[Fixed] Critical Bug Found in NAS Backup and Disaster Recovery Application

A critical access control bug, tracked as CVE-2021-28809, was discovered by a security researcher in QNAP’s disaster recovery and data backup application.

QNAP, a Taiwan-based network-attached storage (NAS) vendor, has addressed this security bug, which allows attackers to compromise vulnerable NAS devices.

The vulnerability stems from improper access control in the application: it fails to block unauthorized access, which allows attackers to run malicious commands, achieve remote code execution, escalate privileges, or read confidential data without the user’s authorization.

According to QNAP, the vulnerability is fixed in the following versions of HBS 3, and the company advises users to update the application to these or later versions:

  • QTS 4.3.6: HBS 3 v3.0.21507 and later
  • QTS 4.3.4: HBS 3 v3.0.21506 and later
  • QTS 4.3.3: HBS 3 v3.0.21506 and later

QNAP also released a security advisory confirming that the bug tracked as CVE-2021-28809 is fixed; the advisory includes details that were not listed in any security update published before 14th May 2021.

According to QNAP, devices running QTS 4.5.x with HBS 3 v16.x are not affected by the flaw and are not exposed to these attacks.

Another Backdoor Exploited by Qlocker Ransomware

QNAP also fixed another high-severity security bug, found in April, in the HBS 3 Hybrid Backup and Disaster Recovery application.

QNAP initially categorized this backdoor bug as Hardcoded Credentials and later reclassified it as Improper Authorization. The backdoor allowed the Qlocker ransomware to encrypt Internet-exposed NAS devices.

On 19th April, Qlocker began targeting QNAP devices in a large-scale campaign that deployed the ransomware payload, locked users’ files and demanded ransoms.

According to the report, the ransomware gang made around $260,000 in only 5 days by collecting ransoms of 0.01 bitcoin each. QNAP subsequently warned its users to secure their NAS devices against the AgeLocker ransomware attacks, which steal confidential data, and against the eCh0raix ransomware campaign.

The eCh0raix ransomware attacked QNAP devices between June 2019 and June 2020. Users should secure their devices against these attacks by following security best practices.