Taiwanese hardware vendor QNAP has shut down a server used in a major brute-force hacking operation against Internet-exposed Network Attached Storage (NAS) instances.
In a press release published on QNAP’s website, the company said it partnered with Digital Ocean in a two-day operation to jointly take down a malicious server that acted as a command and control center (C2) that managed a botnet of infected devices.
“The QNAP Product Security Incident Response Team (QNAP PSIRT) took swift action by successfully blocking hundreds of zombie network IPs via QuFirewall within 7 hours, effectively protecting countless Internet-exposed QNAP NAS devices from further attacks,” it said press release. “Within 48 hours, they also successfully identified the source C&C (Command & Control) server and, working with cloud service provider Digital Ocean, took measures to block this C&C server, preventing the situation from escalating further.”
Mitigation steps
QNAP says there are things IT administrators can do to protect their endpoints, and suggests changing the default access port number, disabling port forwarding on the routers and UPnP on the NAS, setting a stronger password, and ensuring that it password is updated regularly.
The company also “strongly” recommended these steps:
Disable the “admin” account
Set strong passwords for all user accounts and avoid using weak passwords
Update the QNAP NAS firmware and apps to the latest versions
Install and enable the QuFirewall application
Use myQNAPcloud Link relay service to prevent your NAS from being exposed to the Internet. If there are bandwidth requirements or specific applications require port forwarding, you should avoid using the standard ports 8080 and 443.
More information on how to do these things can be found in the manual here.
QNAP’s NAS devices are a popular target among cybercriminals as they can often be easily compromised and later used in ransomware attacks. BleepingComputer remembers.
Through BleepingComputer