So, they're going after NASes now
I have a Synology DS414j.
I've checked my IP address on Shodan.io and I am not visible.
My NAS unit is up to date.
Do I have to worry?
QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions. The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the …
Don't know about your NAS, but unless you need it to be online I'd take it off the web. My QNAP's firewalled in both directions and I do updates manually. I don't know if they're going after QNAP because they are popular or because their software is vulnerable, but many posters on the QNAP boards are pretty critical of QNAP's OS. If I'd bought this as an online server I'd be pretty annoyed and QNAP don't make things easy for users. The advice to shut down unused apps and services is good, but it would be even better if I could just delete them permanently to stop them running in the first place; this is difficult (often requires Terminal access - you can't just delete them from the web UI) and then they just come back with the next update.
QNAP, Asustor, etc. vulnerabilities have been made worse by making it far too easy to publish services, pointing fingers at them using UPnP and not really warning users "Are you sure you want your management UI available to everyone on the internet?". Users who hadn't thought about security, only the features advertised, are mostly affected (which includes a friend of mine who I then had to ask what exactly he wanted, why do you want this, and realising he only wanted Plex available, nothing else). I've had 2 minor issues with firmware updates so I let them automatically update.
Just because it can have features accessible from anywhere doesn't mean you should use it.
Also, if you were to lose your data, can you live with that? (I personally use my QNAP NAS as my backup and media server; it then replicates to an online service, so in theory I have 2 backups as long as I check and make sure they are working.)
I own a QNAP TS473 configured as a RAID 10 12TB storage unit. I can't imagine exposing one of these NASes directly to the web. I have seen nothing on it that would make me think it's hardened in any way despite it running McAfee & QNAP's Malware Remover. When I need to access it remotely, I VPN into the Pepwave Balance 20X that it's behind. I also have all of the IoT crap (including TVs, Rokus & TiVos) on a separate VLAN from the NAS, computers & printers, as I assume that IoT junk is the most likely route for something bad to get past the Balance's firewall on its own since that crap is constantly chattering with the manufacturer's servers. But expose a QNAP NAS directly to the web, yikes no.
Not sure what his issue is. What I left out was that the "separate VLANs", which are uniquely assigned to specific ports on the router, run on separate physical Ethernet wiring which also connects to completely independent mesh WiFi network hardware (one set of hardware for each VLAN) with independent encryption keys. (The router's built-in WiFi isn't used.) So units on a given VLAN can't see packets from another VLAN even if their interfaces were in promiscuous mode & they were running packet sniffing software. (i.e. I don't rely on the VLAN packet tags for security over a common network. They are used by the router itself for its own internal use sorting packets between the Internet & specific physical Ethernet ports connected to VLAN-specific physical wiring to which that VLAN's unique WiFi hardware connects.) If the Pepwave router itself gets compromised, it's all over anyway, which is true no matter what.
My original point is that I would not let a QNAP be exposed directly to the Internet. Too much of a black box.
If it's your backup drive, it might still need to work for mobile devices. VPN isn't always a practical solution because it's difficult to make multiple VPN connections coexist.
Also, VPN is as good of an intrusion vector as anything else. There's no getting around the labor needed to keep remote access safe.
Some of these units are aimed straight at the enterprise and *should* be secured to a reasonable level as the operator will know the product.
Many are SOHO grade and not so rigorously maintained as the maintainer is "going with the flow" which really lays security in the lap of QNAP, Synology or whoever.
I asked a question in a forum which was basically "can I restrict this app's access to a specific IP range?" The helpful answer from the senior community "font of all knowledge" was
"Is your NAS open to the internet?"
"Well, I don't think so. But I've got some seemingly 'required system apps' with all the services they require running in the background and I have no idea what they access."
"Why are you worrying about it then?"
Unfortunately that's the "high level" security support most ordinary users are faced with. Even when something is presented on a plate, instead of suggesting shutting everything by default then opening access as required "they" believe one door, possibly shut, possibly locked, possibly with the key still hanging in the lock is enough.