Hot potato: QNAP has issued a security statement urging its NAS users to take immediate action to protect their data from ongoing ransomware and brute force attacks. Although the responsible parties have not been identified, widespread attacks appear to target any vulnerable network device. The company has provided security configuration instructions and mitigation measures that must be followed immediately by all QNAP NAS users.
A safety statement released by memory provider on Friday released a very clear instruction for QNAP NAS users to take immediate action to protect their network devices or disable them. Attacks that appear to target any network device with Internet access pose the greatest risk to Internet-connected devices with little or no protection.
QNAP users with the ability to access and secure their devices can check if their device is connected to the Internet with the QNAP Security Advisor. According to the company, a user’s NAS is at risk and is at high risk if the Security Counselor console displays a result that says, “The system administration service can be directly accessed from an external IP address …”.
In case the user’s NAS is connected to the Internet, the QNAP Security Statement provides instructions to determine which ports are open and how to disable port forwarding on the user’s router and UPnP on the NAS.
Port forwarding, also known as port mapping, redirects requests from a source address and port to a different address and port. Port forwarding is no longer considered a serious risk by some users and administrators, as the software firewalls that ship with most modern operating systems can provide adequate protection when properly configured.
However, QNAP specifically stated that enabling port forwarding, UPnP, or demilitarized zone (DMZ) may cause the NAS to directly connect to the Internet, leaving the device vulnerable to attacks. It is recommended that the NAS remain behind a user’s router and firewall without a public IP address.
NAS users who do not have access to or are familiar with the Security Counselor console still have the final nuclear option – to simply unplug the device, cutting off any potential communication with the outside world. While this may sound radical, the fact remains that attackers scanning vulnerable targets cannot hit what they cannot see.
Image Credit: Michael Geiger