Poorly Protected NAS Devices Make Easy Targets for Ransomware Attacks

Hackers go for the low-hanging fruit and recently they found it on the network-attached storage (NAS) devices from at least two manufacturers. Crooks use the easy access to infect QNAP and Synology systems with file-encrypting malware in the hopes of getting paid for the decryption key.

NAS systems are used to store large volumes of data and make it accessible to multiple users, commonly over a local network. In some installations, though, the devices are open on the public web, allowing access to the files to anyone with the correct password. The risk is that hackers can scan the internet for these boxes and try to compromise them.

Attacks with a ransomware strain called eCh0raix started in June, with threat actors searching for targets and trying default credentials or brute-forcing their way into devices with weak login credentials. Since many users delay updating the NAS firmware, another method is to exploit known vulnerabilities.

One victim reported that eCh0raix encrypted more than 12TB of data stored on a Synology DS918 NAS device. Another admitted to using a weak password for login access. Another one decided to put the device behind a VPN connection, albeit too late. A free decryption tool is not yet available for them.

Both QNAP and Synology advise users to set strong, unique passwords and to enable the brute-force protection feature on their devices – called Network Access Protection on QNAP systems and Auto Block on Synology devices. Running the latest firmware version ensures protection against older vulnerabilities that often get exploit code soon after they are patched.
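To see what this kind of brute-force protection does, the sketch below (an added example, not code from QNAP, Synology or the original article) counts failed logins per source address in a sliding time window and reports when each address would be blocked. The log line format, the sample entries, the function name `find_blocked` and the default thresholds are all assumptions made for illustration, not vendor formats or vendor defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line format is an assumption for this example.
SAMPLE_LOG = """\
2024-01-15 03:14:01 login failed user=admin src=203.0.113.7
2024-01-15 03:14:09 login failed user=admin src=203.0.113.7
2024-01-15 03:14:15 login failed user=root src=203.0.113.7
2024-01-15 03:14:22 login failed user=admin src=203.0.113.7
2024-01-15 03:14:30 login failed user=guest src=203.0.113.7
2024-01-15 03:14:37 login failed user=admin src=203.0.113.7
2024-01-15 08:00:00 login failed user=anna src=192.168.1.50
2024-01-15 08:00:20 login ok user=anna src=192.168.1.50
2024-01-15 09:00:00 login failed user=admin src=198.51.100.23
2024-01-15 09:20:00 login failed user=admin src=198.51.100.23
2024-01-15 09:40:00 login failed user=admin src=198.51.100.23
2024-01-15 10:00:00 login failed user=admin src=198.51.100.23
2024-01-15 10:20:00 login failed user=admin src=198.51.100.23
"""

LINE_RE = re.compile(r"^(\S+ \S+) login (failed|ok) user=(\S+) src=(\S+)$")


def find_blocked(log_text, max_failures=5, window_minutes=5):
    """Return {source_ip: datetime of block} for every source that reaches
    max_failures failed logins inside a sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines that are not login events
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        outcome, src = m.group(2), m.group(4)
        if outcome != "failed" or src in blocked:
            continue              # successes and already-blocked sources add nothing
        failures = recent[src]
        failures.append(ts)
        while ts - failures[0] > window:
            failures.popleft()    # drop failures that fell out of the window
        if len(failures) >= max_failures:
            blocked[src] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in find_blocked(SAMPLE_LOG).items():
        print(f"{ip} would be blocked at {when}")
```

With these thresholds the rapid guesser is blocked at its fifth failure, while the source that spaces its attempts twenty minutes apart never trips the window, which is why the strong-password and VPN advice still matters alongside the block feature.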

If remote connection services like SSH and Telnet are not required, they should be disabled to reduce the attack surface. If your device needs to be exposed, using non-default connection ports will make it more difficult for hackers to reach it, while a VPN service will make it inaccessible to most hackers.

The simplest defense against ransomware is to create back-up copies of the data and store them offline. Synology recommends turning on Snapshot, a function that creates a copy of the file at a particular time. QNAP NAS devices have a backup function that duplicates the data.

These features help protect against hackers targeting individual devices, but other local systems may not provide sufficient security options. Modern security solutions offer network-wide protection to all gadgets, blocking exploit attempts and warning of vulnerable firmware or weak login passwords.

Image credit: Synology & QNAP

2 comments

  • By Ram

    Of all the external IP addresses available, how did hackers locate the IPs of Synology & QNAP boxes? Did they get hacked and reveal custom Synology or QNAP domain names and their associated IPs?

    • By Bogdan Botezatu

      Devices that are directly connected to the Internet “advertise” what they are to anyone probing their public IP address. Some cyber-criminals query public sources such as Shodan (here’s a simple query that returns some exposed Synology devices: https://www.shodan.io/search?query=synology). Others scan the entire internet, from the first available IP address to the last one and build their own “map” of the Internet.

      One thing you should remember is that everything that is publicly exposed becomes reachable for the larger internet. If you need to access the NAS device over the Internet, the safest way to do so is to create a VPN endpoint on your NAS device and only expose the VPN ports in the router (port 1194 – UDP for OpenVPN or ports 500, 1701, 4500 – UDP for L2TP/IPSec). Whenever you need to connect to your NAS, first fire a VPN connection and then access it as if you were in the same LAN with the device.
