QNAP: DeadBolt attacks via vulnerability patched in December 2021

The question of why NAS manufacturer QNAP recently pushed a forced update to its devices has now been answered. The DeadBolt ransomware attacks that took place in January 2022 were only possible if the NAS owners had made their devices accessible from the Internet and had not installed updates. This is because the exploited vulnerability was patched in December 2021.


Ransomware attacks on QNAP systems

In January 2022, there was a spate of ransomware infections on QNAP NAS drives where files were encrypted. My first report on the issue of ransomware attacks on QNAP devices was in January in my German blog post QNAP-Laufwerke im Januar 2022 Ziel von Ransomware-Angriffen. Over the last 14 days, I've come across reports of problems and vulnerabilities with QNAP firmware from time to time. And owners of QNAP NAS drives became victims of various ransomware families.

[Tweet: Ransomware attacks on QNAP systems]

Then, within days, more than 3,600 QNAP systems were infected – see above tweet and this article at Bleeping Computer.

QNAP forced update in January 2022

The other day, I reported in the blog post QNAPs forced update after 3,600 DeadBolt ransomware infections (Jan. 2022) about a forced update that surprised owners of unpatched QNAP devices in late January 2022. QNAP used it to force a firmware update for all customer NAS devices to QTS version, which is the latest firmware released on December 23, 2021 (see QNAP firmware update version QTS build 20211221 and log4j vulnerability).

Note that older QNAP QTS firmware versions were probably not updated. And the reason why many users had not upgraded to QTS 5 is probably the numerous bugs that were included in that firmware version. I had touched on this in the blog post QNAP has released NAS security updates and disabled an app.


QNAP discloses details

On February 1, 2022, Taiwan-based QNAP issued this press release, which our colleagues here noticed. It states that the QNAP Product Security Incident Response Team (PSIRT) has determined that cybercriminals are exploiting an already patched vulnerability, described in the QNAP Security Advisory QSA-21-57, for their attacks. The vulnerability in question exists in QTS 4.5.3 and later versions, as well as in QuTS hero h4.5.3 and later versions. If the vulnerability is exploited, attackers can execute arbitrary code on the system. QNAP has released the following corrected firmware versions:

  • QTS build 20211221 and later
  • QTS build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTS hero h4.5.4.1892 build 20211223 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later
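The following Python sketch is an added example, not code from QNAP or from the original post. It checks a device inventory against the affected range and the fixed builds listed above. The inventory line format, the hostnames and the status names are assumptions made for illustration. Because the list above gives no branch for the two QTS builds, a QTS build that falls between them is reported as `verify` rather than guessed.

```python
import re

AFFECTED_FROM = (4, 5, 3)   # per the page: QTS / QuTS hero 4.5.3 and later
FIXED = {   # fixed builds as listed on the page: product -> [(branch, build)]
    "QTS": [(None, 20211221), (None, 20211223)],  # page names no branch here
    "QuTS hero": [((5, 0, 0), 20211222), ((4, 5, 4), 20211223)],
    "QuTScloud": [((5, 0, 0), 20220119)],
}
LINE = re.compile(r"(?P<host>\S+)\s+(?P<product>QTS|QuTS hero|QuTScloud)\s+"
                  r"[hc]?(?P<ver>\d+\.\d+\.\d+)(?:\.\d+)?\s+build\s+(?P<build>\d{8})")

def classify(product, branch, build):
    """Return 'fixed', 'vulnerable', 'verify' or 'out-of-range'."""
    if product != "QuTScloud" and branch < AFFECTED_FROM:
        return "out-of-range"   # older than the affected range the page states
    for fixed_branch, fixed_build in FIXED[product]:
        if fixed_branch == branch:  # branch is listed: compare directly
            return "fixed" if build >= fixed_build else "vulnerable"
    builds = [b for _, b in FIXED[product]]
    # Assumption: builds are date stamps, so a build older than every listed
    # fix lacks it and a build at or past the newest listed fix contains it.
    if build >= max(builds):
        return "fixed"
    return "vulnerable" if build < min(builds) else "verify"

def audit(inventory):
    """Map host -> status; lines that do not parse are reported, not skipped."""
    report = {}
    for line in filter(None, map(str.strip, inventory.splitlines())):
        m = LINE.fullmatch(line)
        if m is None:
            report[line.split()[0]] = "unparsed"
            continue
        branch = tuple(int(p) for p in m["ver"].split("."))
        report[m["host"]] = classify(m["product"], branch, int(m["build"]))
    return report

# Constructed sample inventory: hostnames and firmware strings are made up.
SAMPLE = """
nas-01 QTS 5.0.0 build 20211101
nas-02 QTS 4.5.4 build 20211223
nas-03 QTS 5.0.0 build 20211221
nas-04 QuTS hero h4.5.4 build 20210915
nas-05 QuTS hero h5.0.0.1892 build 20211222
nas-06 QTS 4.3.6 build 20210101
nas-07 firmware unknown
"""
if __name__ == "__main__":
    print(*audit(SAMPLE).items(), sep="\n")
```

Devices reported as `verify` or `unparsed` need a manual look at the firmware page of the device itself.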

The press release linked above states that QNAP actively updates NAS system software to ensure that each of its products runs efficiently at every stage of its lifecycle. These updates include feature updates, bug fixes, and security patches.

  • To make it easier for users to obtain the latest version of the system software, QNAP has introduced the auto-update function to the latest version in QTS 4.5.0 / QuTS hero h4.5.0.
  • In addition, a function to automatically update to the "Recommended Version" has been implemented in QTS 4.5.3 / QuTS hero h4.5.3 to provide users with more flexibility.

The vendor writes that the Recommended Version includes feature and security enhancements from previous versions. To avoid frequent NAS service interruptions due to automatic updates, QNAP will only set a specific version with important fixes as the "Recommended Version" to help users update their NAS. In January 2022, though, this seems to have gone wrong or been interpreted a bit more generously. This is the only explanation for QNAP device owners being surprised by forced updates.

Similar articles:
QNAPs forced update after 3,600 DeadBolt ransomware infections (Jan. 2022)
Ransomware eCh0raix attacks QNAP devices (Dec. 2021)
QNAP firmware update version QTS build 20211221 and log4j vulnerability
QNAP has released NAS security updates and disabled an app
QNAP: Vulnerability in Media Streaming Add-on
