As the old saying goes, “You don’t know what you don’t know,” and this is all too true when it comes to security updates and patches for applications, systems, and devices. This is the reality facing the owners of roughly 29,000 unpatched QNAP network-attached storage (NAS) devices, as new ransomware makes its way across the internet and exploits these vulnerable pieces of equipment.
Ransomware is one of the most profitable types of malware out there, as these malicious programs demand money from their victims to restore unfettered access to their data. In the case of the QNAP devices, the attackers are targeting a vulnerability in the Linux-based QTS software. Exploiting this vulnerability gives the attacker access to the NAS device, where they can encrypt, manipulate, and even delete files.
The vulnerability in QTS, known as CVE-2020-2509, was detected as far back as April 2020 and is applicable to any NAS device running QTS 4.3.6 or earlier. Although it has been around for months, many owners of QNAP devices have not updated the software on their devices, leaving them vulnerable to attack.
This is especially concerning because NAS devices are used to store a wide variety of data, ranging from personal and financial documents to company data. Without the proper security updates and patches, these devices become an easy target for malicious actors looking to extort money.
Fortunately, QNAP has released a patch for the vulnerability. The company is also actively trying to alert users who have potentially vulnerable devices and is providing steps to update the device to the latest version of the software. However, with tens of thousands of vulnerable devices still out there, it’s critical for owners to take proactive measures and make sure their equipment is properly protected.
In summary, it’s essential for anyone with a QNAP NAS device to update their software to the latest version. Otherwise, their data is at significant risk from those looking to take advantage of any available vulnerabilities.