Patch now or be force-patched – QNAP distributes updates without being asked


The encryption Trojan Deadbolt (“locking bolt”) exploits a vulnerability in the QNAP operating system QTS that has been known for two days. All QNAP network storage devices accessible from the Internet that have not yet been updated to the latest QTS version are at risk.

As already reported by heise online, QNAP has recommended that operators of affected systems disable all port forwarding in the router for the time being if the “Security Counselor” scan indicates that the device is accessible via HTTP. They should then immediately update to the latest QTS version (5.0.0.1891 build 20211221).

Apparently, in QNAP’s view, device owners are carrying out these countermeasures and updates too hesitantly or not at all, so QNAP has now decided to forcibly install the update to the new version. The company evidently believed there was no other way of dealing with the threat.

As one might expect, such a measure does not go entirely smoothly with such a large user base: in some cases, for example, the update temporarily disabled the iSCSI connection, and manual intervention was required to make it usable again.

More critical, however, are the cases of users whose NAS was already infected with Deadbolt and who had already paid the ransom. They reported that they lost data as a result of the forced update, because the update removed, without being asked, the key and the associated decryption software supplied by the blackmailers, and ultimately triggered a restart. Anyone in this situation should therefore consider whether it would be better to disconnect the system from the Internet, or at least block connections to the QNAP update servers in the firewall, while the decryption is running.

When asked about the dilemma that a forcibly rolled-out update might do more harm than good in individual cases, a QNAP employee replied as follows: “I know that there are arguments in both directions as to whether we should do this or not. It is a difficult decision. But because of Deadbolt and our intention to stop this attack as soon as possible, we did it.”

One could say that QNAP was faced with a digital variant of the well-known trolley problem. Users affected by data loss will naturally judge whether the chosen approach was the right one differently from those for whom the update went smoothly and who are now protected from Deadbolt.


(tw)
