Hackers Are Backdooring QNAP NAS Devices With 3-year Old RCE Bug
Hackers are scanning for vulnerable network-attached storage (NAS) devices running multiple QNAP firmware versions, trying to exploit a remote code execution (RCE) vulnerability addressed by QNAP in a previous release.
According to a report published today by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), unknown threat actors are currently exploiting a remote command execution vulnerability due to a command injection weakness in QNAP NAS devices’ firmware.
Command injection vulnerability leading to RCE
The vulnerability allows unauthenticated, remote attackers to inject commands through the authLogout.cgi executable: the handler does not sanitize its input (special characters are not filtered out) and passes the resulting string to the system function, so shell metacharacters in the request are interpreted, turning the command injection into remote code execution.
360 Netlab’s researchers reached out to QNAP PSIRT on May 13 to disclose the security issue they found. On August 12, three months later, they were told that the company had already addressed the issue in an earlier security update and that there are still QNAP NAS devices that need to be upgraded.
QNAP fixed the vulnerability in firmware version 4.3.3 — released on July 21, 2017 — by replacing the function used to run the command strings.
“This release replaced the system function with qnap_exec, and the qnap_exec function is defined in the /usr/lib/libuLinux_Util.so.0,” 360 Netlab said. “By using the execv to execute custom command, command injection has been avoided.”
“On August 12, 2020, QNAP PSIRT replied that the vulnerability had been fixed in early updates, but such attacks still exist in the network.”
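As an added illustration (example code written for this article, not the QNAP handler and not code from 360 Netlab’s report), the following C program contrasts the two patterns the report describes: a CGI-style handler that formats an untrusted parameter into a command line and hands it to system(), and the same handler using fork and execv with an explicit argument vector. The /bin/echo wrapper, the "sid=" parameter and the injection string are assumptions for the demonstration.

```c
// Added example (not QNAP's code): why replacing system() with execv()
// closes a command-injection hole in a CGI handler. Both helpers receive
// the same attacker-controlled string; only the system() path hands it to
// /bin/sh, which interprets ';', '|', '$(...)' and similar metacharacters.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

// Converts a wait status into the child's exit code, or -1 on error.
static int exit_status(int status) {
    if (status == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// VULNERABLE pattern: build a command line and pass it to system().
// system() runs "/bin/sh -c <cmd>", so the untrusted parameter is parsed
// by the shell. (Hypothetical handler logic: echo the supplied session id.)
int run_with_system(const char *untrusted) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/echo %s", untrusted);
    return exit_status(system(cmd));
}

// HARDENED pattern: fork + execv() with a fixed program path and an
// explicit argv. No shell is involved; the untrusted string becomes one
// argument of /bin/echo and is never parsed for metacharacters.
int run_with_execv(const char *untrusted) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/echo", (char *)untrusted, NULL};
        execv("/bin/echo", argv);
        _exit(127);            // only reached if execv() itself fails
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return exit_status(status);
}

int main(void) {
    // Constructed injection string: a second command after ';'.
    const char *payload = "sid=abc; exit 42";
    printf("system(): exit status %d (42 means the injected command ran)\n",
           run_with_system(payload));
    printf("execv():  exit status %d (0: the string was just echoed)\n",
           run_with_execv(payload));
    return 0;
}
```

On a Linux host the system() path exits with status 42 because /bin/sh executes the injected `exit 42`, while the execv path exits 0 and prints the whole string, metacharacters included, as a single argument. The execv approach only helps when the program path is fixed and the argument is not later passed to another shell by the called program.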
QNAP customers urged to upgrade
Based on 360 Netlab’s analysis, the bad actors behind these ongoing attacks have not yet fully automated the intrusion and still perform some of its steps by hand.
360 Netlab has yet to pinpoint the attackers’ end goal but discovered that they deploy the same two payloads on all compromised devices, one of them being a reverse shell that uses TCP port 1234.
“We recommend that QNAP NAS users check and update their firmwares in a timely manner and also check for abnormal processes and network connections,” the researchers added.
360 Netlab provides a list of all affected QNAP firmware versions and indicators of compromise including the attackers’ scanner and downloader IP addresses.
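The researchers’ advice to check for abnormal network connections can be turned into a concrete check. As an added example (not a tool from 360 Netlab or QNAP), the C program below parses the kernel’s /proc/net/tcp table, which every Linux-based NAS exposes regardless of which netstat or ss options its userland supports, and flags established connections whose remote port is 1234 as well as local listeners on that port. Assumptions: the reverse shell reported above uses port 1234 on one side of the connection; the CPU is little-endian (the kernel prints addresses in host byte order); the sample table is constructed and uses a documentation-range remote address.

```c
// Added example: flag suspicious TCP connections from /proc/net/tcp data.
// The port value comes from 360 Netlab's description of the reverse shell;
// the sample table below is constructed, not a real capture.
#include <stdio.h>
#include <string.h>

#define SUSPECT_PORT 1234u      // reverse-shell port reported by 360 Netlab
#define TCP_ESTABLISHED 0x01u   // kernel state codes as shown in /proc/net/tcp
#define TCP_LISTEN      0x0Au

// One parsed data line of /proc/net/tcp (raw hex values as the kernel prints them).
struct tcp_entry {
    unsigned local_ip, local_port, remote_ip, remote_port, state;
};

// Parses a single /proc/net/tcp data line; the header line fails and returns 0.
int parse_proc_tcp_line(const char *line, struct tcp_entry *e) {
    int sl;
    return sscanf(line, " %d: %8x:%4x %8x:%4x %2x",
                  &sl, &e->local_ip, &e->local_port,
                  &e->remote_ip, &e->remote_port, &e->state) == 6;
}

// Dotted-quad formatting. /proc/net/tcp prints addresses in host byte order,
// so on a little-endian CPU (assumed here) the first octet is the low byte.
void ip_to_str(unsigned raw, char *out, size_t n) {
    snprintf(out, n, "%u.%u.%u.%u", raw & 0xff, (raw >> 8) & 0xff,
             (raw >> 16) & 0xff, (raw >> 24) & 0xff);
}

// A connection is suspicious if it is ESTABLISHED to remote port 1234
// (outbound reverse shell) or a LISTEN socket on local port 1234 (bind shell).
int is_suspicious(const struct tcp_entry *e) {
    return (e->state == TCP_ESTABLISHED && e->remote_port == SUSPECT_PORT) ||
           (e->state == TCP_LISTEN && e->local_port == SUSPECT_PORT);
}

// Scans text in /proc/net/tcp format, prints each hit, returns the hit count.
// It reads from a string so it runs on constructed data; on a real device
// pass the contents of /proc/net/tcp instead.
int scan_proc_tcp(const char *text) {
    int hits = 0;
    const char *p = text;
    char line[256];
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct tcp_entry e;
        if (parse_proc_tcp_line(line, &e) && is_suspicious(&e)) {
            char l[16], r[16];
            ip_to_str(e.local_ip, l, sizeof l);
            ip_to_str(e.remote_ip, r, sizeof r);
            printf("SUSPICIOUS: %s:%u -> %s:%u (state %02X)\n",
                   l, e.local_port, r, e.remote_port, e.state);
            hits++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

// Constructed sample: header, an HTTPS listener (0x01BB = 443), a normal
// NFS connection (0x0801 = 2049), an outbound connection to 198.51.100.45
// on port 0x04D2 = 1234, and a local listener on 1234.
const char *SAMPLE_PROC_NET_TCP =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0A00000A:C8D2 0B00000A:0801 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 20 4 30 10 -1\n"
    "   2: 0A00000A:D9E3 2D6433C6:04D2 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 20 4 30 10 -1\n"
    "   3: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0\n";

int main(void) {
    int hits = scan_proc_tcp(SAMPLE_PROC_NET_TCP);
    printf("%d suspicious socket(s) found\n", hits);
    return hits ? 1 : 0;
}
```

The port check is deliberately narrow; a practitioner would extend it with the scanner and downloader addresses from the 360 Netlab indicators and pair the socket list with a look at the owning processes (the inode column maps to /proc/*/fd), since a reverse shell can be reconfigured to any port.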
Active eCh0raix Ransomware campaign
QNAP storage devices are also currently targeted by an ongoing eCh0raix Ransomware campaign that started two months ago, in early June; according to a topic on Bleeping Computer’s forum, victims are reporting daily that their NAS devices are being encrypted.
Last month, QNAP also urged its customers to bolster their NAS devices’ security and update the Malware Remover app following a joint alert on the QSnatch malware issued by the UK’s NCSC and the US CISA, the two countries’ government cybersecurity agencies.
Even though the attack infrastructure used in previous QSnatch campaigns is now down, the two agencies found roughly 62,000 infected devices worldwide during mid-June 2020, of which about 3,900 were found in the United Kingdom and 7,600 in the United States.