
D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

 

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.

D-Link Devices Face Cyber Attacks Following End-of-Life Announcement

 



Cybersecurity researchers have confirmed ongoing exploitation of D-Link NAS devices. The devices were recently found to contain a critical flaw, and the manufacturer no longer offers support for them.


Critical Flaw and Discontinued Support


A critical security flaw, rated 9.2 on the severity scale, was found in several D-Link NAS models. The flaw may allow attackers to remotely execute malicious commands, putting sensitive data stored on these systems at risk. However, D-Link announced that it will not release a patch for this issue because the devices have reached EOL status. Users are instead advised to upgrade to newer products to stay protected.


Tens of Thousands of Devices Vulnerable


Researchers have discovered more than 60,000 vulnerable devices worldwide. The affected models include DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Versions 1.01 and 1.02, and DNS-340L Version 1.08. Although the number of potentially exploitable devices is very large, only around 1,100 instances of exploitation have been seen so far, according to the threat monitoring service Shadowserver.


Active Exploitation Starts


Exploitation attempts for this vulnerability, tracked as CVE-2024-10914, were first sighted on November 12. According to the researchers at Shadowserver, attackers are taking advantage of a command injection vulnerability in the "/cgi-bin/account_mgr.cgi" endpoint of the affected devices. Although exploiting this flaw is relatively complex, the availability of a public exploit increases the risk for users.

Shadowserver stresses that these devices should be taken off the internet, because their EOL status means D-Link will not release any further updates for them.
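Where a reverse proxy or gateway still sits in front of an affected NAS, its access log can be checked for traffic to the endpoint named above. The following is an added example, not code from the original post or from Shadowserver: it flags requests to /cgi-bin/account_mgr.cgi and marks those whose parameter values contain shell metacharacters after URL-decoding. The Common Log Format layout, the metacharacter set, the parameter name "p" and the log lines themselves are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/cgi-bin/account_mgr.cgi"   # endpoint named in the post
# Assumption: characters that let a parameter value break out into a shell.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
# Assumption: the proxy writes Common Log Format; adapt to your own layout.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

def decode_fully(value, rounds=3):
    """Undo repeated URL-encoding so that %253B is still seen as ';'."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def normalise_path(raw_path):
    """Decode, collapse duplicate slashes and dot segments, lowercase."""
    path = re.sub(r"/+", "/", decode_fully(raw_path))
    return posixpath.normpath(path).lower()

def scan(lines):
    """Return (source_ip, timestamp, status, verdict) for each endpoint hit."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        raw_path, _, query = target.partition("?")
        if normalise_path(raw_path) != ENDPOINT:
            continue
        values = [decode_fully(v) for _, v in parse_qsl(query, keep_blank_values=True)]
        hit = any(SHELL_META.search(v) for v in values)
        findings.append((ip, ts, int(status), "injection-like" if hit else "access"))
    return findings

# Constructed log lines: documentation IP ranges, placeholder parameter "p".
REQ = '{} - - [12/Nov/2024:03:1{}:00 +0000] "GET {} HTTP/1.1" 200 12'
SAMPLE_LOG = [
    REQ.format("198.51.100.7", 4, "/cgi-bin/account_mgr.cgi?p=a%3Bid"),
    REQ.format("203.0.113.9", 5, "/cgi-bin//./account_mgr.cgi?p=a%253Bid"),
    REQ.format("192.0.2.4", 6, "/cgi-bin/account_mgr.cgi?p=alice"),
    REQ.format("192.0.2.4", 7, "/index.html"),
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Any hit from an internet address, even one marked only as "access", shows that the management interface is reachable from outside and should be taken offline.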


Why NAS Devices Are Attractive


NAS devices centralize data storage, letting many users and devices access, share, and back up files. They are widely used in homes and businesses for their reliability, ease of use, and scalability. However, because they act as data hubs, they are attractive targets for cybercriminals, who typically try to steal, encrypt, or delete valuable information, most commonly through ransomware attacks.


What Users Should Do


Owners of affected D-Link NAS devices are therefore advised to replace them with supported models. Disconnecting the affected devices from the internet is one immediate step that reduces exposure.


Furthermore, users should keep their systems up to date and put robust security measures in place to protect their data. Cyber threats evolve very fast, and only a vigilant user can keep sensitive information safe.



QNAP NAS servers attacked by Checkmate ransomware

 

A new ransomware strain known as Checkmate has recently come to the attention of Taiwanese vendor QNAP, and early research suggests that it is targeting NAS machines with SMB services that are accessible via the internet. SMB is a communication protocol that allows nodes on a network of devices to exchange access to files. 

Objectives: 

The ransomware adds the .checkmate extension to the filenames of encryption keys and leaves an extortion letter with the name !CHECKMATE DECRYPTION README on the compromised devices. 

According to a report by BleepingComputer, some forum users claimed to have contracted the Checkmate ransomware in June. For a decryptor and a decryption key, the hackers want payment from the victims in bitcoins worth $15,000 each. 

According to QNAP, the malicious actors behind this campaign use accounts compromised by dictionary attacks to remotely log in to devices that are exposed to remote access. After gaining access, they begin encrypting files in shared folders, although according to victim claims, all the data is encrypted.

Resist ransomware threats 

The company advised users to utilize VPN software to decrease the attack surface and prevent threat actors from attempting to log in using hacked credentials. It also advised customers to avoid exposing their NAS machines to Internet access. 

Additionally, QNAP users were instructed to review all of their NAS accounts right away, double-check that they're using strong passwords, back up their files, and regularly create backup snapshots in case their data needs to be restored.

Disabling SMB 1
  • Log in to QTS, QuTS hero, or QuTScloud.
  • Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
  • Then select Advanced Options. 
  • The window for Advanced Options appears. 
  • Select SMB 2 or higher next to the Lowest SMB version. 

Updating QTS, QuTS hero, or QuTScloud
  • Register as an administrator on QTS, QuTS Hero, or QuTScloud.
  • Go to System > Firmware Update in the Control Panel. 
  • Click Check for Update under Live Update. 

The most recent update is downloaded and installed by QTS, QuTS hero, or QuTScloud. Additionally, QNAP stated last month that it is "thoroughly researching" a recent round of attacks that began in early June and are aimed at spreading the DeadBolt ransomware.

In the past two years, a wave of ransomware assaults has targeted QNAP NAS users, leading the vendor to publish several alerts and urgent updates, and even encourage for end-of-life hardware.

New DeadBolt Ransomware Attacks Have Been Reported by QNAP

 

QNAP, a Taiwanese network-attached storage (NAS) device vendor, has issued a warning to its clients about a fresh wave of DeadBolt ransomware attacks. "According to the QNAP Product Security Incident Response Team (QNAP PSIRT) investigation, the attack targeted NAS systems running QTS 4.3.6 and QTS 4.4.1, with the most affected models being the TS-x51 and TS-x53 series," the NAS manufacturer said.

This is the third time since the beginning of the year that QNAP machines have been infected with the DeadBolt ransomware. "QNAP strongly advises all NAS customers to check and update QTS to the most recent version as soon as possible, and to avoid exposing its NAS to the internet," the company said in its advisory. 

As many as 4,988 DeadBolt-infected QNAP devices were discovered in late January, prompting the company to issue a forced firmware update. In mid-March, there was a second spike in new infections. Asustor, a storage solutions provider, issued a warning to its clients in February about a wave of DeadBolt ransomware attacks aimed at its NAS devices. QNAP devices were attacked in a new wave of DeadBolt ransomware attacks, according to Censys, an Internet search engine.

QNAP patched several vulnerabilities in early May, including a major security flaw tracked as CVE-2022-27588 (CVSS 9.8) that might let a remote attacker execute arbitrary commands on susceptible QVR devices.

QNAP QVR is the Taiwanese company's video surveillance solution, which runs on its NAS devices without the need for additional software. DeadBolt attacks are also noteworthy for reportedly exploiting zero-day vulnerabilities in software to obtain remote access and encrypt systems.

According to a new report published by Group-IB, exploiting security vulnerabilities in public-facing applications has emerged as the third most common vector for gaining initial access, accounting for 21% of all ransomware attacks examined by the firm in 2021. However, QNAP owners infected with the DeadBolt ransomware will have to pay the ransom to receive a valid decryption key.

BotenaGo Botnet is Targeting Millions of Routers and IoT Devices

 

A new botnet malware called BotenaGo has been discovered in the wild. The malware has the capability to exploit millions of susceptible IoT (Internet of Things) products and routers.

Discovered by AT&T labs, BotenaGo is written in the Go programming language, which has been gaining popularity of late. Threat actors are using it to build payloads that are harder to detect and reverse engineer.

According to Bleeping Computer, BotenaGo is flagged by only six out of the 62 antivirus engines on VirusTotal, with some falsely identifying it as the Mirai botnet. 

The botnet incorporates 33 exploits for a variety of routers, modems, and NAS devices, with some notable examples given below: 

  • CVE-2015-2051, CVE-2020-9377, CVE-2016-11021: D-Link routers
  • CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-6334: Netgear devices
  • CVE-2019-19824: Realtek SDK based routers 
  • CVE-2017-18368, CVE-2020-9054: Zyxel routers and NAS devices 
  • CVE-2020-10987: Tenda products 
  • CVE-2014-2321: ZTE modems 
  • CVE-2020-8958: Guangzhou 1GE ONU 

“To deliver its exploit, the malware first queries the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions,” reads the blog post published by AT&T. 

“The string “Server: Boa/0.93.15” is mapped to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958).” 

The new botnet can target millions of devices with functions that exploit the flaws above. For example, a Shodan query for the string Boa, a discontinued open-source web server used in embedded applications, still returns nearly two million internet-facing devices. Once installed, the malware listens on ports 31412 and 19412; the latter is used to receive the victim IP. When a connection carrying that information arrives on that port, the bot tries each exploit against that IP address to gain access.
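The two listening ports give defenders a simple host-level check. The following is an added example, not code from the AT&T report or the original post: it parses the Linux /proc/net/tcp table format and reports sockets in LISTEN state on ports 31412 and 19412. The table excerpt is constructed, and a little-endian host is assumed.

```python
import ipaddress
import struct

BOTENAGO_PORTS = {31412, 19412}   # listening ports reported in the post
TCP_LISTEN = "0A"                 # LISTEN state code in /proc/net/tcp*

def decode_addr(hex_addr):
    """Turn the kernel's hex address (32-bit host-order words) into text."""
    raw = bytes.fromhex(hex_addr)
    # Assumption: little-endian host (x86, ARM, MIPSel); use ">" on big-endian.
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return str(ipaddress.ip_address(struct.pack(">%dI" % len(words), *words)))

def find_listeners(table_text, ports=BOTENAGO_PORTS):
    """Return (address, port, uid, inode) for LISTEN sockets on `ports`."""
    hits = []
    for line in table_text.splitlines():
        f = line.split()
        # Data rows start with "N:"; this also skips the header row.
        if len(f) < 10 or not f[0].endswith(":") or f[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = f[1].rsplit(":", 1)
        port = int(hex_port, 16)
        if port in ports:
            hits.append((decode_addr(hex_addr), port, int(f[7]), int(f[9])))
    return sorted(hits, key=lambda h: (h[1], h[0]))

# Constructed /proc/net/tcp excerpt: port 80 (benign), both BotenaGo ports in
# LISTEN, and one ESTABLISHED row (state 01) that must not be reported.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:7AB4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4410
   2: 0100007F:4BD4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4411
   3: 0A01A8C0:7AB4 0501A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 4412
"""

if __name__ == "__main__":
    import sys
    tables = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_TABLE]
    for table in tables:
        for hit in find_listeners(table):
            print("LISTEN %s port %d uid %d inode %d" % hit)
```

Run it with /proc/net/tcp and /proc/net/tcp6 as arguments to check a live Linux host; the inode in each hit can be matched against the socket links under /proc/<pid>/fd to find the owning process.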

Furthermore, the security researchers did not find any active C2 communication between BotenaGo and an actor-controlled server. The experts hypothesize the following possible scenarios:

1. The malware is part of a multi-stage modular malware attack, and it's not the one responsible for handling communications. 

2. BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets. 

3. The malware is still under development and was released in the wild accidentally.

Beware of Ongoing Brute-Force Attacks Against NAS Devices, QNAP Warns

 

Taiwanese firm QNAP has warned its clients of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urged them to strengthen their devices’ security by changing their passwords and default access port number, and disabling the admin account.

The company warned its customers by stating, “recently QNAP has received multiple user reports of hackers attempting to log into QNAP devices using brute-force attacks – where hackers would try every possible password combination of a QNAP device user account. If a simple, weak, or predictable password is used (such as ‘password’ or ‘12345’) hackers can easily gain access to the device, breaching security, privacy, and confidentiality.”

If a threat actor manages to guess the right password, they gain full access to the targeted device, allowing them to exfiltrate confidential documents or install malware. If the hackers are unable to brute-force their way in, the NAS devices’ system logs record the attempts with ‘Failed to login’ warning texts.

To protect their devices from ongoing attacks, customers have to enhance NAS security by changing the default access port number, implementing password rotation policies, and disabling the default admin account. Additionally, since the attack is only viable on Internet-facing NAS devices, QNAP recommends that customers do not expose their devices on public networks.

First, customers have to create a new system administrator account before disabling the admin account. On QNAP NAS devices running QTS 4.1.2, the following steps disable the default admin account:

• Go to Control Panel > Users and edit the ‘admin’ account profile.
 
• Tick the ‘Disable this account’ option and select ‘OK’.

Additionally, customers can configure the NAS device to automatically block IP addresses after a number of failed login attempts. QNAP has also published a checklist to help customers secure their devices and protect their data:

• Remove unknown or suspicious accounts from the device 

• Download QNAP MalwareRemover application through the App Center functionality 

• Change all passwords for all accounts on the device
 
• Set an access control list for the device (Control Panel > Security > Security level)
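The ‘Failed to login’ log entries and the automatic IP blocking described above can be combined into a simple detection. The following is an added example, not QNAP's code or log format: it counts failed logins per source IP in a sliding window and returns the addresses that reach a threshold. The log line layout, the threshold, the window and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout "<date> <time> <source-ip> <user> <message>"; only the
# 'Failed to login' text comes from the post, the rest is hypothetical.
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) .*Failed to login")

def block_candidates(lines, max_failures=5, window=timedelta(minutes=1)):
    """Map each IP that reaches max_failures failed logins inside a sliding
    window to (time the threshold was hit, usernames it tried)."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    users = defaultdict(set)
    flagged = {}
    for line in lines:            # lines must be in chronological order
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S")
        ip, user = m[2], m[3]
        users[ip].add(user)
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault(ip, when)
    return {ip: (t, sorted(users[ip])) for ip, t in flagged.items()}

def make_line(when, ip, user):
    return f"{when:%Y-%m-%d %H:%M:%S} {ip} {user} Warning Failed to login"

# Constructed sample: a fast burst, a slow guesser, and a user mistyping twice.
T0 = datetime(2021, 3, 30, 10, 0, 0)
SAMPLE_LOG = sorted(
    [make_line(T0 + timedelta(seconds=5 * i), "203.0.113.5", "admin") for i in range(6)]
    + [make_line(T0 + timedelta(seconds=30 * i), "198.51.100.9", "admin") for i in range(5)]
    + [make_line(T0 + timedelta(minutes=10 * i), "192.0.2.20", "alice") for i in range(2)]
)

if __name__ == "__main__":
    print("1-minute window: ", sorted(block_candidates(SAMPLE_LOG)))
    print("10-minute window:", sorted(block_candidates(SAMPLE_LOG, window=timedelta(minutes=10))))
```

With the one-minute window only the fast burst is flagged; the source that guesses every 30 seconds is caught only with the longer window, which is why a short blocking window alone does not stop slow brute-force attempts.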