Security News > 2021 > August > eCh0raix Ransomware Variant Targets QNAP, Synology NAS Devices

Operators of the nearly-year-old eCh0raix ransomware strain that's been used to target QNAP and Synology network-attached storage devices in past, separate campaigns have, gotten more efficient.

In a report published Tuesday, Palo Alto Network Unit 42 researchers said the new variant of eCh0raix exploits a critical bug, CVE-2021-28799 - an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account - in the Hybrid Backup Sync software on QNAP's NAS devices.

The eCh0raix operators have branched out: Payload analysis shows that they've gone beyond their typical targeting of QNAP devices to also target Synology NAS devices, thereby enabling the ransomware to ensnare both vendors' devices, Unit 42 researchers found.

"Instances of Synology devices infected by eCh0raix have been reported from as far back as 2019, but the only previous research connecting the Synology attacks to eCh0raix actors is based on decryptors that were found," they elaborated.

Unit 42 researchers estimated that there are about 240,000 internet-connected QNAP NAS devices and only about 3,500 Synology NAS devices, meaning that adding Synology to its hit list didn't significantly boost the ransomware's attack surface.

"NAS devices provide ample opportunity for attacks at the individual level and could be used for extortion or lateral movement into larger networks. The increase in work-from-home models has created a BYOD nightmare for defenders, and NAS devices are included in that. Threat actors, much like water, are trying to find the path of least resistance, and NAS devices could prove a good option for a foot in the door."

News URL

https://threatpost.com/ech0raix-ransomware-variant-qnap-synology-nas-devices/168516/