QNAP's Response, Action, and Statement to Recent DeadBolt Attacks

Taipei, Taiwan, September 12, 2022 - QNAP® Systems, Inc. has detected the security threat DeadBolt exploiting a vulnerability within Photo Station to encrypt QNAP NAS that are directly connected to the Internet. The QNAP Product Security Incident Response Team (QNAP PSIRT) made the assessment, released a patched version of Photo Station within 12 hours, and took emergency measures to interrupt ransomware attacks. For more information, see the security advisories and updates: QSA-22-24.

Response actions taken within 12 hours

  • Prompt investigation and assessment of vulnerability reports
    The QNAP PSIRT received reports on 3 September 2022 and immediately started investigating. After confirming that the attack was targeting instances of the Photo Station app exposed to the Internet, an emergency response team made up of members from PSIRT, R&D, Design Quality Verification, and Technical Support was formed and quickly fixed the vulnerability.

  • Patched Photo Station to limit the scope of malware attacks
    QNAP took decisive action against the malicious activity, patching the latest version of Photo Station and releasing it within 5 hours after identifying the malware patterns. Because the QTS App Center automatically installs required updates for Photo Station, the patch protects QNAP NAS connected to the Internet from continued attacks and thus limits the potential impact.

  • Enabled cloud-based malware definitions to block malware attacks
    QNAP PSIRT enabled cloud-based malware definition updates after thorough analysis and testing of the attack patterns. This emergency action has effectively protected NAS that had not installed the patched app from the encrypting ransomware threat.

  • Quickly disclosed the cyber attack
    After releasing the patched Photo Station, QNAP published the Security News and Security Advisories within 12 hours to proactively disclose this issue, and urged users to take the necessary measures against attacks.

  • Recommends using snapshots to restore NAS data
    QNAP amended NAS snapshots in 2021 to prevent snapshots from being deleted by ransomware. In QTS 5.0.0, snapshots are enabled by default in Thin/Thick Volume. Users who create snapshots regularly can restore full NAS data to a specific point in time using snapshots. Users who don’t create snapshots regularly should contact QNAP Customer Service as soon as possible. QNAP urges all QNAP NAS users to take regular snapshots to safeguard important data.

QNAP discovered the attack pattern and effectively blocked suspicious behavior

QNAP’s security team determined that the DeadBolt malware attacks arrive via The Onion Router (Tor), an anonymizing network. QNAP has collected a list of malicious hosts and preloaded this blacklist into the QuFirewall application. QuFirewall blocks packets suspected of being sent through onion routing to prevent NAS hosts from being attacked. It detects onion routing and malicious bots every day, and dynamically updates its list of blocked sources. Since most malware is routed through anonymous onion routing to avoid being traced, QNAP urges all QNAP NAS users to install QuFirewall immediately to work with us to block malware attacks.

If your NAS is exposed to the Internet, follow the instructions below to ensure NAS security:

Step 1: Disable your router’s DMZ and UPnP function

Go to the management interface of your router, check the router’s DMZ, UPnP, Virtual Server or Port Forwarding settings, and disable the related settings.

Step 2: Disable the UPnP function of the QNAP NAS

Go to myQNAPcloud on the QTS menu, click “Auto Router Configuration”, and unselect “Enable UPnP Port forwarding”.

Step 3: Be careful with Port Forwarding (disabling the function is recommended)

If you do not need to externally connect to your NAS, it is recommended to disable Port Forwarding and other settings relating to forwarding to the NAS. If redirecting to the NAS is required, you should implement strict security configurations such as a firewall, and adjust the system management port.

About QNAP

QNAP (Quality Network Appliance Provider) is devoted to providing comprehensive solutions in software development, hardware design and in-house manufacturing. Focusing on storage, networking and smart video innovations, QNAP now introduces a revolutionary Cloud NAS solution that joins our cutting-edge subscription-based software and diversified service channel ecosystem. QNAP envisions NAS as being more than simple storage and has created a cloud-based networking infrastructure for users to host and develop artificial intelligence analysis, edge computing and data integration on their QNAP solutions.

Media inquiries

marketing@qnap.com