[Security Weekly] QNAP NAS Appliances Targeted by Two Ransomware Campaigns
June 2022, Issue II
1. QNAP NAS appliances targeted by two ransomware campaigns
Taiwanese-based QNAP, a major global vendor of network-attached storage (NAS) devices, released an advisory in mid-June warning its customers of two ransomware campaigns actively targeting its devices.
QNAP’s NAS devices run the Linux-based QTS operating system. QNAP noted in the advisory that the DeadBolt ransomware has been targeting customers running older versions of QTS (v4.x) on their devices, and urged all users to update to the latest version immediately to protect against the ransomware.
Since DeadBolt locks users out of their devices by hijacking the login page with a ransom note, QNAP advised that even for a user who had already been compromised, upgrading to the latest OS would allow its built-in malware remover to automatically quarantine the ransom note and restore access to the login page.
At the same time, QNAP devices are being widely targeted by a new wave of eChoraix ransomware attacks. Also known as QNAPCrypt, eChoraix has been targeting vulnerable QNAP devices since 2019, using a variety of intrusion methods including brute-force attacks.
Unlike the high-profile ransomware gangs that hit large enterprises for high ransom figures, ransomware strains like DeadBolt and eChoraix are deployed to extract small ransoms (usually around $1,000) from a large number of end users, allowing their operators to keep a low profile and avoid law enforcement. NAS devices are a popular target because they are commonly managed outside the IT department.
2. Healthcare giant Kaiser Permanente exposes 70,000 customer records in cyberattack
Kaiser Permanente, a major US healthcare provider and one of the largest non-profit healthcare plan providers, suffered a business email compromise attack on April 5 that exposed the personal information of up to 70,000 customers.
The attack was revealed in a data breach notice sent to affected customers on June 3, in which the company disclosed that an attacker had gained access to the email account of an employee at the Kaiser Foundation Health Plan of Washington for several hours. From there, the attacker could potentially have accessed the “protected health info” of 69,589 individuals.
The exposed data included full names, medical service dates, and test results. Despite an investigation, the company has been unable to determine definitively whether the exposed data was actually accessed or exfiltrated.
3. US and allies dismantle massive Russian botnet with millions of hacked devices
The US Department of Justice disclosed on June 16 that, in cooperation with authorities in Germany, the UK, and the Netherlands, it had dismantled the operations of RSOCKS, a massive Russia-based botnet comprising millions of hacked devices.
RSOCKS operated on a subscription model similar to that of a proxy/VPN service. However, instead of offering its customers legally leased proxies from ISPs, it provided IP addresses from hacked devices around the world, in other words, a botnet. The RSOCKS botnet grew very quickly, starting with industrial and home IoT devices and then moving on to smartphones and computers.
Cybercriminals could easily purchase a subscription plan on the RSOCKS platform and then use its wide array of proxies to conduct DDoS, credential stuffing, phishing, and brute-force attacks on victims while hiding their true location. Victims included electronics manufacturers, universities, hotels, and many more.
To protect enterprise IT systems from automated attacks launched through botnets, a logic-based web application firewall (WAF) is necessary. By using AI algorithms to predict sophisticated attack patterns, a WAF can significantly mitigate bot attacks.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Car, Energy, Factory, City Solutions: Penta IoT Security