Do you have any QNAP devices attached to your network?
If so, be advised that they've become the new favorite inroad for hackers around the world. According to a report recently published by researchers at 360 Netlab, hacking groups are increasingly exploiting weaknesses in some NAS devices running a variety of QNAP firmware versions that suffer from command injection vulnerabilities.
The good news is that this vulnerability has already been addressed by QNAP with their release of firmware version 4.3.3. The better news is that the company addressed this back in July of 2017.
Unfortunately, not many people are good about keeping their firmware up to date, so you may have one or more vulnerable devices and not even realize it. Both QNAP and the researchers at 360 Netlab recommend checking the version number of the firmware you're using, and upgrading immediately if you are at risk.
If you're looking for additional technical details about what caused the problem and how it was addressed, see below.
QNAP had this to say about version 4.3.3 of their firmware
"This release replaced the system function with qnap_exec, and the qnap_exec function is defined in the /usr/lib/libuLinux_Util.so.0," 360 Netlab said. By using the execv to execute a custom command, command injection has been avoided."
Sadly, this isn't the first time QNAP has been the target of hackers. In fact, there's an ongoing ransomware campaign that utilizes eChoraix ransomware to encrypt NAS devices. Just last month, the US's CISA and the UK's NCSC issued a joint malware alert about a malware strain called QSnatch that also targets QNAP NAS devices (see the blog articles listed below).
Our perspective
In any event, although this issue has long been resolved, it's clear that there are a great number of vulnerable devices out there, both on home and office networks. Kudos to 360 Netlab for shining a light on them, and to QNAP for moving swiftly to correct the issue.
~ Quote from Narcotics Anonymous. “Insanity is doing the same thing, over and over again, but expecting different results.” ~
By Denis Wilson and Melissa Stockwell
Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.
I'm Denis Wilson, President and Principal Consultant for DWP Information Architects. We build people/process/technology solutions to create better business outcomes for smaller enterprises in Los Angeles. We have created cost-effective office productivity and out-sourced service solutions for over 20 years, focusing principally on manufacturing, professional services, and healthcare. Our hallmarks are cloud and on-premises network reliability, cost-effective cybersecurity, and livable small business regulatory compliance.
I am also a published author and speaker, working extensively with business and professional associations to provide small business technology education programs. Contact me if you would like me to speak at your association
