Taiwanese vendor QNAP fixed a critical vulnerability, tracked as CVE-2021-28809, that could be exploited by attackers to compromise vulnerable NAS devices.
The vulnerability affects certain legacy versions of HBS 3 Hybrid Backup Sync, it was reported to the vendor by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs.
“An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3 (Hybrid Backup Sync). If exploited, this vulnerability allows attackers to compromise the security of the operating system.” states the security advisory published by the company.
The vendor addressed the flaw in the following versions of HBS 3:
QNAP devices running QTS 4.5.x with HBS 3 v16.x are not affected.
In May, the Taiwanese vendor warned its customers of updating the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections.
At the end of April, experts warned of a new strain of ransomware named Qlocker that was infecting hundreds of QNAP NAS devices on daily bases.
The threat actors behind the attacks are exploiting an improper authorization vulnerability, tracked as CVE-2021-28799, that could allow them to log in to a NAS device
“A ransomware campaign targeting QNAP NAS began the week of April 19th, 2021. The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync).” reads the security advisory published by the vendor.
The attacks were first spotted on April 20, and the number of infections has skyrocketed into the hundreds per day, according to statistics provided by Michael Gillespie, the creator of ransomware identification service ID-Ransomware.
Early May, the Taiwanese vendor warned its customers of
Early this month, the Taiwanese vendor warned its customers of an ongoing wave of AgeLocker ransomware attacks on their NAS devices
(SecurityAffairs – hacking, QNAP)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.