[Update] Active Exploitation of QNAP Network Attached Storage (NAS) by Ransomware

Published on 24 Apr 2021

Updated on 14 Jun 2021

SingCERT has received several reports of ransomware attacks on unpatched QNAP devices.

QNAP Systems (QNAP) issued a security advisory in Apr 2021 to address two critical vulnerabilities affecting QNAP NAS. Cyber criminals have actively exploited these vulnerabilities to deploy ransomware. 

The vulnerabilities are:

  • CVE-2020-36195: An SQL injection vulnerability in Multimedia Console and the Media Streaming Add-On, which may allow a remote attacker to obtain application information
  • CVE-2021-28799: An improper authorisation vulnerability that affects QNAP NAS running HBS 3 Hybrid Backup Sync, which may allow a remote attacker to access the device

Administrators and users of affected products should update to the latest version immediately. QNAP administrators should also disable Secure Shell (SSH) and Telnet services if these are not necessary, and avoid using the default ports 443 and 8080 to access the NAS. Instructions on how to modify the ports can be found here: https://www.qnap.com/en/how-to/faq/article/what-is-the-best-practice-for-enhancing-nas-security.

Users should also update to a strong password of at least 12 characters which includes upper case, lower case, numbers and special characters. QNAP users should also maintain updated and offline backups of their critical data for system restoration in the event of a ransomware attack.
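The checks from the two paragraphs above can be scripted. The following is an added example, not code from SingCERT or QNAP: it tests whether the services named in the advisory still accept connections and whether a candidate password meets the stated rules. It assumes SSH and Telnet run on their standard ports 22 and 23, and the NAS address shown is a placeholder.

```python
import re
import socket

# Ports 443 and 8080 are named in the advisory; 22 and 23 are the standard
# SSH and Telnet ports (assumption: the NAS uses those defaults).
ADVISORY_PORTS = {
    22: "SSH",
    23: "Telnet",
    443: "web access on default port",
    8080: "web access on default port",
}


def open_ports(host, ports=ADVISORY_PORTS, timeout=1.0):
    """Return {port: label} for every listed port that accepts a TCP connection."""
    found = {}
    for port, label in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found[port] = label
        except OSError:
            pass  # closed, filtered or unreachable
    return found


def password_problems(password):
    """Return the advisory's password rules that `password` fails (empty = passes)."""
    rules = [
        (len(password) >= 12, "shorter than 12 characters"),
        (re.search(r"[A-Z]", password), "no upper-case letter"),
        (re.search(r"[a-z]", password), "no lower-case letter"),
        (re.search(r"[0-9]", password), "no number"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [message for ok, message in rules if not ok]


if __name__ == "__main__":
    nas = "192.0.2.10"  # placeholder address: replace with your own NAS
    for port, label in open_ports(nas).items():
        print(f"{nas}:{port} open ({label}): disable it or move it off the default")
    for problem in password_problems("constructed-sample"):  # constructed value
        print("password:", problem)
```

Run it from a machine on the same network as the NAS, and again from outside that network, to see which services are reachable from each side.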

If the QNAP NAS is infected with ransomware, do not shut down the device. Take the following steps:

  • Disconnect it from the network (i.e. unplug the network cable)
  • Scan immediately with the latest Malware Remover, downloaded from the QNAP website, and contact QNAP Technical Support at https://service.qnap.com/
  • Unaffected users are also recommended to install the latest Malware Remover version and run a malware scan as a precautionary measure

More information is available here: