Backing Your Backup: Defending NAS Devices Against Evolving Threats
By Stephen Hilt and Fernando Mercês
As access to data and information evolves, cybercriminals also change their techniques and targets. As a result of evolving levels of sophistication targeting the internet of things (IoT), users and businesses now rely on network-attached storage (NAS) devices to store and back up their files and ensure continuous workflow connectivity for power users. More recently, a growing number of cybercriminals have been pivoting their attention to NAS devices because of the amount of valuable information stored inside them and the optional security measures that they offer.
Here are some of the threats that target users’ and businesses’ NAS devices based on recently documented attack scenarios:
Ransomware: NAS devices are vulnerable and can fall prey to both traditional and modern ransomware types alike. The most notable routines that we observed in recent months were those for Qlocker, REvil, eCh0raix, and DarkSide. Each ransomware family, not to mention each variant, explores potential entry points via vulnerabilities and configurations in the devices’ Linux-based platforms, which suggests how NAS devices can be included in the damaging business models that these ransomware groups use to increase profit.
Botnets: Botnet infections and attacks have run rampant in IoT devices since 2016, mainly due to botnets’ capability to spread infections to as many hosts as possible, all in the name of helping cybercriminals achieve their many aims, such as launching distributed denial-of-service (DDoS) attacks. NAS devices are ideal targets due to the minimal security defenses and protection installed in them, which are not enough once attackers have compromised one. Moreover, even older malware types and infections can remain undetected in these IoT devices for years due to lack of patching, further increasing the risks for NAS users due to the number of potential illicit uses in addition to DDoS, such as information theft and proxy networks. We elaborate on this threat in our paper by using StealthWorker as an example.
Cryptomining: NAS devices remain vulnerable to illicit cryptocurrency-mining attacks and threats due to security issues in the devices’ software versions and the lack of implemented updates. Cryptominers can brute-force Secure Shell (SSH) credentials and gain access to a system, thereby affecting its performance and life span. While others might consider it merely an annoyance that coinminers such as UnityMiner and Dovecat use their NAS resources, these miners are actually a symptom of a bigger security concern and can be used for more malicious activities.
Highly targeted attacks: As backup storage devices, NAS devices are repositories of valuable information and can also be targets of advanced persistent threats (APTs) such as QSnatch (aka Derek), a malware family that specifically focuses on QNAP NAS devices. Despite its first campaign in 2014 and documented reports that merely suggest updates in 2018 and 2020, over 60,000 NAS devices have still been observed as infected by the malware. QSnatch, with its features of persistence and detection evasion, has a high level of sophistication and is likely used as a form of weapon for cyberespionage.
NAS devices are vital storage and backup tools that have become essential to ensuring businesses’ continuous operations and running consumers’ modern homes smoothly. Because of this, cybercriminals will continue to explore the attack and potential abuse scenarios of NAS devices as a starting point for more damaging attacks. As users depend increasingly on these connected devices, security teams and researchers must keep track of the escalation of threats and attacks by implementing and reinforcing security measures for these systems.