Let’s discuss a vulnerability that was used against a very unusual target (at least in comparison to the ones we normally wrote about). We probably talk more often about vulnerabilities that impact big targets, but today we are gonna cover one that’s going to balance that statistic.
Now imagine this scenario: You work as a cyber security expert in a big corporation. You’ve gone mad because of a colleague who’s clicked on a link in a suspicious email for the 4th time this year and because of Microsoft who seemingly can’t keep their zero days in check. You’ve spent the last 12 hours in the office waiting for security patches to install and can’t wait to go home and look at the photos of your dog when he was just a pup.
Or even worse: Imagine you work as a photographer for a living. You’ve just caught a weekend free from snapping photos at weddings and whatnot, and you finally want to dedicate some time to open Photoshop, finish the work, and get paid.
Plot twist: You try to access your QNAP NAS (Network-Attached Storage) drive and see that your photos are inaccessible. All your family vacation photos, pet photos, and wedding photos have been encrypted by a DeadBolt ransomware and turned into some rather abstract art (gibberish).
Before: a photo of a cat. After: the artwork of Donald Judd (from a wider perspective). This has actually happened, and it’s because of CVE-2022-27593.
The Vulnerability
What gives this vulnerability a CVSS base score of 9.1, among other things, are the facts that it requires no user interaction and that it can be performed remotely, which often means you don’t get a fighting chance until it already hits you. There aren’t many details made public about this vulnerability, but the weakness that opened the door to DeadBolt ransomware, CWE-610 leaves us some room to speculate.
If we look at the weakness description, as well as the CVE-2022-27593 description, we can assume that the attacker has been able to somehow inject a reference to a file outside the directory that the access was supposed to be limited to. Having accomplished that, he was able to modify, upload and rewrite QTS system files with the modified ones, ultimately obtaining RCE (remote code execution) and installing ransomware.
Remediation
At this point, we’re probably all familiar with ransomware. They encrypt your data with a key familiar only to the attacker, after which he uses your locked data as leverage to extort money from you. Once your data is encrypted, in most cases there is nothing you can do except pay up. We can safely assume that somebody with sufficient skills to discover this vulnerability would unfortunately also be knowledgeable enough in the area of cryptography to use a decent algorithm that won’t be easily cracked.
Even if that’s not the case, brute forcing even the weakest encryptions (in terms of modern encryption standards) would still be an extremely time and resource-consuming task, requiring a lot of knowledge. For any remotely serious brute forcing, you would likely need to find a bunch of targets, exploit CVE-2022-33891, take control over hundreds, up to tens of thousands of Apache Spark farms, and employ them to your cause.
To your misfortune, with most modern encryptions, even that would be in vain, so don’t do anything silly.
Affected Configurations And Mitigation
To check if your QNAP NAS is affected, we recommend that you refer to QNAP’s security advisory, as the list is long and conditioned by both the Photo Station and QTS versions. As always, the best thing to do is install the updates that address this issue.
If you cannot do that or want to additionally secure your intellectual property, you can disconnect QNAP NAS from the internet by disabling port forwarding. If you rely heavily on accessing your photos remotely, there are a few workarounds for that:
- myQNAPcloud: This lets you access QNAP NAS stored photos from anywhere.
- Qsync: Allows for file synchronization between a computer and QNAP NAS, enabling access to stored photos.
- QVPN: Establishes a secure and private connection to a QNAP NAS, allowing for remote access to stored photos without port forwarding.
Bonus tip: If you are looking at the photos on your QNAP NAS and suddenly a certain photo or a set of photos won’t open or seem fragmented, it may be that they are being encrypted at that very moment. Most ransomware use FBE (File-Based Encryption), meaning that they lock files one by one, instead of piling them up in bulk and encrypting them at once
If this happens, we recommend you unplug your NAS and back up all your data directly from its drive without booting QTS, as it’s likely to be compromised and will probably continue encrypting more and more data until you have none left.
Last but not least, if you’ve found our article informative and helpful, feel free to subscribe to our blog.
Subscribe to be updated on the new content!