Taiwanese hardware vendor QNAP has shut down a server that was used in a major brute-force hacking operation against internet-exposed network-attached storage (NAS) instances.
In a press release published on the QNAP website, the company said it had partnered with Digital Ocean in a two-day operation to shut down a malicious server that acted as the command-and-control (C2) center for a botnet of infected devices.
“The QNAP Product Security Incident Response Team (QNAP PSIRT) swiftly took action by successfully blocking hundreds of zombie network IPs through QuFirewall within 7 hours, effectively protecting numerous internet-exposed QNAP NAS devices from further attack,” the press release reads. “Within 48 hours, they also successfully identified the source C&C (Command & Control) server and, in collaboration with the cloud service provider Digital Ocean, took measures to block this C&C server, preventing the situation from escalating further.”
Mitigation steps
QNAP says IT admins can take several steps to protect their endpoints: changing the default access port number, deactivating port forwarding on routers and UPnP on the NAS, setting a stronger password, and updating the password regularly.
The company also “strongly” recommended these steps:
Disable the “admin” account
Set strong passwords for all user accounts and avoid using weak passwords
Update QNAP NAS firmware and apps to the latest versions
Install and enable the QuFirewall application
Utilize myQNAPcloud Link’s relay service to prevent your NAS from being exposed to the internet. If there are bandwidth requirements or specific applications necessitating port forwarding, you should avoid using the default ports 8080 and 443.
More information on how to do these things can be found in the manual.
QNAP’s NAS devices are a popular target among cybercriminals, as they can often be easily broken into and later used in ransomware attacks, BleepingComputer notes.
Via BleepingComputer