QNAP warns of new bug prompting worries of potential Deadbolt ransomware exploitation

Data-storage hardware vendor QNAP is warning customers to update their devices after the discovery of a vulnerability that exposes thousands to attacks. 

The company published an advisory this week about the bug — CVE-2022-27596 — which affects QNAP devices running proprietary QTS 5.0.1 and QuTS hero h5.0.1 software. The company has given the bug a CVSS score of 9.8 out of 10.  

“The vulnerability is not actively exploited now,” a spokesperson for QNAP told The Record.

Still, there is one big reason for QNAP hardware users to be highly vigilant: Thousands have been terrorized for more than a year by the Deadbolt ransomware gang, which has specifically targeted QNAP customers. 

The bug was discovered by a third-party researcher and reported through the company’s Security Bounty Program, the spokesperson said.

Several researchers, including some from security company Censys, expressed concern that QNAP has deemed the issue “a critical vulnerability with a low attack complexity, no authentication required, and it can be exploited remotely.”

“Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts. But, if the advisory is correct, over 98% of identified QNAP devices would be vulnerable to this attack,” Censys senior security researcher Mark Ellzey said. 

“We found that of the 30,520 hosts with a version, only 557 were running QuTS Hero greater than or equal to ‘h5.0.1.2248’ or QTS greater than or equal to ‘5.0.1.2234,’ meaning 29,968 hosts could be affected by this vulnerability.”

The country with the most vulnerable hosts was the United States, which had more than 3,200. Italy, Taiwan, Germany and Japan were not far behind. 

Deadbolt activity

Censys data shows that the Deadbolt group has infected more than 20,000 devices and collected about $200,000 from victims — many of whom use QNAP network-attached storage (NAS) devices to store treasured family photos, wedding videos and other personal files. The company also created a dashboard to track the number of victims around the world.

Since January, thousands of QNAP customers using the company’s NAS devices have reported being attacked by the DeadBolt ransomware group, which demands a ransom of 0.03 Bitcoin ($1,100) for the decryption key.

After the initial attacks affected about 3,600 devices in January 2022, the group continued to resurface with campaigns in March, May and June this year. Reddit and other message boards have been flooded with customers lamenting the loss of files that included family photo albums, wedding videos and more. Dozens of users took to Reddit to complain that they were among those attacked in the most recent campaign. 

In a note to QNAP, the hackers demanded 5 Bitcoin ($93,900) to reveal details about the alleged zero-day vulnerabilities they initially used to attack its users and another 50 Bitcoin ($939,000) to release a master decryption key that would unlock all of the victims’ files. 

Security company Emsisoft released its own version of a DeadBolt decryptor after several victims reported having issues with the one they received in exchange for paying a ransom. 

However, it only works with a decryption key supplied by the operators of the DeadBolt ransomware through a ransom payment.QNAP has previously warned of different ransomware strains being used to target their users, including the Checkmate ransomware and the ech0raix ransomware.

Article Link: QNAP warns of new bug prompting worries of potential Deadbolt ransomware exploitation