Tag: NAS | SpinSafe

Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

April 9, 2024/in Internet Security

Apr 09, 2024NewsroomBotnet / Vulnerability

Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.

Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace them.

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter,” security researcher who goes by the name netsecfish said in late March 2024.

Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.

The issues affect the following models –

DNS-320L
DNS-325
DNS-327L, and
DNS-340L

Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.

In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.

The findings once again illustrate that Mirai botnets are continuously adapting and incorporating new vulnerabilities into their repertoire, with threat actors swiftly developing new variants that are designed to abuse these issues to breach as many devices as possible.

With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.

“Some scanning attacks originate from benign networks likely driven by malware on infected machines,”…

Source…

RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts

April 27, 2023/in Internet Security

Apr 27, 2023Ravie LakshmananLinux / Endpoint Security

The threat actors behind RTM Locker have developed a ransomware strain that’s capable of targeting Linux machines, marking the group’s first foray into the open source operating system.

“Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code,” Uptycs said in a new report published Wednesday. “It uses a combination of ECDH on Curve25519 (asymmetric encryption) and Chacha20 (symmetric encryption) to encrypt files.”

RTM Locker was first documented by Trellix earlier this month, describing the adversary as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that’s known to be active since at least 2015.

The group is notable for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement, and hospitals so as to draw as little attention as possible. It also leverages affiliates to ransom victims, in addition to leaking stolen data should they refuse to pay up.

The Linux flavor is specifically geared to single out ESXi hosts by terminating all virtual machines running on a compromised host prior to commencing the encryption process. The exact initial infector employed to deliver the ransomware is currently unknown.

“It is statically compiled and stripped, making reverse engineering more difficult and allowing the binary to run on more systems,” Uptycs explained. “The encryption function also uses pthreads (aka POSIX threads) to speed up execution.”

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Following successful encryption, victims are urged to contact the support team within 48 hours via Tox or risk getting their data published. Decrypting a file locked with RTM Locker requires the public key appended to the end of the encrypted file and the attacker’s private key.

The development comes as Microsoft revealed that vulnerable PaperCut servers are being actively targeted by threat…

Source…

QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

March 31, 2022/in Computer Security

Taiwanese company QNAP this week revealed that a selected number of its network-attached storage (NAS) appliances are affected by a recently-disclosed bug in the open-source OpenSSL cryptographic library.

“An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS,” the company said in an advisory published on March 29, 2022. “If exploited, the vulnerability allows attackers to conduct denial-of-service attacks.”

Tracked as CVE-2022-0778 (CVSS score: 7.5), the issue relates to a bug that arises when parsing security certificates to trigger a denial-of-service condition and remotely crash unpatched devices.

QNAP, which is currently investigating its line-up, said it affects the following operating system versions –

QTS 5.0.x and later
QTS 4.5.4 and later
QTS 4.3.6 and later
QTS 4.3.4 and later
QTS 4.3.3 and later
QTS 4.2.6 and later
QuTS hero h5.0.x and later
QuTS hero h4.5.4 and later, and
QuTScloud c5.0.x

To date, there is no evidence that the vulnerability has been exploited in the wild. Although Italy’s Computer Security Incident Response Team (CSIRT) released an advisory to the contrary on March 16, the agency clarified to The Hacker News that it has “updated the alert with an errata corrige.”

The advisory comes a week after QNAP released security updates for QuTS hero (version h5.0.0.1949 build 20220215 and later) to address the “Dirty Pipe” local privilege escalation flaw impacting its devices. Patches for QTS and QuTScloud operating systems are expected to be released soon.

A new ransomware gang known as “DeadBolt” is targeting QNAP NAS customers using an alleged zero-day vulnerability.

The attacks have impacted vulnerable QNAP network-attached storage (NAS) devices exposed to the internet. DeadBolt, the ransomware at the center, appears to be a new gang and ransomware strain, as initial reports came early this week.

Taiwanese hardware vendor QNAP published a blog Wednesday to confirm the ongoing attacks and urge users to secure their devices. Specifically, the blog provides instructions to users on how to check whether an NAS device is accessible from an external IP address, as well as how to change this by disabling port forwarding and Universal Plug and Play functionality.

“DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom,” the post read. “QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version.”

According to ransom notes posted by alleged victims and security researchers, DeadBolt is demanding 0.03 bitcoin from victims (currently valued at just over $1,100 USD).

“This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor (QNAP),” the ransom note read. QNAP NAS users have dealt with other ransomware variants in recent weeks and months, including variants Qlocker and eCh0raix.

The ransom note includes an additional note from DeadBolt to QNAP, claiming the threat actor is targeting users via a zero-day vulnerability and that in order to receive vulnerability details and a universal decryption key, the vendor must send 50 bitcoin (almost $2,000,000 as of this writing) to the threat actor. Alternatively, QNAP can send 5 bitcoin (approximately $190,000 as of this writing) to receive only the vulnerability details.

Tag Archive for: NAS