There have been several widely reported, large-scale attacks on NAS devices. The 2021 Qlocker ransomware campaign targeted QNAP devices by exploiting a flaw in software bundled with them. The threat actors are said to have made about $350,000 USD in a single month. The Qlocker gang has since shut down, possibly to avoid detection, and all of its associated websites have been taken offline.
This is worrying because it means victims of the last wave can no longer pay the ransom or obtain their decryption keys. Their only option is to wipe the NAS and restore their data from backups. Synology devices have also been attacked and exploited on occasion: the SynoLocker ransomware, first seen in 2013, has continued to resurface in various forms.
NAS devices are targeted because, to cybercriminals, they are just as valuable as servers: they hold a great deal of useful data, and the victim of a ransomware attack stands to suffer badly, so many will pay to regain access. From the attacker's perspective a NAS has two further advantages over a server: it is usually easier to exploit, and it is frequently not backed up. That leaves paying for the decryption key as the victim's only option, assuming, of course, that the criminals are still supplying keys.
9 NAS Security Best Practices
1. Make a NAS Backup
A NAS is probably one of the largest data stores on your network, and may well be the largest. That makes backing it up difficult: what has the capacity to hold its backups? But without a backup to fall back on, the cybercriminals have complete control over you. If you don't have a reliable, tested backup plan, you will have to pay the ransom and cross your fingers that the decryption key works.
Network backups are often stored on a NAS. Because it is local, it is quick to back up to and quick to restore from. But if the NAS itself is not backed up, you are putting your company at risk. For most NAS equipment, off-site backup is the only practical choice. Backing up to a cloud service can accommodate high-capacity devices such as a NAS. If your company operates several sites or branches, they can be configured to back up to one another automatically, provided they have the capacity and your infrastructure can handle the bandwidth.
Create a backup test schedule and stick to it. Check the reliability of your backups regularly: you need to know that they are being produced on schedule, that they are stored somewhere safe from deterioration or corruption, and that they are immediately available and can restore your data quickly and exactly.
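As an added illustration of the backup checks just described (example code, not from the original article): a Python script that verifies a backup set against a manifest and flags files that are missing, stale (missed their schedule) or corrupt (checksum mismatch). The manifest format, file names and 24-hour schedule are assumptions, and the sample backup set is constructed in a temporary directory.

```python
import hashlib, json, os, tempfile, time
from pathlib import Path

MAX_AGE = 24 * 3600  # assumed schedule: a backup older than a day missed its run

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream it: backup archives rarely fit in memory
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_backup(backup_dir, manifest_path, now=None, max_age=MAX_AGE):
    """Check each manifest entry (assumed format {relative_path: sha256hex});
    returns {path: problem}, empty when the backup set passes."""
    now = time.time() if now is None else now
    manifest = json.loads(Path(manifest_path).read_text())
    problems = {}
    for rel, expected in manifest.items():
        path = Path(backup_dir, rel)
        if not path.exists():
            problems[rel] = "missing"   # never produced, or deleted
        elif now - path.stat().st_mtime > max_age:
            problems[rel] = "stale"     # did not run on schedule
        elif sha256_of(path) != expected:
            problems[rel] = "corrupt"   # content changed since the manifest was written
    return problems

def build_sample_set(root, now):
    """Constructed sample set: one good file, one corrupt, one stale and one missing."""
    backup_dir = Path(root, "nas-backup")
    contents = {"shares/finance.tar": b"finance archive", "shares/hr.tar": b"hr archive",
                "config/settings.dss": b"settings export"}
    manifest = {}
    for rel, data in contents.items():
        path = backup_dir / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    manifest["shares/mail.tar"] = hashlib.sha256(b"never written").hexdigest()  # missing
    (backup_dir / "shares/hr.tar").write_bytes(b"hr archive\x00")  # corrupt after manifest
    os.utime(backup_dir / "config/settings.dss", (now - 3 * 86400,) * 2)  # stale: 3 days old
    manifest_path = Path(root, "manifest.json")
    manifest_path.write_text(json.dumps(manifest))
    return backup_dir, manifest_path

def demo():
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        return verify_backup(*build_sample_set(root, now), now=now)
```

Run `demo()` to see the three problem entries; only `shares/finance.tar` passes all three checks.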
2. Change the Default Passwords
Change all of the default passwords on your NAS. Leaving them in place is like leaving your premises unattended and unlocked all night; you wouldn't do that, and the same reasoning applies here. Change the default password of the admin account and of any other account, such as an SSH account, that lets someone access or connect to your network storage system. Make sure each password is strong and unique. A good template is three unrelated words joined by digits or punctuation.
On most NAS systems you can create a new user account and give it administrator privileges. This is more thorough still if you then strip the administrator privileges from the default admin account, or delete the default admin account altogether.
An attacker's malware will not know the name of your real administrator account, and brute-force attempts against the default administrator account will get it nowhere.
3. Use Two-Factor Authentication
If your device supports it, turn on two-factor authentication. You then use a registered smartphone app or a hardware security key to obtain or generate a token or code for every login attempt. The token or code is a second form of identification (something you have) on top of your user ID and password, which are something you know.
With two-factor authentication enabled, your user ID and password alone are not enough to get into your account, so it stays protected even if an attacker gets hold of your credentials.
4. Turn Off Any Unused Services and Apps
A modern NAS comes with a full array of tools and apps pre-installed. Every program you run enlarges your attack surface, and some of that software will inevitably have flaws of its own. Qlocker exploited a weakness in QNAP's multimedia management software.
On a Synology NAS, for example, you can install WordPress from the Synology Package Center. Outdated, unpatched WordPress installations are notoriously insecure. Disable anything you are not using; in particular, turn off SSH, FTP, telnet and Wi-Fi Protected Setup (WPS) if you don't need them. Also review the apps bundled with the NAS and disable or remove any you don't use: they may run daemons or services that accept connections and could be vulnerable even if you have never opened them.
5. Patch Your NAS and Software
Keep all the software that came with your NAS, including bundled apps, current with security updates and bug fixes. Over time, flaws are found in outdated software and your exposure grows. Use any antivirus or anti-malware scanning the NAS provides, and schedule frequent automatic scans wherever possible.
6. Forwarding Ports
Connection and communication protocols use well-known default port numbers; SSH, for instance, listens on port 22 by default. If you close port 22 on your firewall, no inbound connections are accepted on that port, which stops the automated brute-force attacks aimed at it.
You can pick any other free port and configure your firewall to forward traffic arriving on it to port 22 on your NAS's IP address, so you can still make SSH connections and the NAS sees incoming SSH requests as usual. Moving the port hides SSH from scanners that only try the default, but it is no substitute for strong authentication: set up SSH keys for secure, password-free SSH logins.
7. IP Blocking
Most NAS devices can be set to block an IP address automatically after a certain number of failed connection attempts. Turn on automatic IP blocking if your NAS supports it.
Geoblocking blocks any connection from an IP address in a range allocated to a particular country or region. It is useful because it is easy to block whole countries from which you know no legitimate connection request will ever come. If your NAS does not support geoblocking, check your firewall; a recent model may offer it.
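To show what the automatic IP blocking and geoblocking described in this section actually do, here is an added Python example (not code from the article or any NAS vendor) that runs a fail-ban rule over constructed sample log lines and then applies an allowlist, the ban list and geoblock ranges to incoming addresses. The log format, the 5-failures-in-10-minutes threshold and the CIDR lists are assumptions; the ranges used are documentation-only addresses.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like shape. Assumption: the NAS logs failures as
# "Failed password for <user> from <ip>"; adapt FAIL_RE to your device's real format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 nas sshd[201]: Failed password for admin from 203.0.113.7 port 51000
2024-05-01T10:00:03 nas sshd[201]: Failed password for admin from 203.0.113.7 port 51002
2024-05-01T10:00:04 nas sshd[201]: Failed password for root from 203.0.113.7 port 51003
2024-05-01T10:00:05 nas sshd[201]: Failed password for admin from 203.0.113.7 port 51004
2024-05-01T10:00:06 nas sshd[201]: Failed password for admin from 203.0.113.7 port 51005
2024-05-01T10:02:00 nas sshd[202]: Failed password for alice from 192.0.2.10 port 40000
2024-05-01T10:30:00 nas sshd[203]: Failed password for alice from 192.0.2.10 port 40001
2024-05-01T10:31:00 nas sshd[203]: Accepted publickey for alice from 192.0.2.10 port 40002
"""
FAIL_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+) port")

def find_ips_to_ban(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return the IPs with at least `max_failures` failed logins inside any `window`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            attempts[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    banned = set()
    for ip, times in attempts.items():
        times.sort()  # sliding window over the sorted timestamps
        if any(times[i + max_failures - 1] - times[i] <= window
               for i in range(len(times) - max_failures + 1)):
            banned.add(ip)
    return banned

# Assumed policy lists: ranges no legitimate login ever comes from (geoblock), and an
# allowlist for your own sites so a mistyped password at a branch can never lock it out.
GEOBLOCK = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8::/32")]
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

def connection_allowed(ip_str, banned=frozenset()):
    """Order of evaluation: allowlist, then the auto-ban list, then the geoblock ranges."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in ALLOWLIST):
        return True
    if str(ip) in banned:
        return False
    return not any(ip in net for net in GEOBLOCK)
```

In the sample, 203.0.113.7 racks up five failures in five seconds and is banned, while 192.0.2.10's two spread-out failures followed by a successful key login are left alone.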
8. Turn on SSL/TLS
If you connect to your NAS through a browser, make sure HTTPS is enabled and a valid SSL/TLS certificate is installed. You can install a certificate by following the manufacturer's instructions, which are reachable from the administrator interface. Remember that certificates you generate yourself with OpenSSL are free, although they are self-signed, so browsers will warn about them unless you add them to your trust store.
9. Employ a VPN
Most NAS devices can be reached through a Virtual Private Network (VPN) server, which carries the traffic between the two endpoints over an encrypted tunnel. Reputable NAS manufacturers support VPNs either natively or through add-on packages.