Extortion attacks against servers and clients of all kinds do not appear to spare network-attached storage (NAS) devices, which are common in home and business environments. One of the best-known vendors in this sector, Taiwan’s QNAP, called on its users over the weekend to urgently change certain network settings on NAS devices reachable from the Internet to keep the data stored on them safe.
According to QNAP’s information, exposure to ransomware and brute-force attacks can be checked with one of the company’s own tools, the security advisor that runs under the QTS operating system. If the scan warns that the management interface is reachable on an external IP address via HTTP, certain system settings must be changed with immediate effect.
QNAP says that in this case both port forwarding on the router and the UPnP function on the NAS should be turned off urgently. The manufacturer’s description does not mention other protection methods (changing port numbers, using two-step authentication), nor does it specify exactly which attack users should fear or whether a fix will need to be downloaded later.
However, citing user feedback, a BleepingComputer article reported that this is the return of eCh0raix (also known as QNAPcrypt), a ransomware first used in 2019 that specifically attacks QNAP NAS devices, while others say it has been more significant since mid-December: systems are accessed through a vulnerability in Photo Station, QNAP’s photo manager.
At least two major attacks linked to eCh0raix have been reported in recent years. During a recent series of attacks last May, QNAP required customers to confirm administrator passwords, enable IP access protection to protect the NAS, and use port numbers other than the default 443 and 8080.