QNAP Vulnerability in QTS and QuTS hero - 20230403001¶
Overview¶
Several QNAP vulnerabilities, including the QTS and QuTS hero vulnerability described below, appear to be under active exploitation. Compromised devices are being used as infrastructure for successful Adversary-in-the-Middle (AiTM) attacks, with valid certificates pushed by the qcloud remote NAS management service.
What is vulnerable?¶
A vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code.
QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected.
What has been observed?¶
The WASOC has observed active exploitation of this vulnerability, with compromised QNAP devices used as infrastructure for successful Adversary-in-the-Middle attacks, with valid certificates pushed by the qcloud remote NAS management service.
Watch for enterprise accounts or devices interacting with qcloud domains; at this point that means any hostname ending in *.myqcloud.com. Note that myqcloud.com is the domain Tencent Cloud uses for its service endpoints (the second indicator below has the form of a Tencent Cloud Object Storage bucket endpoint, bucket-appid.cos.region.myqcloud.com), not QNAP's myQNAPcloud remote-access service, so some legitimate traffic to that domain is to be expected and should be baselined before alerting on it.
Resources¶
Indicators¶
havenhgaz-my[.]sharepoint[.]com/:o:/g/personal/tpost_hgmgt_com/ElWf532iYtNLoY5B10lBdC0BHXEK8tKp62xzGSZJwo0e-A?e=9DgRtq
katielheureux-1316850103[.]cos[.]sa-saopaulo[.]myqcloud[.]com/katielheureux[.]html
KQL¶
List of recipients receiving malicious emails (by URL link)¶
List of DNS queries for the indicator hostnames¶
List of users accessing a URL link¶
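The three hunts above as one query, added here as a worked example rather than taken from the advisory. It assumes Microsoft Sentinel with the Microsoft 365 Defender tables (EmailEvents, EmailUrlInfo, UrlClickEvents, DeviceNetworkEvents) and the DNS connector table (DnsEvents); the 30-day lookback is an assumption, and the hostnames are refanged copies of the indicators listed above. Each sub-query is normalised to the same columns so the results union into a single timeline of who received, resolved, clicked or connected to the indicators.

```kql
// Added hunting query; not part of the original advisory. Assumes Microsoft Sentinel
// with the Microsoft 365 Defender tables (EmailEvents, EmailUrlInfo, UrlClickEvents,
// DeviceNetworkEvents) and the DNS connector table (DnsEvents). The 30-day lookback
// is an assumption; the hostnames are refanged copies of the indicators above.
let lookback = 30d;
// Exact hostnames from the indicators. The SharePoint host is tenant-specific, so it is
// a usable indicator on its own; the path of the lure is not needed to match.
let iocHosts = dynamic([
    "havenhgaz-my.sharepoint.com",
    "katielheureux-1316850103.cos.sa-saopaulo.myqcloud.com"
]);
// 1. Recipients of emails carrying a link to the indicators (by URL link).
let mailHits = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where UrlDomain in~ (iocHosts) or UrlDomain endswith ".myqcloud.com"
    | join kind=inner (EmailEvents | where Timestamp > ago(lookback)) on NetworkMessageId
    | project Timestamp, Source = "Email", Principal = RecipientEmailAddress, Indicator = Url,
              Detail = strcat(SenderFromAddress, " | ", Subject, " | ", DeliveryAction);
// 2. DNS queries for the indicator hostnames (Sentinel DNS connector).
let dnsHits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name in~ (iocHosts) or Name endswith ".myqcloud.com"
    | project Timestamp = TimeGenerated, Source = "DNS", Principal = ClientIP, Indicator = Name,
              Detail = Computer;
// 3a. Users who clicked a matching link from mail or Teams (Safe Links telemetry).
let clickHits = UrlClickEvents
    | where Timestamp > ago(lookback)
    | extend Host = tostring(parse_url(Url).Host)
    | where Host in~ (iocHosts) or Host endswith ".myqcloud.com"
    | project Timestamp, Source = "Click", Principal = AccountUpn, Indicator = Url,
              Detail = strcat(ActionType, " | ", Workload);
// 3b. Endpoint connections to the hosts, which also catch access that did not start from an email.
let deviceHits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteUrl has_any (iocHosts) or RemoteUrl contains ".myqcloud.com"
    | project Timestamp, Source = "Endpoint", Principal = InitiatingProcessAccountName, Indicator = RemoteUrl,
              Detail = strcat(DeviceName, " | ", InitiatingProcessFileName, " | ", RemoteIP);
union mailHits, dnsHits, clickHits, deviceHits
| order by Timestamp desc
```

The broad ".myqcloud.com" match is deliberately wider than the single indicator and will surface any traffic to that domain, so review the Email and Click rows first (they name the user and the exact URL) and treat DNS and Endpoint rows as corroboration. Drop the broad match and keep only iocHosts once a baseline shows legitimate use of the domain.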
Recommendation¶
Updating QTS or QuTS hero¶
- Log in to QTS or QuTS hero as an administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
- QTS or QuTS hero downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.