QNAP Counters Massive Weak Password Onslaught, Shields NAS Devices

QNAP, a Taiwanese network equipment manufacturer, recently thwarted a cyber onslaught targeting its Network Attached Storage (NAS) devices, specifically those with weak passwords that are openly accessible on the internet.

On the evening of October 14th, the firm discerned a surge of attacks and, with the collaboration of the cloud service provider Digital Ocean, incapacitated the malefactors’ Command and Control (C2) server which orchestrated a botnet spanning hundreds of compromised systems.

QNAP’s Product Security Incident Response Team (QNAP PSIRT) swiftly neutralized hundreds of zombie network IPs within a mere 7 hours using their proprietary software, QuFirewall. This valiant effort shielded numerous QNAP NAS devices from subsequent breaches.

“Within 48 hours, they also successfully identified the source C&C (Command & Control) server and, in collaboration with the cloud service provider Digital Ocean, took measures to block this C&C server, preventing the situation from escalating further,” the company elucidated.

QNAP’s representatives lauded their response, emphasizing that it not only shielded QNAP NAS users from potential harm but also fortified users of other network storages against this wave of aggression.

Although the assault was adeptly repelled, adversaries seldom remain idle. Thus, QNAP implores its clientele to bolster their devices’ defenses: modify default access ports, deactivate port forwarding on routers and UPnP on NAS, employ stringent password policies, and deactivate the administrator account on endpoints.

Cybercriminals frequently target NAS devices, often with the intention of pilfering or encrypting valuable documents. Recent onslaughts on QNAP devices encompassed campaigns leveraging ransomware strains such as DeadBolt, Checkmate, and eCh0raix. Furthermore, in 2021, Synology alerted the public to their devices being a prime target for the StealthWorker botnet.