulnerability management process to identify and remediate vulnerabilities in all their assets. By continuously monitoring and prioritizing vulnerabilities and emerging threats, security teams will be able to reduce response times and remediate dangerous exposures before they are exploited by attackers.

Mature vulnerability management programs like ours provide customers with actionable intelligence that effectively reduces cybersecurity alert fatigue and provides organizations with a clear road map to secure their environment. Acting as an extension of our customer’s security team, we go over and beyond to warn them of emerging threats and provide them with a customized early warning alert that facilitates rapid remediation.

Securin can help you identify vulnerabilities in your devices and prioritize the ones you should focus on. 

Sign up for our VMaaS offering.

Related reading:

Critical OpenSSL Vulnerabilities Affecting Linux and NAS Devices

All About Qlocker

Ransomware Reports

Share This Post On