Just so we can all understand the attack vector, this is my understanding:
- QNAP fixed some SQL/Command injection vulnerabilities in February in the QTS firmware, Multimedia Console and Media Streaming Add-On but this wasn't mentioned in the update notes for those versions
- On April 16 they released a Security Advisory telling people about this issue and that people needed these versions from February to be secure. One for the apps and one for the firmware.
- Also on April 16 they released an update fixing injection vulnerabilities as well as a hard-coded credential issue in HBS 3 Hybrid Backup Sync but did not mention this anywhere outside the update notes
Perhaps the vulnerabilities were fixed in February and they chose not to mention them for a couple of months to avoid alerting bad actors until most people would have updated to secure versions. They didn't do the same with HBS 3 though, which is an application that would run on your NAS whether you'd ever opened it and set anything up in it or not. In fact you could say they instead did the following on April 16:
"Hey Bad Guys, there's an injection vulnerability in older firmware and Multimedia Console which we don't let people uninstall. We fixed these a couple of months ago, but if you check the update notes for HBS 3 which we only just fixed today, you'll see it has the same or similar issues and we haven't told anyone about it outside of those update notes. Enjoy!"
QNAP claim the hard-coded credentials in HBS 3 haven't been used, but point to the SQL Injection issue in the older firmware and Multimedia Console as the problem. Many, myself included, had these up to date at the time of the attack, but not the April 16 update of HBS 3. They did say to update HBS 3 afterwards in response to this attack, but still never released a Security Advisory about its injection issue. After the ransomware had started they put one out about the hard-coded credentials issue, but left out the injection issue.
I'm happy to be proven incorrect about any of this.