Unpatched QNAP NAS devices vulnerable to AgeLocker ransomware attacks

Not long after the NCSC warned organisations that use QNAP NAS devices about hackers using the QSnatch malware to compromise their networks, the firm has warned users about the AgeLocker ransomware that hackers are using to encrypt stored files.

In July, the National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned users of QNAP NAS devices to update their devices with the latest security fixes to prevent hackers from using the QSnatch malware to compromise their networks.

The QSnatch malware was first used between 2014 and mid-2017 to target QNAP NAS devices, and then again between late 2018 and late 2019, with the two campaigns distinguished only by the initial payload used and the malware's capabilities.

The second campaign, which the two agencies believe has now ended, infected a large number of QNAP NAS devices in the United States and Europe, so much so that by mid-June there were as many as 62,000 infected devices worldwide, of which 3,900 were in the UK and 7,600 in the U.S.

As per the advisory, QSnatch is injected into the firmware of a targeted NAS device during the infection stage, and the malicious code subsequently runs on the device, compromising it. The attacker then uses a domain generation algorithm (DGA) to establish a command and control (C2) channel: the DGA periodically generates multiple domain names, which the malware uses for C2 communications over HTTP GET requests.
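The C2 behaviour described above (a NAS host periodically resolving many freshly generated domain names) is something a defender can look for in resolver logs. The following is an added example, not code from the advisory or from QNAP: it applies a simple length-and-entropy heuristic (an assumption, not QSnatch's real DGA) to a constructed DNS query log and flags clients that resolve an unusual number of random-looking second-level labels.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log, one query per line (not a real capture):
# "<time> <client_ip> <queried_name> <rcode>"
SAMPLE_DNS_LOG = """\
09:00:01 10.0.0.5 qk3mxz8vpa1d.com NXDOMAIN
09:00:02 10.0.0.5 x7vl0hgt2nq9.net NXDOMAIN
09:00:02 10.0.0.7 www.google.com NOERROR
09:00:03 10.0.0.5 m2pq9zkrv4ws.org NXDOMAIN
09:00:04 10.0.0.5 update.qnap.com NOERROR
09:00:05 10.0.0.5 zt8bwq1lxc6h.com NXDOMAIN
09:00:06 10.0.0.7 mail.example.org NOERROR
09:00:07 10.0.0.5 h5kvz3ny0qpj.net NXDOMAIN
09:00:08 10.0.0.5 p9xmc7rvqt2l.org NXDOMAIN
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    n = len(text)
    counts = {c: text.count(c) for c in set(text)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def looks_algorithmic(label: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Heuristic (an assumption, not the real DGA): long, high-entropy label."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def flag_dga_clients(log_text: str, min_unique: int = 5) -> dict:
    """Return {client_ip: [names]} for clients resolving >= min_unique distinct
    algorithmic-looking second-level labels; other clients are omitted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _time, client, name, _rcode = m.groups()
        parts = name.lower().rstrip(".").split(".")
        if len(parts) < 2:
            continue
        if looks_algorithmic(parts[-2]):  # registrable label, e.g. "qk3mxz8vpa1d"
            hits[client].add(name.lower())
    return {c: sorted(v) for c, v in hits.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups, e.g. {names[:3]}")
```

Tune `min_unique` and the entropy threshold against your own baseline; legitimate CDN and telemetry hostnames can also look random, so treat a hit as a lead to correlate with the device's outbound HTTP, not as proof of infection.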

In response to the second wave of QSnatch malware attacks, QNAP revealed new firmware security updates in November last year that included new features such as Malware Remover and Security Counselor. These two features are supported by QTS 4.2 and later and QTS 4.3.5 and later respectively, indicating that organisations must immediately replace QNAP NAS devices that run OS versions older than QTS 4.2 to continue to enjoy security support.

Last Friday, QNAP, which is headquartered in Taiwan and is a leading provider of IT infrastructure applications for advanced computing, networking, and data storage, revealed in a security advisory that cyber criminals are now using the AgeLocker Ransomware to target QNAP NAS, Linux, and macOS devices.

"This new ransomware attempts to encrypt the files of victims by using the 'Age' encryption tool. QNAP Product Security Incident Response Team (PSIRT) has found evidence that the ransomware may attack earlier versions of Photo Station. We are thoroughly investigating the case and will release more information as soon as possible," the firm said.

"To secure your device and to protect your data from malicious ransomware attacks and unauthorized access, we strongly recommend updating QTS and all installed applications to their latest versions to benefit from vulnerability fixes," it added.

QNAP's latest security advisory concerning the threat posed by the AgeLocker ransomware has been included by the National Cyber Security Centre in its latest weekly threat report to warn organisations about the new threat to NAS devices attached to their enterprise networks.

Considering that the QSnatch malware targeted Network Attached Storage (NAS) devices that ran OS versions older than QTS 4.2 and successfully compromised over 62,000 NAS devices worldwide, it is possible that hackers are now using the AgeLocker Ransomware to target organisations that have not updated their NAS devices with the latest security patches.

According to security firm Trend Micro, QNAP NAS devices such as the QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS-253B are also vulnerable to the eCh0raix ransomware, which is capable of encrypting documents and text files, PDFs, archives, databases, and multimedia files, among others.

eCh0raix has been specially designed to terminate itself if it determines that an affected NAS device is located in Belarus, Ukraine, or Russia, indicating that its creators may hail from one of these countries. After gaining access to enterprise networks via infected NAS devices and encrypting stored files, hackers using the eCh0raix ransomware demand a ransom of 0.05 – 0.06 bitcoin, paid via a site hosted on Tor, in exchange for the decryption key.

According to Trend Micro, cyber criminals are using the eCh0raix ransomware to great effect against thousands of QNAP NAS devices that aren't usually safeguarded with anti-malware solutions and that have weak credentials or unpatched vulnerabilities. Researchers have observed thousands of web-facing NAS devices that are publicly accessible, which further increases their exposure to cyber criminals.
