Don’t let attackers abuse your NAS!


NAS has become an increasingly common way to handle file and backup storage. But no matter how it’s used, the information it contains must be protected from a variety of threats.



Over the past decade, more and more organizations have turned to network-attached storage, making it critically important to safeguard the information stored there. Here’s a look at some of the current threats to NAS and advice on how to better protect your data.

What exactly is a NAS?

A NAS device is a storage appliance that holds multiple hard drives, often configured in different RAID modes for data redundancy or performance improvements. The device has its own operating system, which is frequently derived from Linux. It can be accessed over the network, often by connecting a browser to it. That connection can be on a local network or on the internet, depending on the configuration of the NAS.

The most widely used network file-sharing protocols on NAS devices today are NFS, SMB and AFP, depending on whether the NAS needs to be accessed from Linux, Windows or macOS.


Most common NAS security issues

It can be handy for a NAS administrator to access a NAS via the internet, especially when it’s located in a different physical location from its owner, which happens often. But as with every device connected to the internet, this does not come without risks.

The password problem

A NAS comes with a default password for the administrator account. Some NAS providers even allow the first login to use an empty password before setting one. Attackers can therefore scan the internet for NAS devices and, when they find one, try the default password to connect to it.

Remote code execution (RCE)

Sometimes also known as command injection, RCE is an operation by which an attacker gains control of the NAS device without any need for a password. In this scheme, an attacker injects code by exploiting existing vulnerabilities on the device to gain access to it, generally with administrator privileges. The attacker can then use it at will: steal or destroy data, install malware on the device, etc.

Bounce from other connected devices

A NAS can also sit on a local network with many other devices, including computers that might have direct access to it and may be constantly connected to it. An attacker who gains control of such a device might use it as a stepping stone to reach the NAS and once again do whatever they like with the data stored on it.


Malware on NAS

Several cases have appeared in the last few years where attackers successfully accessed NAS devices and used the compromise for cybercrime purposes.

Abusing the NAS: The cryptocurrency miner case

Recently, a NAS vendor released a security advisory about Bitcoin miners being fraudulently installed on its devices. Once the NAS gets infected, it shows unusually high CPU usage from a process named [oom_reaper] eating about 50% of the CPU to mine Bitcoin.

While this kind of malware does not steal data or invade privacy, it is still dangerous because it ruins the performance of the system and reduces the lifespan of the NAS components and its hard drives.
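The symptom described above can be checked from a process listing. The following is an added example, not code from the vendor advisory or the article: it assumes a procps-style `ps -eo pid,ppid,pcpu,args` listing (the sample is constructed) and relies on the fact that genuine Linux kernel threads are children of kthreadd (PID 2), so a bracketed name with any other parent is a user-space process imitating one.

```python
# Constructed sample of `ps -eo pid,ppid,pcpu,args` output from a hypothetical
# infected NAS; PID 4711 imitates the kernel thread's bracketed name.
SAMPLE_PS = """\
  PID  PPID %CPU COMMAND
    1     0  0.1 /sbin/init
    2     0  0.0 [kthreadd]
   35     2  0.0 [oom_reaper]
  812     1  0.3 /usr/sbin/sshd -D
 4711     1 49.8 [oom_reaper]
"""

KTHREADD_PID = 2  # on Linux every kernel thread is a child of kthreadd (PID 2)


def find_fake_kernel_threads(ps_output):
    """Return (pid, ppid, cpu, name) for user-space processes posing as kernel threads."""
    suspects = []
    for line in ps_output.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, ppid, cpu = int(parts[0]), int(parts[1]), float(parts[2])
        args = parts[3].strip()
        # ps puts a name in brackets when the process has no command line, which
        # is normal for kernel threads; a user-space process can get the same
        # look simply by naming itself with brackets.
        bracketed = args.startswith("[") and args.endswith("]")
        genuine = pid == KTHREADD_PID or ppid == KTHREADD_PID
        if bracketed and not genuine:
            suspects.append((pid, ppid, cpu, args))
    # Highest CPU first: a miner is usually the busiest impostor.
    return sorted(suspects, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    for pid, ppid, cpu, name in find_fake_kernel_threads(SAMPLE_PS):
        print(f"suspicious: pid={pid} ppid={ppid} cpu={cpu}% name={name}")
```

On a live device, a genuine kernel thread also has an empty `/proc/<pid>/cmdline` and no resolvable `/proc/<pid>/exe` link, which gives a second check for any PID this flags.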

Possible cyber espionage

The QSnatch malware, which has existed since 2014, targeted about 62,000 NAS devices with its last version in mid-2020. During the infection stage, the malware is injected into the device firmware, which makes it persistent. It also prevents the NAS from being updated.

The malware serves a fake version of the device admin login page, scrapes credentials and provides an SSH backdoor to the attacker.

It also steals a predetermined set of files, including configuration and log files. Those files are encrypted and sent to the attackers’ infrastructure over HTTPS.

Ransomware on NAS

Several ransomware cases have hit the NAS world in the last two years.

The Qlocker ransomware has targeted NAS from QNAP and used the popular 7-ZIP format to archive files stored on the NAS. The archives were created using a single password known only to the ransomware operator. Once the encryption was done, a ransom note asked for 0.01 Bitcoins (about $550 at the time of the operation) in exchange for the password for the files.

While each ransomware attack generally targets a single NAS vendor, the eCh0raix ransomware recently targeted the two biggest NAS vendors, QNAP and Synology, at the same time. That ransomware also requested a fairly low ransom (about $500) compared to other ransomware campaigns, which target companies and sometimes ask for millions of dollars.


How to protect your NAS

To protect your NAS from cybercriminals, the following tips can help.

Change the default password

The first step when installing a new NAS on a network is to change the default password. Some vendors are taking the default password problem seriously, like QNAP, which decided in mid-2020 to set the MAC address of the device as the default password.

In all cases, go for a robust password, at least 10 characters long, which does not contain words but combines upper- and lowercase letters with numbers and special characters.

Don’t allow inbound connections from the internet

Once the NAS is installed and working, block inbound connections from the internet to its administration panel. Instead, make it reachable only from your local network, or even from a single computer inside that network. Allow outbound connections, though, so that the NAS can still update its software and firmware when a new update is released.

Update your NAS software and firmware

Since attackers often use remote code execution and do not need any password for that, always update the software and firmware of the NAS as soon as possible.

Disable unnecessary protocols and secure the needed ones

Disable all protocols you do not need on the NAS. If FTP is not needed, disable it. Use HTTPS instead of HTTP. Close all ports that will not be used, according to your needs.

Change default ports

If you really need the NAS to be accessed via the internet, change the default ports of the services it needs: HTTP, HTTPS, SSH, etc.
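The exposure, protocol and port advice above can be audited from the NAS's own list of listening sockets. This is an added example, not part of the original article: it assumes `ss -tln` style output (the sample is constructed), uses the well-known default ports 21, 22, 80 and 443, and treats a service bound to all interfaces as exposed whenever the router forwards traffic to it.

```python
import ipaddress

# Well-known default ports of the protocols named in the article.
CLEARTEXT = {21: "FTP", 80: "HTTP"}
DEFAULTS = {22: "SSH", 80: "HTTP", 443: "HTTPS"}

# Constructed sample of `ss -tln` output from a hypothetical NAS.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:21          0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     192.168.1.20:22     0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     [::]:80             [::]:*
"""


def scope(addr):
    """Classify the bind address of a listening socket."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"  # reachability is decided only by router/firewall
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "lan" if ip.is_private else "public"


def audit(ss_output):
    """Return sorted (port, issue) findings for every LISTEN line."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        addr, port = addr.split("%")[0].strip("[]"), int(port)
        where = scope(addr)
        if where == "loopback":
            continue  # not reachable from the network at all
        if port in CLEARTEXT:
            findings.add((port, f"{CLEARTEXT[port]} is unencrypted: disable it "
                                "or switch to the encrypted equivalent"))
        if where in ("all-interfaces", "public") and port in DEFAULTS:
            findings.add((port, f"{DEFAULTS[port]} on its default port and "
                                "not bound to a LAN address only"))
    return sorted(findings)
```

Calling `audit(SAMPLE_SS)` reports the FTP and HTTP listeners as unencrypted and the HTTP and HTTPS listeners as default-port services open on every interface, while the LAN-bound SSH and loopback-only listeners pass.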


A NAS is a great device for storing data, but security should be the major concern when installing it on a network. With the security advice provided in this article, your NAS should be safe from most wide-scale attacks.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
