QNAP: DeadBolt Ransomware Exploits a Bug Patched in December

Taiwan-based network-attached storage (NAS) maker QNAP urges customers to enable firmware auto-updating on their devices to defend against active attacks.

According to the company, the attackers target a vulnerability patched in December, allowing them to run arbitrary code on vulnerable systems.

“Recently the QNAP Product Security Incident Response Team (PSIRT) detected that cybercriminals are taking advantage of a patched vulnerability, described in the QNAP Security Advisory (QSA-21-57), to launch a cyberattack,” the NAS maker said today.

Also Read: Data Anonymisation: Managing Personal Data Protection Risk

“On January 27, 2022, QNAP set the patched versions of system software as ‘Recommended Version.’ If auto update for ‘Recommended Version’ is enabled on your QNAP NAS, the system will automatically update to certain OS version to enhance security and protection of your QNAP NAS, mitigating the attack from criminals.”

You can find more information on the Auto Update feature and how it can be toggled on or off in today’s press release.

DeadBolt ransomware attacks

While the company did not name the threat actors behind these ongoing attacks, the warning comes after a wave of attacks targeting Internet-exposed QNAP devices with DeadBolt ransomware and asking victims to pay 0.03 bitcoins (approximately $1,100) for a decryption key.

It was later revealed that QNAP force installed the update needed to block attackers from exploiting the QSA-21-57 bug after thousands of customers had their data encrypted in DeadBolt attacks.

Also Read: Do Not Call Registry Penalty: Important Tips To Consider

QNAP told BleepingComputer that they forced-installed this update as they believe the threat actors are using the remote code execution vulnerability fixed in the 5.0.0.1891 firmware version and mentioned in today’s announcement.

According to QNAP, the security bug has been addressed in the following versions of QTS and QuTS hero:

• QTS 5.0.0.1891 build 20211221 and later
• QTS 4.5.4.1892 build 20211223 and later
• QuTS hero h5.0.0.1892 build 20211222 and later
• QuTS hero h4.5.4.1892 build 20211223 and later
• QuTScloud c5.0.0.1919 build 20220119 and later

However, a customer said in the QNAP forum that they were encrypted even when they had this firmware version installed, indicating that the threat actors are likely exploiting a different vulnerability.

Including the DeadBolt ransomware alert, QNAP issued three warnings in the last 12 months to alert customers of ransomware attacks targeting their Internet-exposed NAS devices.

QNAP previously warned rusers of AgeLocker ransomware attacks in April and eCh0raix ransomware attacks in May.