How to Defend Against Deadbolt Ransomware Attacks On NAS Devices

The Deadbolt ransomware was used by hackers to exploit vulnerabilities in NAS devices and hold organizations to ransom. Here’s how they do it and how to defend against such attacks.

November 22, 2022

Quick and easy network device installation is seldom a good way to manage risk. Users of popular network storage devices need to realize that enabling direct internet access to their classified information, the information needed for business operation, is never a good idea, as Deadbolt so ably demonstrates.

Deadbolt, a ransomware iteration that appeared in January 2022, primarily targets the NAS products of the Taiwanese company QNAP (Quality Network Appliance Provider), likely because it has about 53% of the market share of the targeted systems. While ASUSTOR NAS devices have also been attacked, this article focuses on the primary target.

While this is a look at a specific set of besieged devices, what we review here contains lessons for implementing critical information assets, including IoT and IIoT devices.


What is a QNAP NAS?

QNAP NAS (Network Attached Storage) devices for small/home offices, small businesses, and some medium businesses are relatively inexpensive, easy to set up, and often easily accessible by threat actors. While storage area networks (SANs) house an organization’s databases, NAS storage contains Word documents, Excel spreadsheets, and other files holding data across multiple classifications.

Figure 1: QNAP TS-664 (image, QNAP.com)

Paul Ducklin writes that these NAS boxes are “… miniature, preconfigured servers, usually running Linux.” For a small or home business installing a QNAP NAS, the customer just plugs it into her router, and UPnP enables effortless connection and availability. Larger organizations might require more sophisticated configuration for wired access, but this quick and easy implementation approach can be an easy path for gaining initial internet access to NAS devices.

External Facing UPnP Challenges

UPnP, also known by many security professionals and threat actors as universal PWN and play, is a set of protocols that allows any device on a network to discover any other device, enabling the establishment of sessions with those devices without any inherent authentication capability.

The intent behind UPnP was originally to provide home and home office users with an easy way to connect new devices to their internal networks. It was never intended to be used in an enterprise network environment, nor should it have ever been used to enable remote access.

What makes QNAP NAS devices easy to set up is the presence of enabled UPnP on the network router and on the devices to be connected. The router uses UPnP to identify available UPnP-enabled devices and add them to its port-forwarding capabilities. A crucial point to remember: if a threat actor can talk to a device via UPnP, they can possibly use all identified services or reconfigure device settings.

Once a device is known to a router, the router configures port mapping for the device’s offered services. When UPnP port forwarding is enabled on a wireless router, as in Figure 2, any external entity sending a session request to the public-facing router interface, with a port number of 55536, is forwarded to the QNAP NAS at 192.168.1.32. In effect, the NAS is directly connected to the internet, along with any known or unknown misconfiguration and coding vulnerabilities.

Figure 2: UPnP port forwarding on a wireless router, exposing the QNAP NAS at 192.168.1.32 (image)
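The port-mapping table the router builds through UPnP can be read back through the same Internet Gateway Device (IGD) protocol, which is how an administrator can check whether an entry like the one in Figure 2 exists. The following is an added example, not code from the article or from QNAP: the SOAP replies below are constructed to look like the WANIPConnection GetGenericPortMappingEntry responses an IGD router returns when its table is walked entry by entry (the 192.168.1.32 host, the 55536 port and the mapping descriptions are sample values taken from or invented for this illustration). The audit parses each reply and flags enabled mappings that forward traffic from any internet source to a host you consider sensitive, such as the NAS.

```python
"""Audit UPnP IGD port-mapping entries for internet-facing NAS services.

Added example; the responses are constructed samples shaped like
WANIPConnection:1 GetGenericPortMappingEntry replies, not captured data.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def _response(remote, ext_port, proto, int_port, client, enabled, desc):
    """Build one constructed GetGenericPortMappingEntry SOAP response."""
    return f"""<s:Envelope xmlns:s="{SOAP_NS}"
  s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse
      xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost>{remote}</NewRemoteHost>
      <NewExternalPort>{ext_port}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{int_port}</NewInternalPort>
      <NewInternalClient>{client}</NewInternalClient>
      <NewEnabled>{enabled}</NewEnabled>
      <NewPortMappingDescription>{desc}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>"""


# Constructed mapping table: the NAS entry from the article's Figure 2, an
# unrelated console mapping, and a disabled stale entry for the same NAS.
SAMPLE_RESPONSES = [
    _response("", 55536, "TCP", 55536, "192.168.1.32", 1, "NAS web admin (sample)"),
    _response("", 3074, "UDP", 3074, "192.168.1.50", 1, "game console (sample)"),
    _response("", 8080, "TCP", 8080, "192.168.1.32", 0, "old NAS mapping (sample)"),
]


def parse_port_mapping(soap_xml):
    """Turn one GetGenericPortMappingEntry response into a plain dict."""
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("SOAP envelope has no body element")
    fields = {}
    for child in body[0]:  # the *Response element's argument children
        name = child.tag.rsplit("}", 1)[-1]  # drop a namespace prefix if present
        fields[name] = (child.text or "").strip()
    return {
        "remote_host": fields.get("NewRemoteHost", ""),
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"].upper(),
        "internal_port": int(fields["NewInternalPort"]),
        "internal_client": fields["NewInternalClient"],
        "enabled": fields.get("NewEnabled", "1") == "1",
        "description": fields.get("NewPortMappingDescription", ""),
    }


def find_exposures(mappings, sensitive_hosts):
    """Return enabled, any-source mappings that land on a sensitive LAN host."""
    sensitive = set(sensitive_hosts)
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue  # a disabled entry is not reachable from the WAN side
        # An empty or 0.0.0.0 NewRemoteHost is a wildcard: any source may connect.
        wildcard = m["remote_host"] in ("", "0.0.0.0")
        if wildcard and m["internal_client"] in sensitive:
            findings.append({
                "external_port": m["external_port"],
                "protocol": m["protocol"],
                "internal_client": m["internal_client"],
                "internal_port": m["internal_port"],
                "reason": (f"{m['protocol']}/{m['external_port']} on the public "
                           f"interface forwards to {m['internal_client']}:"
                           f"{m['internal_port']} from any source"),
            })
    return findings


def audit(responses, sensitive_hosts):
    """Parse a list of raw responses and report the sensitive exposures."""
    return find_exposures([parse_port_mapping(r) for r in responses], sensitive_hosts)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES, {"192.168.1.32"}):
        print("EXPOSED:", finding["reason"])
```

In a real audit the responses would come from the router's WANIPConnection (or WANPPPConnection) control URL, walking NewPortMappingIndex from 0 until the router returns an error; the parsing and the exposure rule are the same. Any finding for the NAS is a mapping that the defense steps later in this article say should not exist.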


The QNAP Attack

Once threat actors gain access to the QNAP device, they leverage resident software and service vulnerabilities to install and execute their ransomware package. Over the past year, they have used different vulnerabilities that QNAP quickly patched. The most recent attack, on September 22, exploited a previously unknown vulnerability in Photo Station that QNAP fixed within about 12 hours.

The problem is not just with UPnP. It is also with the practice of exposing internal network devices to the public internet in any way.

Stephen Hilt, Éireann Leverett, and Fernando Mercês of Trend Micro provide a good walk-through of how Deadbolt infected vulnerable QNAP devices in June 2022. The attack path was the same in September, with a different software vulnerability leveraged. Hilt et al. provide the following high-altitude view:

  • Deadbolt uses a configuration file that dynamically chooses specific settings based on the vendor it targets, making it highly adaptable to new campaigns across multiple vendors.
  • The threat actors used two payment methods: a victim pays for a decryption key, or the NAS vendor pays for a decryption master key that supposedly decrypts all affected customer NAS devices. So far, neither QNAP nor ASUSTOR has purchased a master key, priced at over $1 million.
  • The key to decrypt an individual customer’s device is about $1,200, a ransom less than 10% of victims have chosen to pay.

There is an interesting thread on Reddit in which affected users discuss how they paid for the keys for the June 2022 attack and how that worked. It is also apparent that one of the fixes QNAP made to their systems broke the use of the decryption keys provided after June payments. However, QNAP offers detailed instructions for dealing with this problem, instructions that are not for the uninitiated. Keys for the September attacks might not be affected.

Playing Defense

Defense starts with not exposing storage devices to the public internet. This is an essential security requirement most users do not know about, or if they do, they are unaware that they opened a gaping hole in the perimeter wall. In the case of QNAP services, QNAP provides secure configuration advice, including shutting down port forwarding. But customers have to want to pay attention to vendor security advice.

QNAP provides a cloud service, myQNAPcloud, that provides a secure way to access their NAS solutions, including an easy way to configure routers for external access, least privilege management, and provisioning of multi-factor authentication. The most secure element of this configuration is removing direct public internet access to all of a customer’s NAS devices.

Setting up myQNAPcloud is a critical element of QNAP’s recommended approach to securing NAS access:

  1. Disable port forwarding on the router
  2. Set up myQNAPcloud on the NAS to enable secure remote access and prevent exposure to the public internet
  3. Update the NAS firmware to the latest version [while ensuring reasonable and appropriate supply chain risk management]
  4. Update all applications on the NAS to their latest versions
  5. Apply strong authentication for all NAS user accounts
  6. Take snapshots and back up regularly to protect your data

Another safeguard I would add to this list is changing the default port numbers for NAS services. This will not reduce risk significantly, but it is easy to do and will add frustration to threat actor efforts.
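Steps 1, 2 and 5 above are only effective if they actually took hold, and the NAS's own access log is the place to verify that: after port forwarding is disabled, no login should arrive from an address outside the LAN, and strong authentication should leave no successful login trailing a burst of failures. The following added example (not QNAP's software, and not a real QNAP log format) reads a constructed "timestamp user source action result" log, reports any login activity from non-RFC 1918 sources, and flags repeated failures against one account from one source. The log lines, the hypothetical format and the threshold are all assumptions made for this illustration.

```python
"""Check a NAS access log for signs the device is still reachable from outside.

Added example; the log layout is a hypothetical constructed format
(timestamp user source action result), not any vendor's real format.
"""
import ipaddress
import re
from collections import defaultdict

# LAN clients are identified by the RFC 1918 ranges. They are checked
# explicitly because ipaddress.is_private also treats documentation
# ranges such as 203.0.113.0/24 (used in the sample below) as private.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: three failed admin logins then a success from an
# outside address, and ordinary LAN activity from two other users.
SAMPLE_LOG = """\
2022-09-22T03:14:05Z admin 203.0.113.45 login FAILED
2022-09-22T03:14:07Z admin 203.0.113.45 login FAILED
2022-09-22T03:14:09Z admin 203.0.113.45 login FAILED
2022-09-22T03:14:12Z admin 203.0.113.45 login OK
2022-09-22T08:02:11Z alice 192.168.1.20 login OK
2022-09-22T08:30:40Z bob 192.168.1.21 login FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<action>\S+)\s+(?P<result>\S+)$"
)


def is_lan_address(addr):
    """True if addr is an RFC 1918 address; False for anything else or unparsable input."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def parse_log(text):
    """Parse the hypothetical log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            continue  # keep auditing rather than abort on one odd line
        events.append(match.groupdict())
    return events


def analyze(events, fail_threshold=3):
    """Summarize outside-source logins and repeated failures per (source, user)."""
    external_sources = set()
    failures = defaultdict(int)
    external_logins = []
    for e in events:
        if e["action"] != "login":
            continue
        external = not is_lan_address(e["src"])
        if external:
            external_sources.add(e["src"])  # any contact from outside means exposure
        if e["result"] == "FAILED":
            failures[(e["src"], e["user"])] += 1
        elif e["result"] == "OK" and external:
            external_logins.append((e["user"], e["src"]))
    brute_force = sorted((src, user, n) for (src, user), n in failures.items()
                         if n >= fail_threshold)
    return {
        "external_sources": sorted(external_sources),
        "brute_force": brute_force,
        "external_logins": external_logins,
    }


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for src in report["external_sources"]:
        print("NAS reached from outside the LAN:", src)
    for src, user, n in report["brute_force"]:
        print(f"{n} failed logins for {user} from {src}")
    for user, src in report["external_logins"]:
        print(f"successful login for {user} from outside address {src}")
```

An empty external_sources list after the checklist has been applied is the confirmation a defender wants; a non-empty one means some path to the NAS, UPnP or otherwise, is still open. The brute-force count is deliberately per source and account so that a single user mistyping a password on the LAN is not reported alongside a remote guessing run.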

Final thoughts

This is a story of what happens when storage is made available directly to the public internet via a high-risk method such as port forwarding. Port forwarding has value, but it should never allow direct access to data.

Organizations and individuals should always have a layer of defense between the data storage and those who want to access it, whether from the internal network or remotely. Applications that enforce least privilege, strong authentication, logging, and monitoring are the best way to build this layer. If a NAS or other storage provider has one, use it. If they do not, build one. If neither of these is an option, look for another vendor.


Image source: Shutterstock


Tom Olzak

Cybersecurity Researcher, Author & Educator

Independent security researcher and an IT professional since 1983, with experience in programming, network engineering, and security. I have an MBA as well as CISSP certification. I am also an online instructor for the University of Phoenix. I've held positions as an IS director, director of infrastructure engineering, director of information security, and programming manager at a variety of manufacturing, healthcare, and distribution companies. Before joining the private sector, I served 10 years in the United States Army Military Police with four years as a military police investigator. I've written four books, Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide. I am also the author of various papers and articles on security management.