Security News > 2021 > April > QNAP removes backdoor account in NAS backup, disaster recovery app

Update: QNAP confirmed that Qlocker ransomware has used the removed backdoor account to hack into some customers' NAS devices and encrypt their files.

T]he so-called Qlocker ransomware took advantage of one of the patched vulnerabilities in HBS to launch a hostile campaign, targeting QNAP NAS directly connected to the Internet with unpatched old versions of HBS. QNAP has addressed a critical vulnerability allowing attackers to log into QNAP NAS devices using hardcoded credentials.

While QNAP published the security announcing that CVE-2021-28799 was fixed today, the app's release notes for version 16.0.0415 lists it as fixed almost a week ago, on April 16th. A QNAP spokesperson told BleepingComputer that the disclosure delay was caused by the additional time needed to release patches for QuTS hero and QuTScloud HBS versions.

On the same day, QNAP fixed two other HBS command injection vulnerabilities, as well as two more critical vulnerabilities, a command injection bug in QTS and QuTS hero and an SQL Injection vulnerability in Multimedia Console and the Media Streaming Add-On, that could allow attackers to gain full access to NAS devices.

Threat actors are also known to take over NAS devices and use them to "Proxy their connection to interact with the webshells they placed on these devices" and hide their malicious activity within regular remote work traffic, according to CISA. QNAP told BleepingComputer that they believe a new ransomware strain known as Qlocker exploits the SQL Injection vulnerability to encrypt data on vulnerable devices.

In June 2020, QNAP warned of eCh0raix ransomware attacks targeting Photo Station app security flaws.

News URL

https://www.bleepingcomputer.com/news/security/qnap-removes-backdoor-account-in-nas-backup-disaster-recovery-app/