[SECURITY ADVISORY] DeadBolt Ransomware

[Toxic17]

Discussion of the Ransomware Deadbolt is here: viewtopic.php?f=45&t=164797

Release date: September 3, 2022
Security ID: QSA-22-24
Severity: Critical
CVE identifier: CVE-2022-27593
Affected products: Certain QNAP NAS running Photo Station with internet exposure
Status: Resolved

Summary
QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with internet exposure.
 
We have already fixed the vulnerability in the following versions: 

• QTS 5.0.1: Photo Station 6.1.2 and later
• QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
• QTS 4.3.6: Photo Station 5.7.18 and later
• QTS 4.3.3: Photo Station 5.4.15 and later
• QTS 4.2.6: Photo Station 5.2.14 and later

 
Recommendation
To protect your NAS from the DeadBolt ransomware, QNAP strongly recommends securing your QNAP NAS devices and routers by following these instructions: 

1. Disable the port forwarding function on the router.
2. Set up myQNAPcloud on the NAS to enable secure remote access and prevent exposure to the internet.
3. Update the NAS firmware to the latest version.
4. Update all applications on the NAS to their latest versions.
5. Apply strong passwords for all user accounts on the NAS.
6. Take snapshots and back up regularly to protect your data.

 
Setting Up myQNAPcloud on the NAS

1. Log on to QTS as an administrator.
2. Open myQNAPcloud.
3. Disable UPnP port forwarding.
   1. Go to Auto Router Configuration.
   2. Deselect Enable UPnP Port forwarding.
4. Enable DDNS.
   1. Go to My DDNS.
   2. Click the toggle button to enable My DDNS.
5. Do not publish your NAS services.
   1. Go to Published Services.
   2. Deselect all items under Publish.
   3. Click Apply.
6. Configure myQNAPcloud Link to enable secure remote access to your NAS via a SmartURL.
   1. Go to myQNAPcloud Link.
   2. Click Install to install myQNAPcloud Link on your NAS.
   3. Click the toggle button to enable myQNAPcloud Link.
7. Restrict which users can remotely access your NAS via the SmartURL.
   1. Go to Access Control.
   2. Next to Device access controls, select Private or Customized.
      Note: Selecting Private allows only the QNAP ID logged in to myQNAPcloud to access the NAS via the SmartURL. Selecting Customized allows you to invite other QNAP ID accounts to access the device via the SmartURL.
   3. If you selected Customized, click Add and specify a QNAP ID to invite the user.
8. Obtain the SmartURL by going to Overview.
   For questions on using myQNAPcloud, visit https://support.myqnapcloud.com/.

 

Updating QTS

1. Log on to QTS as an administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   QTS downloads and installs the latest available update.
   Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

 

Updating All Applications

1. Log on to QTS as an administrator.
2. Open App Center.
3. Locate Install Updates in the top-right corner of the window.
4. Click All.
   A confirmation message appears.
5. Click OK.
   QTS installs the latest versions of all applications.

 

Updating Photo Station

1. Log on to QTS as administrator.
2. Open the App Center and then click  .
   A search box appears.
3. Enter "Photo Station".
   Photo Station appears in the search results.
4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your version is already up to date.
5. Click OK.
   The application is updated.

 
Revision History: 
V1.0 (September 3, 2022) - Published
V1.1 (September 8, 2022) - Assign CVE ID

Source: https://www.qnap.com/en-uk/security-advisory/qsa-22-24