QNAP Issues Warning Regarding New “DeadBolt” Ransomware Targeting All NAS Units Connected to the Internet

[Tsing]

Image: QNAP



QNAP has warned owners of its popular NAS units to check whether their devices are exposed to the Internet or not, as there’s a new type of ransomware going around that could jeopardize all of their stored data.



Dubbed “DeadBolt,” the ransomware has the potential to infect any QNAP NAS unit that is exposed to the Internet and encrypt their data for Bitcoin ransom. An extensive thread on the official QNAP NAS Community Forum with nearly 300 posts includes stories from affected users who can no longer access their files.



“Hi, my QNAP NAS drive just got attacked by a ransonware that turned all my files to files with a .deadbolt extension,” reads the opening post. “Wondering if this is a new ransomware or if anyone has experience with this? I googled it and have not come up with anything as of...

Continue reading...

 

[Grimlakin]

That's interesting. I wonder how far out they are from patching this.

 

[Zarathustra]

Honestly, this is why I am opposed to all "IT appliances".

Built a server, run an open source software project on it.

...and If you absolutely have to use an "appliance in a box" type of solution, for crying out loud, don't just put it on a public IP without some serious firewalling.

 

[Brian_B]

Built a server, run an open source software project on it.

Not like Open Source stuff is immune - Log4Shell comes to mind recently. And it's a crapshoot as to if the project is still in active development and gets patched quickly, or not.

don't just put it on a public IP without some serious firewalling.

This it the correct answer, but even that isn't foolproof. Take something like Ring cameras -- the camera sits behind your firewall, but it dials into the mothership, which is how you can get back to it from remotely via their app without needing to poke a hole through your firewall or set up port forwarding. If someone can hack the mothership and get that info, they can get not only into your camera, but ~all~ the cameras. It's easier to harden one spot than it is a million cameras, but it's still a single point vulnerability.

Also, a lot of these devices have "easy" local WiFi or Bluetooth setup, which are usually local, open wireless connections. That's falling out of favor now, thankfully, but it used to be common practice. It was really bad with printers.

 

[Riccochet]

Not like Open Source stuff is immune - Log4Shell comes to mind recently. And it's a crapshoot as to if the project is still in active development and gets patched quickly, or not.

This it the correct answer, but even that isn't foolproof. Take something like Ring cameras -- the camera sits behind your firewall, but it dials into the mothership, which is how you can get back to it from remotely via their app without needing to poke a hole through your firewall or set up port forwarding. If someone can hack the mothership and get that info, they can get not only into your camera, but ~all~ the cameras. It's easier to harden one spot than it is a million cameras, but it's still a single point vulnerability.

Also, a lot of these devices have "easy" local WiFi or Bluetooth setup, which are usually local, open wireless connections. That's falling out of favor now, thankfully, but it used to be common practice. It was really bad with printers.

Ring are secure. The connection made from the home is outgoing SSL connection. They're not open to the internet for inbound connections.

But, yeah, NAS boxes should be behind a firewall and whitelisted for access from specific IP's. Problem there is that 99% of the home and small office users that buy these products don't know networking. They plug it in, go through the initial setup and call it good.

 

[Brian_B]

Ring are secure. The connection made from the home is outgoing SSL connection. They're not open to the internet for inbound connections.

I don't think I implied otherwise. This doesn't nullify the issues I brought up though.

 

[Zarathustra]

Not like Open Source stuff is immune - Log4Shell comes to mind recently. And it's a crapshoot as to if the project is still in active development and gets patched quickly, or not.

True, but unless you choose some failing or barely supported project, things generally get patched very quickly.

I wouldn't go with some fly-by-night project, but if you go with something established like FreeNAS or if you roll your own, by installing a hardened Ubuntu server, adding ZFSonLinux to it and set up your own shares manually, the repository gets patched very quickly, usually same day something hits the news. Sometimes the day before if it had been pre-shared with vendors with a specific release date.

This it the correct answer, but even that isn't foolproof. Take something like Ring cameras -- the camera sits behind your firewall, but it dials into the mothership, which is how you can get back to it from remotely via their app without needing to poke a hole through your firewall or set up port forwarding. If someone can hack the mothership and get that info, they can get not only into your camera, but ~all~ the cameras. It's easier to harden one spot than it is a million cameras, but it's still a single point vulnerability.

Also, a lot of these devices have "easy" local WiFi or Bluetooth setup, which are usually local, open wireless connections. That's falling out of favor now, thankfully, but it used to be common practice. It was really bad with printers.

Nothing is foolproof. That's why you need to use a layered approach.

Patch your ****, firewall everything, set up minimal access necessary for things to work, and - IMHO (though many may disagree) - avoid hardware appliances like the plague.

 

[Zarathustra]

Ring are secure. The connection made from the home is outgoing SSL connection. They're not open to the internet for inbound connections.

I'd argue that anything that dials home to the mothership is automatically suspect.

It may be reasonably secure from third party attack, but what data is the mothership storing? And even if they don't intend to misuse it, what if they get attacked and compromised?

Any large database automatically becomes a target, which is why best practice should be to eliminate those databases wherever and whenever possible.

Just like good network policy is to firewall everything and only allow access on an as needed basis, best data policy should be to collect only what is strictly necessary for something to work so that you don't become a target.

Unfortunately IOT manufacturers can't be trusted to do this, because of their profit incentives.

 

[Brian_B]

Well, I'd also counter that to say, living life is inherently insecure.

We want to do stuff, get work done, have some fun, experience some level of convenience. Security (almost) always comes at the expense of those things. You have to balance that against the consequences of failure of your security.

If someone were to break into my Plex server and delete all my stuff - well, that would suck, but that would be about it. Compared to if someone were to break into my bank account and steal all my money - that would suck on a whole different level. I'm ok having convenient access to my Plex server, I absolutely endure additional measures to help keep my bank account more secure. If I had to go through the same level of security on my Plex as I do my bank, I'd never use it because it would just be too big of a pain in the ***.

 

[Riccochet]

I'd argue that anything that dials home to the mothership is automatically suspect.

It may be reasonably secure from third party attack, but what data is the mothership storing? And even if they don't intend to misuse it, what if they get attacked and compromised?

Any large database automatically becomes a target, which is why best practice should be to eliminate those databases wherever and whenever possible.

Just like good network policy is to firewall everything and only allow access on an as needed basis, best data policy should be to collect only what is strictly necessary for something to work so that you don't become a target.

Unfortunately IOT manufacturers can't be trusted to do this, because of their profit incentives.

You seem to not be understanding the target demographic for companies like Ring and QNAP. These are not network engineers that know how to use a firewall for restricting access. They are 99% dumb azz home owners. They want to plug it in and expect it to work with as little setup as possible. These are also people that aren't going to "build a linux box" with FreeNAS or ZFSOnLinux, or even remotely know how to do that.

Phoning home is not a security risk as long as the connection is encrypted. A lot of enterprise datacenter equipment "phone's home".

 

[Zarathustra]

You seem to not be understanding the target demographic for companies like Ring and QNAP. These are not network engineers that know how to use a firewall for restricting access. They are 99% dumb azz home owners. They want to plug it in and expect it to work with as little setup as possible. These are also people that aren't going to "build a linux box" with FreeNAS or ZFSOnLinux, or even remotely know how to do that.

Phoning home is not a security risk as long as the connection is encrypted. A lot of enterprise datacenter equipment "phone's home".

I'm less concerned about about the connection itself. I mean, I want to assume they use encrypted connections as well as RSA keys to verify they are not being redirected to a man in the middle, but who knows, there have been so many bad news stories where even serious enterprise service providers (cough, Solarwinds, cough) have failed to use things even remotely close to best practice.

But that aside, encrypted connections are easy, so I hope as many of these IoT devices as possible are actually doing it right, but you never know.

The real problem is the data that is stored in the cloud. Any large data store is automatically a target, and time and time again companies we'd like to think are secure, like Ubiquiti Networks, established in the network security business, get hacked. If Ubiquiti loses customer data, what hope do we have that a little stupid company that sells smart lightbulbs, thermostats, doorbells or baby monitors does it right?

The true solution is to not collect data in the cloud, unless ABSOLUTELY necessary.


You know, I'm usually a free market guy, but this is one area in which the free market is failing us. I think we need some strict regulation in the space. An FDA style pre-approval process before any connected product is put on the market in which they have to prove that they meet all cyber security standards/best practices would be one.

Another would be a law requiring companies to be financially liable for all direct and indirect costs resultant from vulnerabilities in or attacks on their products. This should give them a financial incentive to actually take it seriously.

 

[Brian_B]

But that aside, encrypted connections are easy, so I hope as many of these IoT devices as possible are actually doing it right, but you never know.

The real problem is the data that is stored in the cloud. Any large data store is automatically a target, and time and time again companies we'd like to think are secure, like Ubiquiti Networks, established in the network security business, get hacked. If Ubiquiti loses customer data, what hope do we have that a little stupid company that sells smart lightbulbs, thermostats, doorbells or baby monitors does it right?

@Riccochet

This. Encryption helps protect against packet sniffing, but only goes so far at protecting the common vulnerability - the main server in a cloud environment. It helps there's only one spot to harden, but nothing is foolproof. And Human/social attacks are commonly the biggest pitfall there -- you can have all the security measures in the world in place, but if you invite the vampire in, you are done for. One employee with critical access and a re-used password, or opens up a malware-laden email, or falls for a scam call from someone pretending to be in IT - it doesn't take much.

Whereas in Zath's example, if you are running your own server - well, primarily, your server is only one among thousands/millions, so there is some level of anonymity there in obscurity. There's no common entry point that an intruder could point to to try to get at your specific device. Now, patching up the network and encrypted connections and maintaining firewalls and such are all going to be on each individual user. While the devices in general may not be as secure because of people's lapses in applying patches and best-practices, each individual device is probably safer from hacking just because of the level of anonymity brought about by sheer numbers and lack of advertising the devices.

Kind of like fated first charge in any attack -- they can't shoot us all!

 

[Brian_B]

Another would be a law requiring companies to be financially liable for all direct and indirect costs resultant from vulnerabilities in or attacks on their products. This should give them a financial incentive to actually take it seriously.

I think this is the proper avenue given the current free-market environment. If you want to collect and maintain data, you are responsible for the security of that data, and liable for damages for any misuse or breech thereof.

What would happen is you'd see a ~vast and rapid~ drop off in the amount of data collection performed. It would probably kill Google and Facebook's business model, which would not make me cry in the least. And that is why we will never see it happen, they will lobby ferociously against it and claim it stifles innovation and will increase costs.

And it could increase costs; but I think only because people don't realize how valuable there data is in the first place and tend to just give it away without thought. If you were appropriately compensated for your data, I don't think we'd see net costs for most people really change at all.