Over twenty thousand of QNAP network-attached storage (NAS) units are awaiting a patch to fix a serious security hole that was fixed on Monday by the Taiwanese business. This SQL injection vulnerability (CVE-2022-27596) allows remote threat actors to insert malicious code into attacks against unpatched, Internet-exposed QNAP devices.
QNAP also assigned this problem a CVSS base score of 9.8/10 and noted it might be abused in low-complexity attacks by unauthenticated hostile actors without requiring user input. Customers running affected versions of QTS 5.0.1 and QuTS hero h5.0.1 are urged to update to QTS 5.0.1.2234 build 20221201 or later and QuTS hero h5.0.1.2248 build 20221215 or later in order to safeguard their systems from attacks.
You must log in as the admin user to update your device. Then, go to “Control Panel System Firmware Update,” select “Check for Update” from the list of “Live Update” options, and wait for the download and installation to finish. Customers are urged to update to the most recent version of the software as soon as possible, even though QNAP has not identified this weakness as being actively exploited in the wild. This is because NAS devices have a history of being the target of ransomware attacks.
Thousands Of Unpatched Devices Susceptible To This Attack
Just over 550 out of the more than 60,000 QNAP NAS machines that Censys security researchers discovered online have been fixed, according to a study they published one day after QNAP provided security upgrades to address this significant vulnerability.
“Censys has identified 67,415 hosts that appear to be running a QNAP-based system, however we were only able to determine the version from 30,520 of these servers. But if the warning is accurate, more than 98% of known QNAP devices would be susceptible to this attack “Mark Ellzey, a senior security researcher, stated.
Only 557 of the 30,520 hosts with a version were running QuTS Hero or QTS at a version greater than or equal to “h5.0.1.2248,” which means that this vulnerability could impact 29,968 hosts. Fortunately, there is still time to fix these susceptible NAS systems and protect them from assaults because this weakness has not yet been deployed in the wild, and proof-of-concept exploit code has not yet appeared online.
Numerous ransomware strains, including Muhstik, eCh0raix/QNAPCrypt, QSnatch, Agelocker, Qlocker, DeadBolt, and Checkmate, have targeted such devices recently; it bears emphasizing that QNAP customers should patch their NAS device right away to prevent threat actors from pounce and encrypt their files.
“Hundreds of thousands of QNAP users could be in peril if the exploit is made public and weaponized. To protect themselves against upcoming ransomware campaigns, everyone must quickly upgrade their QNAP devices “Ellzey tacked on.
Along with updating your NAS device as soon as possible, you should keep it offline to prevent remote exploitation. The NAS manufacturer has recommended customers using Internet-connected devices to take the following precautions to protect them from incoming attacks:
Turn off the router’s port forwarding feature by going to the management interface, looking at the NAT, virtual server, and port forwarding settings, and turning off the port forwarding setting for the NAS management service port (port 8080 and 433 by default).
Go to myQNAPcloud on the QTS menu, choose “Auto Router Configuration,” and uncheck “Enable UPnP Port forwarding” to disable UPnP on the QNAP NAS. You should also toggle off SSH and Telnet connections, change the system port number, change device passwords, and enable IP and account access protection using these precise step-by-step instructions.
How To Safeguard Against Zero-Day Threats And Attacks
Approaching a zero-day attack is essentially identical to approaching any other cyberattack. When responding to an unexpected circumstance, you may have very little information at your disposal.
1. Assess your risks.
The significance of companies being aware of the risks posed by cyberattacks is necessary. Building a security program with goals and metrics tailored to your needs and where you can more easily convey progress and priorities. To non-security stakeholders across your organization allows you to understand which risks impact your business most.
2. Correct your principles.
Abide by all cybersecurity compliance standards set forth in a strict framework, such as the Payment Card Industry (PCI). Make sure you have a reliable backup system and recovery plan. Check them frequently. Adopt a zero-trust approach and grant your partners and workers the proper levels of access. To avoid incorrect configurations, continuously review your servers, containers, and cloud services. Implement the best email security you can. If you don’t have enough professionals to monitor and respond 24 hours a day, find a reliable managed security service provider (MSSP).
3. Implement multiple security measures
Ensuring several layers of security is crucial. For instance, consider ensuring that the harm is contained and won’t compromise all your platforms if an endpoint is hacked, which may be due to a zero-day attack that is outside your control. By using many layers of defense, you can be sure that if an enemy manages to get past one, the next layer will stop them. A web application firewall solution instantly scans all incoming network traffic for dangers.
4. Obtain capability for incident response and patch management.
Many technologies, such as adopting a cloud security posture management tool and cloud identities and entitlements management (CIEM), can help you strengthen your patch management capabilities and are highly recommended. Sarah Wallace, a G2 cybersecurity specialist, emphasized the significance of having current cybersecurity software. According to Wallace, cybercriminals know that many firms still use outdated, legacy security software, making them easy targets.
5. Conduct tests and simulations
The most effective way to evaluate the effectiveness of your incident response plans and pinpoint areas for improvement is to conduct simulations, such as tabletop exercises. Even though you may not have any control over how or when you will be assaulted, you do have some control over how you will react when it does. It also emphasized how important it is to foster and advance a solid cybersecurity culture.
Conclusion
A severe security hole affecting its network-attached storage (NAS) devices that might result in arbitrary code injection has been fixed by Taiwanese manufacturer QNAP through the delivery of updates. The vulnerability tracked as CVE-2022-27596, has a CVSS of 9.8 out of 10 potential points. Both QTS 5.0.1 and QuTS Hero H5.0.1 are affected. In a Monday advisory, QNAP stated that the vulnerability would allow remote attackers to inject malicious code if exploited.
The NIST National Vulnerability Database (NVD) has identified the weakness as a SQL injection vulnerability despite the fact that the precise technical details around it are unclear. According to MITRE, “just as it may be feasible to read sensitive information, it is also possible to make changes to this information or even delete it with a SQL injection attack.” This means that a hacker may submit specifically created SQL queries that could be used as a weapon to get around security measures and access or change sensitive data.
