Batten Down the Hatches, Hackers Are Coming for Your NAS

Ransomware has been thriving in 2019, with hardly a week going by where we don’t hear about a new high-profile attack in the press. What receives less attention is how these attacks affect small and medium-sized businesses, but I think it’s safe to say that while big business and government attacks naturally get attention, small businesses are also fair game as they are less able to protect themselves. While thinking often still revolves around ‘what have we got that anyone would want to steal?’, ransomware has changed the game because it can hold entire businesses to ransom.

Windows has been a popular target, although Linux and macOS are more commonly in the sights of hackers. Windows is targeted partly because it is so ubiquitous in the enterprise and secondly because security best practices are usually ignored, or sometimes not implemented for technical reasons. One example is removing local administrator privileges from users, a goal that can be difficult to achieve without help from third-party privileged access management (PAM) solutions.

Once endpoints are infected, ransomware like Locky can encrypt network shares mapped to devices. Why just encrypt a local device when you can also steal potentially more important data sitting on servers? CryptoFortress goes even further and can encrypt network shares regardless of whether mapped drives have been configured. Windows 10 Controlled Folder Access can be used to restrict access to sensitive data locations to approved applications, helping to reduce the likelihood that ransomware could encrypt data. Controlled Folder Access can be useful as part of a defense-in-depth security strategy. For more information on how Controlled Folder Access works, see Controlled Folder Access in Windows 10 FCU on Petri.

Ransomware attacking NAS directly

While getting access to server file shares via Windows might seem the most likely way hackers would approach an attack, Kaspersky says in their Threat Evolution Report Q3 2019 that they are seeing new families of ransomware designed specifically to attack Network Attacked Storage (NAS). According to Fedor Sinitsyn, a security researcher at Kaspersky:

“Previously encryption ransomware targeting NAS was hardly evident in the wild, and this year alone we have already detected a number of new ransomware families focused solely on NAS. This trend is unlikely to fade, as this attack vector proves to be very profitable for the attackers, especially due to the users being completely unprepared for them as they consider this technology highly reliable. NAS devices are usually purchased as complete and secure products, which as it turns out is not the case. Consumers and especially business users need to therefore remain cautious when protecting their data”

Kaspersky says that hackers scan IP address ranges looking for NAS devices where web management interfaces are exposed. While you need to authenticate to get access to NAS management, other software with vulnerabilities can make devices vulnerable. Ransomware like eCh0raix targets vulnerabilities in QNAP NAS devices by using brute-force attacks to reveal weak login credentials.

How can I protect my NAS device?

NAS is often used to store backups, and naturally the goal of ransomware is to hijack your data for a ransom in the hope that you don’t have a working backup or that your backup is online and has been encrypted as part of the attack. But what can you do to make sure that NAS devices and backups stay safe?

  • Make sure that you have an offline copy of your backup that can be used to recover from a security incident.
  • Keep your NAS device up-to-date. Your device vendor will release security and functionality updates on a regular basis.
  • Don’t expose NAS to the public Internet.
  • If you need remote access, consider using a VPN instead of exposing NAS directly to the Internet.
  • If you need remote access, enable SSL and two-factor authentication.
  • Look at enabling any other security features that might be included with your NAS.
  • Make sure that default device passwords have been changed to strong passwords.
  • Follow other security best practices for Windows, like removing administrator privileges from users, limit use of privileged Active Directory accounts, make sure that accounts with administrator access have unique passwords, and use application control to block scripts, apps, and installers that are not approved for use in your organization.
  • Some NAS devices include integrated antivirus software which you might need to enable manually.

Many NAS devices designed for small businesses run their own operating systems based on Linux. But just because Windows isn’t deployed, it doesn’t mean they are immune to attack. So, take heed and make sure that your NAS devices are appropriately secured because NAS ransomware is on the rise.