The question of why NAS manufacturer QNAP recently pushed a forced update to its devices has now been answered. The DeadBolt ransomware attacks that took place in January 2022 were only possible if NAS owners had both made their devices accessible from the Internet and not installed any updates. This is because the exploited vulnerability was patched in December 2021.
Ransomware attacks on QNAP systems
In January 2022, there was a spate of ransomware infections on QNAP NAS drives where files were encrypted. My first report on the issue of ransomware attacks on QNAP devices was in January in my German blog post QNAP-Laufwerke im Januar 2022 Ziel von Ransomware-Angriffen. Over the last 14 days, I've come across reports of problems and vulnerabilities with QNAP firmware from time to time. And owners of QNAP NAS drives became victims of various ransomware families.
Then, within days, more than 3,600 QNAP systems were infected – see above tweet and this article at Bleeping Computer.
QNAP forced update in January 2022
The other day I reported in the blog post QNAPs forced update after 3,600 DeadBolt ransomware infections (Jan. 2022) about a forced update that surprised owners of unpatched QNAP devices in late January 2022. QNAP used it to force a firmware update for all customer NAS devices to QTS version 22.214.171.1241, which is the latest firmware, released on December 23, 2021 (see QNAP firmware update version QTS 126.96.36.1991 build 20211221 and log4j vulnerability).
Note that older QNAP QTS firmware versions were probably not updated. The reason many users had not upgraded to QTS 5 is probably the numerous bugs included in that firmware version. I touched on this in the blog post QNAP has released NAS security updates and disabled an app.
QNAP discloses details
As of February 1, 2022, Taiwan-based QNAP has issued this press release that caught the eye of our colleagues here. It states that the QNAP Product Security Incident Response Team (PSIRT) has determined that cybercriminals are exploiting a patched vulnerability, described in the QNAP Security Advisory (QSA-21-57), for a cyberattack. The vulnerability in question exists in QTS 4.5.3 and later versions, as well as QuTS hero h4.5.3 and later versions. If the vulnerability is exploited, attackers can execute arbitrary code on the system. QNAP has released the following corrected firmware versions:
- QTS 188.8.131.521 build 20211221 and later
- QTS 184.108.40.2062 build 20211223 and later
- QuTS hero h220.127.116.112 build 20211222 and later
- QuTS hero h18.104.22.1682 build 20211223 and later
- QuTScloud c22.214.171.1249 build 20220119 and later
The press release linked above states that QNAP actively updates NAS system software to ensure that each of its products runs efficiently at every stage of its lifecycle. These updates include feature updates, bug fixes, and security patches.
- To make it easier for users to obtain the latest version of the system software, QNAP has introduced the auto-update function to the latest version in QTS 4.5.0 / QuTS hero h4.5.0.
- In addition, a function to automatically update to the "Recommended Version" has been implemented in QTS 4.5.3 / QuTS hero h4.5.3 to provide users with more flexibility.
The vendor writes that the Recommended Version includes feature and security enhancements from previous versions. To avoid frequent NAS service interruptions due to automatic updates, QNAP will only set a specific version with important fixes as the "Recommended Version" to help users update their NAS. That seems to have gone wrong, or been interpreted a bit more generously, in January 2022, though. This is the only explanation for QNAP device owners being surprised by forced updates.