Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

QNAP Fixes Critical Bug in NAS Backup, Disaster Recovery App

QNAP Fixes Critical Bug in NAS Backup, Disaster Recovery App

Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices’ security.

The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP’s disaster recovery and data backup solution.

The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources allowing them escalate privileges, execute commands remotely, or read sensitive info without authorization.

QNAP says that the security flaw is already fixed in the following HBS versions and advises customers to update the application to the latest released version:

  • QTS 4.3.6: HBS 3 v3.0.210507 and later
  • QTS 4.3.4: HBS 3 v3.0.210506 and later
  • QTS 4.3.3: HBS 3 v3.0.210506 and later

However, while QNAP published the security advisory announcing that CVE-2021-28809 is fixed today, the app’s release notes do not list any security updates since May 14th, 2021.

According to the company, QNAP NAS devices running QTS 4.5.x with HBS 3 v16.x are not affected by this security vulnerability and are not exposed to attacks.

Also Read: 4 Best Practices on How to Use SkillsFuture Credit

HBS backdoor account exploited by Qlocker ransomware

QNAP fixed another critical security vulnerability found in the HBS 3 Hybrid Backup Sync backup and disaster recovery app in April.

The backdoor account flaw, initially described by the company as “hardcoded credentials” and then as an “improper authorization,” provided a backdoor account that allowed Qlocker ransomware operators to encrypt Internet-exposed Network Attached Storage (NAS) devices.

Starting with at least April 19th, Qlocker began targeting QNAP devices as part of a massive campaign, deploying ransomware payloads that moved victims’ files in password-protected 7zip archives and asked for ransoms.

As BleepingComputer reported, the ransomware gang made around $260,000 in just five days by demanding ransoms of 0.01 bitcoins (worth roughly $500 at the time).

The same month, QNAP urged their customers to secure their NAS devices from Agelocker ransomware attacks targeting their data and, two weeks later, from an eCh0raix ransomware campaign.

QNAP devices were previously attacked by eCh0raix ransomware (also known as QNAPCrypt) during June 2019 and June 2020.

Also Read: 3 Reasons Why You Must Take a PDPA Singapore Course

Customers who want to secure their NAS devices from incoming attacks are advised to follow these best practices for enhancing NAS security.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us