How to secure QNAP NAS devices? The vendor’s instructions

Pierluigi Paganini January 07, 2022

QNAP is warning customers of ransomware attacks targeting network-attached storage (NAS) devices exposed online.

Taiwanese vendor QNAP has warned customers to secure network-attached storage (NAS) exposed online from ransomware and brute-force attacks.

“Ransomware and brute-force attacks have been widely targeting all networking devices, and the most vulnerable victims will be those devices exposed to the Internet without any protection. QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP networking devices.” states the security advisory published by the company. “Check whether your NAS is exposed to the Internet.”

Customers can check whether their NAS is exposed online by using the Security Counselor, a built-in security portal for QNAP NAS devices.

QNAP NAS

If the NAS is exposed to the Internet the dashboard will display the message “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP.”

Administrator of devices exposed to the Internet should:

  • Disable the Port Forwarding function of the router. Disable the port forwarding setting of NAS management service port (port 8080 and 433 by default) from the Virtual Server, NAT or Port Forwarding setting
  • Disable the UPnP function of the QNAP NAS from the QTS menu of myQNAPcloud. Disable the “Enable UPnP Port forwarding” under “Auto Router Configuration item.

The vendor also published a guide to securely access QNAP NAS via the Internet through myQNAPcloud Link.

In December a new wave of ech0raix ransomware attacks targeted QNAP NAS devices. Users reported numerous compromises of their devices a few days before Christmas.

According to BleepingComputer, forum users reported an intensification of the attacks since December 20, the analysis of submissions to the ID ransomware service for this specific threat started to increase on December 19 and reached a peak on December 20.

ech0raix ransomware operators demand a ransom raising from .024 ($1,200) up to .06 bitcoins ($3,000).

In August, a new variant of the eCh0raix ransomware started infecting Network-Attached Storage (NAS) devices from Taiwanese vendors QNAP and Synology.

The eCh0raix ransomware has been active since at least 2019, when eExperts from security firms Intezer and Anomali separately discovered sample of the ransomware targeting Network Attached Storage (NAS) devices.

NAS servers are a privileged target for hackers because they normally store large amounts of data.The ransomware was targeting poorly protected or vulnerable NAS servers manufactured by QNAP, threat actors exploited known vulnerabilities or carried out brute-force attacks.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

In May, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

Independent experts observed a surge in eCh0raix infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices, threat actors conducted brute-force attacks against them.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP NAS)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment