Pierluigi Paganini July 06, 2021

Taiwanese vendor QNAP addressed a critical flaw, tracked as CVE-2021-28809, that could be exploited to compromise vulnerable NAS devices.

Taiwanese vendor QNAP fixed a critical vulnerability, tracked as CVE-2021-28809, that could be exploited by attackers to compromise vulnerable NAS devices.

The vulnerability affects certain legacy versions of HBS 3 Hybrid Backup Sync, it was reported to the vendor by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs.

“An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3 (Hybrid Backup Sync). If exploited, this vulnerability allows attackers to compromise the security of the operating system.” states the security advisory published by the company.

The vendor addressed the flaw in the following versions of HBS 3:

• QTS 4.3.6: HBS 3 v3.0.210507 and later
• QTS 4.3.4: HBS 3 v3.0.210506 and later
• QTS 4.3.3: HBS 3 v3.0.210506 and later

QNAP devices running QTS 4.5.x with HBS 3 v16.x are not affected.

In May, the Taiwanese vendor warned its customers of updating the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections.

At the end of April, experts warned of a new strain of ransomware named Qlocker that was infecting hundreds of QNAP NAS devices on daily bases.

The threat actors behind the attacks are exploiting an improper authorization vulnerability, tracked as CVE-2021-28799, that could allow them to log in to a NAS device

“A ransomware campaign targeting QNAP NAS began the week of April 19th, 2021. The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync).” reads the security advisory published by the vendor.

The attacks were first spotted on April 20, and the number of infections has skyrocketed into the hundreds per day, according to statistics provided by Michael Gillespie, the creator of ransomware identification service ID-Ransomware.

In May, QNAP also warned customers of threat actors that were targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware and exploiting a Roon Server zero-day vulnerability.

Early May, the Taiwanese vendor warned its customers of

Last week, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

Early this month, the Taiwanese vendor warned its customers of an ongoing wave of AgeLocker ransomware attacks on their NAS devices

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP)

[adrotate banner=”5″]

[adrotate banner=”13″]