How safe are storage devices from a ransomware attack?
Posted on Jul 12, 2022 | Updated on July 15, 2022 | By Priya Ravindran
Does your organization use Network Attached Storage (NAS) devices? If you think that backing up data in these devices will keep you safe from a ransomware attack, you might have to revisit your security strategy.
Ransomware groups such as Qlocker and eCh0raix have been targeting QNAP products for some time. Devices from Western Digital, Synology, ENC Security, and Asustor have also been on the radar, but QNAP's internet-connected appliances have taken the biggest hit, with multiple targeted exploitation campaigns.
Should CISOs be worried about this?
Yes. For many organizations that do not have a robust security strategy in place, the backups held on storage devices are the last line of defense against a ransomware attack.
Storage devices sit at the core of an organization, holding the data needed for day-to-day operations. With remote work now the norm, organizations increasingly prefer network attached devices that can be reached from anywhere, at any time.
That same network accessibility raises the stakes for data backups. Network attached storage (NAS) devices have replaced legacy hardware for maintaining backups, and those backups are the organization's fallback in the event of a cyber attack. A NAS that is reachable from the internet is therefore both the backup and a target.
CSW researchers are tracking this trend as part of our Ransomware Report research. Check out our quarterly reports for more information about storage devices and the threats targeting them.
Recent Incidents where storage devices have been attacked
Let us look at some incidents from the first half of 2022 that impacted storage devices connected to the internet. They show that attacks on storage devices are continuous and recurring, a genuine cause for concern. Nor is it only local storage that is targeted: cloud storage is as exposed as any other internet-connected service.
Jul 11, 2022: Raspberry Robin, a worm-like Windows malware, is found abusing compromised QNAP devices as part of its infrastructure.
Jul 8, 2022: New Checkmate ransomware used to encrypt data in exposed QNAP devices.
Jun 22, 2022: Critical PHP flaw exposes QNAP NAS devices to RCE attacks
Jun 19, 2022: Researchers believe that ransomware groups could encrypt files stored on Microsoft's SharePoint and OneDrive applications by abusing the versioning feature.
Jun 18, 2022: Another wave of attacks on QNAP devices by eCh0raix ransomware
Jun 10, 2022: Fujitsu cloud storage vulnerabilities could enable attackers to destroy virtual backups.
Jun 02, 2022: The Polonium APT group uses the Microsoft OneDrive cloud storage platform for data exfiltration and command and control while targeting and compromising Israeli organizations.
May 19, 2022: QNAP warns of a fresh wave of Deadbolt ransomware attacks targeting TS-x51 series and TS-x53 series appliances running on QTS 4.3.6 and QTS 4.4.1.
Apr 28, 2022: Synology NAS devices exposed to attacks exploiting multiple critical Netatalk vulnerabilities including CVE-2022-23125, CVE-2022-23122, CVE-2022-0194, CVE-2022-23121.
Mar 30, 2022: QNAP NAS devices exposed to high severity OpenSSL bug.
Mar 22, 2022: QNAP devices targeted in a new wave of DeadBolt ransomware attacks.
Mar 14, 2022: CVE-2022-0847, the Linux kernel vulnerability dubbed Dirty Pipe, endangers QNAP NAS devices.
Feb 22, 2022: Data in Asustor NAS devices encrypted by Deadbolt ransomware.
Although it is older, we would also highlight how the Qlocker ransomware announced itself by going after a then zero-day vulnerability (CVE-2021-28799) in QNAP devices, before the vendor had acknowledged the flaw.
A snippet from CSW's Ransomware Report 2022
What can organizations do to protect their backup?
The first step to protecting data backups is to understand the exposure that attackers can leverage. To that end, CSW continuously researches ransomware groups and the methods they use to attack their targets.
Address unpatched vulnerabilities
Our researchers have identified the vulnerabilities in storage devices that are exploited by ransomware groups. We urge organizations to patch these vulnerabilities as early as possible to avoid exposing their NAS devices to attacks.
Interestingly, over 60 percent of these vulnerabilities map to a handful of code-level weakness classes (CWEs): improper neutralization of special elements in input, improper input validation, improper authorization, and improper privilege management. None of these is a deployment misconfiguration; they are introduced in development, so the cure is a security-focused shift-left mindset from the first line of code.
Five vulnerabilities in storage devices that are known to be exploited by ransomware groups are yet to make it into CISA's Known Exploited Vulnerabilities (KEV) catalog: CVE-2017-7494 in Samba, and CVE-2019-7192, CVE-2019-7193, CVE-2019-7194 and CVE-2019-7195 in QNAP products. We urge organizations to treat them as high priority and address them without delay, whether or not a KEV deadline exists for them.
We would also call out a few vulnerabilities in storage devices that, although not yet associated with ransomware groups, have been flagged by CISA in its KEV catalog.
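The prioritization argued for above, that a storage-device CVE used by ransomware groups deserves P1 treatment even before CISA lists it, can be expressed as a small triage routine. The following is an added example written for this post; it is not CSW's or CISA's tooling. `KEV_SAMPLE` is a constructed excerpt that follows the layout of the public KEV JSON feed (a `vulnerabilities` array of objects carrying `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate`; the dates here are illustrative), `RANSOMWARE_LINKED` holds the CVEs this post associates with ransomware groups, and `INVENTORY` is an invented asset list. Against a real environment you would load the downloaded feed and build the inventory from scanner output.

```python
"""Rank CVEs on storage assets using CISA's KEV catalog plus ransomware intel.

Added example for this post, not CSW's or CISA's tooling. KEV_SAMPLE is a
constructed excerpt in the layout of the public KEV feed; RANSOMWARE_LINKED
is the set of storage-device CVEs the post ties to ransomware groups;
INVENTORY is invented. Swap in the real feed and real scanner output to use it.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed KEV excerpt: same field names as the public feed, illustrative dates.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-28799", "vendorProject": "QNAP", "product": "HBS 3",
         "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-03"},
        {"cveID": "CVE-2022-0847", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2022-04-25", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-16"},
    ],
})

# CVEs the post associates with ransomware groups (Qlocker's CVE-2021-28799 and
# the five it says are still missing from KEV).
RANSOMWARE_LINKED = {
    "CVE-2017-7494", "CVE-2019-7192", "CVE-2019-7193", "CVE-2019-7194",
    "CVE-2019-7195", "CVE-2021-28799",
}

# Invented inventory: which CVEs a scanner reported per storage asset.
INVENTORY = [
    {"asset": "nas-01", "product": "QNAP TS-453D", "internet_exposed": True,
     "cves": ["CVE-2021-28799", "CVE-2022-0847", "CVE-2019-7192"]},
    {"asset": "nas-02", "product": "Synology DS920+", "internet_exposed": False,
     "cves": ["CVE-2022-23121", "CVE-2022-23125"]},
    {"asset": "fileserver-03", "product": "Samba 4.5", "internet_exposed": False,
     "cves": ["CVE-2017-7494"]},
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def classify(cve: str, kev: dict[str, dict], today: date) -> tuple[str, str]:
    """Return (priority, reason). Ransomware-linked CVEs are P1 regardless of
    KEV status, which is the post's point; a KEV entry whose federal due
    date has passed is also P1, other KEV entries P2, everything else P3."""
    in_kev, ransomware = cve in kev, cve in RANSOMWARE_LINKED
    if in_kev and ransomware:
        return "P1", "in KEV and used by ransomware groups"
    if ransomware:
        return "P1", "used by ransomware groups but not yet in KEV"
    if in_kev:
        overdue = date.fromisoformat(kev[cve]["dueDate"]) < today
        return ("P1" if overdue else "P2"), "in KEV" + (", remediation due date passed" if overdue else "")
    return "P3", "no exploitation signal; schedule with routine patching"


def prioritize(inventory: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """Flatten the inventory to (asset, CVE) rows and sort: priority first,
    internet-exposed assets before internal ones, then asset and CVE."""
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            priority, reason = classify(cve, kev, today)
            rows.append({"priority": priority, "asset": asset["asset"],
                         "product": asset["product"],
                         "internet_exposed": asset["internet_exposed"],
                         "cve": cve, "reason": reason})
    rows.sort(key=lambda r: (r["priority"], not r["internet_exposed"], r["asset"], r["cve"]))
    return rows


def run_demo(today: date = date(2022, 7, 12)) -> list[dict]:
    return prioritize(INVENTORY, load_kev(KEV_SAMPLE), today)


if __name__ == "__main__":
    for row in run_demo():
        exposure = "exposed" if row["internet_exposed"] else "internal"
        print(f'{row["priority"]} {row["asset"]:<14} {exposure:<8} {row["cve"]:<15} {row["reason"]}')
```

Note that the sort key places internet-exposed assets ahead of internal ones only within a priority band; a ransomware-linked CVE on an internal file server still outranks a KEV entry that is not yet overdue, because the page's data says those CVEs are being used for encryption today.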
Be wary of ransomware groups
CSW researchers have identified two ransomware groups, Qlocker and eCh0raix, that target vulnerabilities in storage devices, particularly Network Attached Storage (NAS) devices. Deadbolt and Checkmate are the latest to join the trend, going after weaknesses that are easy to exploit. Our analysts are constantly on the lookout for the attack vectors these groups use. The Sabbath ransomware gang is also believed to target backups specifically as part of its triple extortion method. Stay tuned to our blogs as we unearth more information about these groups.
Lax Response Despite Repeated Warnings by Vendors
Vendors of storage devices have released repeated warnings and updates addressing these vulnerabilities as they were exploited. Despite this, we continue to see NAS devices exposed directly to the internet. Poor cyber hygiene is the usual suspect.
Jun 17, 2022: QNAP once again warns customers to secure their devices against a new campaign of attacks pushing DeadBolt ransomware.
May 06, 2022: QNAP releases a firmware update patching nine security weaknesses in QVR; the fixes ship in QVR 5.1.6 build 20220401 and later.
April 19, 2022: QNAP urges customers to disable Universal Plug and Play (UPnP) port forwarding on their routers to prevent exposing their NAS devices to attacks from the Internet.
Mar 26, 2022: Critical severity RCE vulnerability identified in Western Digital’s My Cloud OS 5 devices.
Mar 24, 2022: Western Digital releases new My Cloud OS 5 firmware to fix the Netatalk vulnerability CVE-2022-23121.
Feb 14, 2022: QNAP extends support to some end-of-life NAS devices until October 2022, and provides mitigation measures.
Jan 28, 2022: QNAP force updates customers' NAS devices with firmware containing the latest security updates.
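QNAP's April 19 advice above targets a specific failure mode: a NAS (or a router "helper" acting on its behalf) uses UPnP to punch a hole in the router, and the owner never learns the device is internet-facing. The quickest way to check is to ask the router for its own forwarding table. The following is an added example written for this post, not QNAP's, Synology's or CSW's tooling. It builds the `WANIPConnection:1` SOAP request that Internet Gateway Device routers answer (`GetGenericPortMappingEntry`, walked by index until the router returns UPnP error 713 `SpecifiedArrayIndexInvalid`), parses each reply, and flags enabled forwards that land on a known NAS host or a NAS-style service port. The LAN addresses, the port list and the SOAP replies are constructed for an offline run; against a real router you would discover the control URL via SSDP and POST the request with any HTTP client in place of `demo_fetch`.

```python
"""Audit a router's UPnP IGD port-forwarding table for entries that expose a NAS.

Added example for this post, not vendor tooling. Builds the real IGD
GetGenericPortMappingEntry SOAP request, parses replies, flags NAS exposure.
The control URL is never contacted here: demo_fetch serves constructed replies.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, Optional

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"

# Ports commonly bound by NAS admin and file services. Assumption: a local
# policy list for this demo, not a vendor-published one.
NAS_SERVICE_PORTS = {
    22: "ssh", 443: "https", 445: "smb", 548: "afp (netatalk)", 873: "rsync",
    5000: "synology dsm http", 5001: "synology dsm https", 8080: "qnap qts http",
}


def build_request(index: int) -> tuple[dict[str, str], str]:
    """HTTP headers and SOAP body asking the IGD for mapping number `index`."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}></s:Body></s:Envelope>"
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    return headers, body


@dataclass
class Mapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool


def parse_response(xml_text: str) -> Optional[Mapping]:
    """Return the mapping in a SOAP reply, or None for a SOAP Fault (the IGD
    signals the end of the table with UPnPError 713)."""
    root = ET.fromstring(xml_text)
    if any(el.tag.endswith("Fault") for el in root.iter()):
        return None
    resp = next(el for el in root.iter() if el.tag.endswith(f"{ACTION}Response"))
    text = lambda name: (resp.findtext(name) or "").strip()  # children are un-namespaced
    return Mapping(
        external_port=int(text("NewExternalPort")),
        protocol=text("NewProtocol"),
        internal_client=text("NewInternalClient"),
        internal_port=int(text("NewInternalPort")),
        description=text("NewPortMappingDescription"),
        enabled=text("NewEnabled") == "1",
    )


def enumerate_mappings(fetch: Callable[[dict[str, str], str], str]) -> Iterator[Mapping]:
    """Walk indices 0, 1, 2, ... until the router faults. `fetch` POSTs to the
    IGD control URL and returns the response body."""
    index = 0
    while (m := parse_response(fetch(*build_request(index)))) is not None:
        yield m
        index += 1


def audit(mappings: Iterable[Mapping], nas_hosts: set[str]) -> list[dict]:
    """Flag enabled forwards that reach a known NAS host or a NAS-style port."""
    findings = []
    for m in mappings:
        if not m.enabled:
            continue
        if m.internal_client in nas_hosts:
            reason = "forwards to a known NAS host"
        elif m.internal_port in NAS_SERVICE_PORTS:
            reason = f"forwards to NAS-style service: {NAS_SERVICE_PORTS[m.internal_port]}"
        else:
            continue
        findings.append({"external_port": m.external_port, "protocol": m.protocol,
                         "internal": f"{m.internal_client}:{m.internal_port}",
                         "description": m.description, "reason": reason})
    return findings


# Constructed router replies for the offline demo (not captured traffic).
def _reply(ext: int, proto: str, client: str, iport: int, desc: str, enabled: bool) -> str:
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:{ACTION}Response xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
        f"<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{iport}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>"
        f"<NewEnabled>{int(enabled)}</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>"
    )

_FAULT = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>"
    '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>"
    "</detail></s:Fault></s:Body></s:Envelope>"
)

_DEMO_TABLE = [  # constructed: QNAP admin port, a benign forward, a NAS on an odd port, a disabled row
    _reply(8080, "TCP", "192.168.1.20", 8080, "QNAP Web", True),
    _reply(51413, "TCP", "192.168.1.33", 51413, "torrent", True),
    _reply(9443, "TCP", "192.168.1.22", 8443, "", True),
    _reply(5001, "TCP", "192.168.1.21", 5001, "DSM", False),
]


def demo_fetch(headers: dict[str, str], body: str) -> str:
    """Stand-in for an HTTP POST to the router's control URL."""
    index = int(re.search(r"<NewPortMappingIndex>(\d+)<", body).group(1))
    return _DEMO_TABLE[index] if index < len(_DEMO_TABLE) else _FAULT


def run_demo() -> list[dict]:
    return audit(enumerate_mappings(demo_fetch), nas_hosts={"192.168.1.22"})


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Two details matter in practice: a disabled mapping is not exposure, so it is skipped rather than reported, and a forward whose description is blank and whose port is unusual (the 9443 to 8443 row) is caught only because the internal host is on the NAS list, which is why the audit takes an explicit set of NAS addresses rather than relying on port numbers alone.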
The repeated warnings are a positive sign: vendors are showing increased awareness and releasing proactive mitigations to ward off attacks on their products. Notably, QNAP has extended support to some devices that have already reached end of life. With vendors reacting to the flurry of attacks, it is now up to end users to step up as well.
How can Vulnerability Management help?
Organizations need a continuous vulnerability management process to identify and remediate vulnerabilities across all their assets. By continuously monitoring and prioritizing vulnerabilities and emerging threats, security teams can shorten response times and remediate dangerous exposures before attackers exploit them.
Mature vulnerability management programs like ours provide customers with actionable intelligence that reduces alert fatigue and gives organizations a clear roadmap to secure their environment. Acting as an extension of our customers' security teams, we go above and beyond to warn them of emerging threats, with customized early-warning alerts that facilitate rapid remediation.
CSW can help you identify the vulnerabilities in your devices and prioritize the ones you should focus on.
Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!