Ransomware groups targeting NAS devices

Overview

A Network Attached Storage (NAS) is a computer connected to a network that allows remote access to the filesystem, often with built-in redundancy or backup features. Ransomware groups have been seen exploiting vulnerabilities in NAS devices to ransom the files and pivot into corporate networks.

The most recent of these vulnerabilities is a remote code execution bug in OpenSSL, a widely-used open source cryptographic library.

Impact

According to Cortex Xpanse, 250000 QNAP and Synology NAS devices are exposed to the public internet.

Vulnerability Detection

Devices running OpenSSL libraries v1.1.1 -> v1.1.1k and v1.0.2 -> v1.0.2y could be vulnerable.

Products which may be affected

– NetApp ONTAP (investigating)
– QNAP NAS running HBS 3 (investigating, as well as an earlier CVE-2021-28799)
– Synology (investigating)

Containment, Mitigations & Remediations

Where possible, don’t expose devices to the Internet.
Where remote access is required it may be advisable to put the service behind a VPN or use IP whitelisting to control access.

Mitre Methodologies

– T1190 – Exploit Public-Facing Application
– T1486 – Data Encrypted for Impact

Further Information

OpenSSL – Vulnerabilities

NetApp OpenSSL Vulnerabilities in NetApp Products

Synology-SA-21:24 OpenSSL

QNAP – Out-of-Bounds Vulnerabilities in OpenSSL

CVE-2021-28799

New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices