- A user gets fooled into clicking on a link that brings down the payload.
- Ports are opened on a basic firewall (i.e., not a WAP), allowing the attacker to use methods like SQL injection.
This particular Qlocker attack appears to result from open firewall ports allowing SQL injection to occur. https://threatpost.com/qnap-nas-devices ... ck/165165/
To a large degree, this is QNAP's fault; the features on their NAS advertise hosting numerous types of web services. Because of this, we can confidently assert the following:
- QNAP should make sure that, out of the box, least privilege is the default security posture.
- QNAP should be following OWASP secure coding best practices. https://owasp.org/www-project-secure-co ... ed_content
- QNAP did not adequately run proper vulnerability scans or do dynamic or static code analysis before release. (SQL injection is an easy-to-find exploit).
- Web Application Firewall (WAF)
- Endpoint Detection & Response (EDR) - NOT just heuristic antivirus, sorry ClamAV doesn't cut it
- Data Leak Prevention (DLP)
- Enterprise Vulnerability Management (EVM)
- Security Orchestration, Automation, and Response (SOAR)
That is a partial list; unless you can put protections like that in place, you are at risk and running in a highly reactive mode to threats. All that said, I patched my QNAP and locked it down hard despite the fact I don't have a port open on my home firewall.
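The post's point about OWASP secure coding and SQL injection being "easy to find" comes down to how a web service builds its queries. The following is an added example, not code from the post, from QNAP, or from any analysis of the Qlocker attack: a constructed login check written the vulnerable way (string formatting) beside the parameterized form OWASP recommends, run against an in-memory SQLite table so the difference can be observed offline. The table, the account and the probe input are all constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database: one table, one account.

    A real application stores password hashes, not plaintext; the column is
    left as plain text here only so the query-construction difference is the
    sole thing under test.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The anti-pattern: user-controlled text is spliced into the SQL string,
    so quote characters in the input change the query's structure."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """The OWASP-recommended form: placeholders are bound by the driver, so the
    input is always treated as data and can never alter the query structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both implementations against the same inputs and report the results.

    The probe string is the textbook tautology used in every OWASP injection
    write-up; it is the kind of input a vulnerability scanner or a static
    analysis tool would flag long before release.
    """
    conn = make_db()
    good = ("admin", "correct-horse-battery")
    probe = ("nobody", "' OR '1'='1")
    results = {
        "vulnerable_valid_login": login_vulnerable(conn, *good),
        "safe_valid_login": login_safe(conn, *good),
        # Vulnerable version: the probe rewrites the WHERE clause and succeeds.
        "vulnerable_probe_login": login_vulnerable(conn, *probe),
        # Parameterized version: the probe is compared literally and fails.
        "safe_probe_login": login_safe(conn, *probe),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} -> {'LOGGED IN' if outcome else 'rejected'}")
```

Both functions accept the legitimate credentials; only the string-formatted one also accepts the probe, which is why static analysis rules for "SQL built by concatenation" and dynamic scans that submit quote characters catch this class of bug so reliably. Binding parameters fixes the query layer; least privilege for the database account the web service runs as (read-only where possible) limits what a remaining flaw could do.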