QNAP recently addressed a critical security vulnerability you need to be aware of.
Previous to the fix, the company had included hard-coded credentials to serve as a backdoor to the device.
Unfortunately, hackers became aware of this and began abusing those credentials. That resulted in a number of confirmed instances where hackers gained access to the device via the backdoor, then installed ransomware and encrypted all of the files on the device.
The issue is being tracked as CVE-2021-28799, and at this point, has already been resolved.
All you need to do is to download and install the latest version of the software your device uses, which will be one of the following:
- QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
- QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
- QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later
To update HBS on your NAS device, simply log into QuTS Hero or QTS as an administrator and do a search for the phrase "HBS 3 Hybrid Backup Sync" in the App Center. Once you've found that, click "Update" and "Ok" to start the process. Note that if your software is already up to date, then the "Update" button will be greyed out.
This is not the first time that QNAP devices have been targeted by hackers. Given the sensitive data they invariably contain, they're almost the perfect target for ransomware attacks. Recently, the company issued guidance relating to how to check your device for the presence of malware, and these steps are well worth following at periodic intervals:
- Change all passwords for all accounts on the device
- Remove unknown user accounts from the device
- Make sure the device firmware is up-to-date, and all of the applications are also updated
- Remove unknown or unused applications from the device
- Install QNAP MalwareRemover application via the App Center functionality
- Set an access control list for the device (Control panel -> Security -> Security level)
Make sure you're up to date as soon as possible. This security patch should be given highest priority.