Network Attached Storage (NAS) Vendors Like QNAP Face Threats of Device Takeover

• In May 2020, several vulnerabilities were identified in the firmware of QNAP network-attached storage (NAS) devices. These vulnerabilities affect around 450,000 devices, which is approx 80% of all the devices available in the market.
• Three of the vulnerabilities (CVE-2019-7192, CVE-2019-7194, and CVE-2019-7195) exist in the Photo Station photo album app that comes preinstalled with the recently sold device models. The fourth one (CVE-2019-7193) exists in the QTS file manager app.
• All these vulnerabilities can allow an attacker to perform remote-takeover attacks.
• All the four vulnerabilities have since been patched by the vendor, QNAP Systems, Inc.

Other threats on QNAP NAS devices

• In October 2019, thousands of QNAP NAS devices were found infected with a malware dubbed QSnatch. This malware targeted the firmware and could steal the credentials and load malicious code retrieved from its command and control (C2) servers.
• In July 2019, ransomware dubbed eCh0raix was found in the wild, targeting documents on consumer and enterprise QNAP Network Attached Storage (NAS) devices.

Threats to other NAS device vendors

• In March 2020, a new variant of Mirai malware dubbed Mukashi was found targeting a critical vulnerability (CVE-2020-9054) in Zyxel NAS devices, exploiting them to rope the machines into an Internet of Things (IoT) botnet.
• In July 2019, some attackers targeted Synology Inc. networks to steal device admin credentials using brute-force attacks and infect few of the devices with ransomware. The company had to warn its users to change all NAS device passwords.

Security tips