www.cert.govt.nz Open in urlscan Pro
45.60.15.134  Public Scan

URL: https://www.cert.govt.nz/it-specialists/advisories/qnap-and-asustor-nas-vulnerabilities-exploited-to-deploy-ransomware/
Submission: On June 09 via api from IN — Scanned from NZ

Form analysis 3 forms found in the DOM

https://www.cert.govt.nz/search

<form action="https://www.cert.govt.nz/search" role="search" class="searchform--menu">
  <div class="searchform--menu-holder"><label for="searchterm" class="sr-only">Enter your search term</label> <input type="search" id="searchterm" name="searchterm" value="" placeholder="Enter your search term" autocapitalize="off" autocomplete="off"
      autocorrect="off" data-search-securityid="b8b2a74462ac98330550f1c7859492e7a42d638a" class="searchform-input"> <button type="submit" aria-label="Search Cert" class="searchform-submitbutton"><span class="sr-only">Search</span></button></div>
</form>

POST /it-specialists/advisories/qnap-and-asustor-nas-vulnerabilities-exploited-to-deploy-ransomware/Cert\Forms\FeedbackForm/

<form id="FeedbackForm_Cert_Forms_FeedbackForm" action="/it-specialists/advisories/qnap-and-asustor-nas-vulnerabilities-exploited-to-deploy-ransomware/Cert\Forms\FeedbackForm/" method="POST" enctype="application/x-www-form-urlencoded"
  class="feedback-form">
  <p id="FeedbackForm_Cert_Forms_FeedbackForm_error" class="message " style="display: none"></p>
  <fieldset>
    <div id="FeedbackForm_Cert_Forms_FeedbackForm_Rating_Holder" class="field optionsetfieldfeedback feedback-field--rating">
      <label class="left">Was this helpful?</label>
      <div class="middleColumn">
        <ul class="optionsetfieldfeedback feedback-field--rating" id="FeedbackForm_Cert_Forms_FeedbackForm_Rating" aria-label="Rate this page from 1 to 5.">
          <li class="odd val1">
            <input id="FeedbackForm_Cert_Forms_FeedbackForm_Rating_1" class="radio" name="Rating" type="radio" value="1">
            <label for="FeedbackForm_Cert_Forms_FeedbackForm_Rating_1">1</label>
          </li>
          <li class="even val2">
            <input id="FeedbackForm_Cert_Forms_FeedbackForm_Rating_2" class="radio" name="Rating" type="radio" value="2">
            <label for="FeedbackForm_Cert_Forms_FeedbackForm_Rating_2">2</label>
          </li>
          <li class="odd val3">
            <input id="FeedbackForm_Cert_Forms_FeedbackForm_Rating_3" class="radio" name="Rating" type="radio" value="3">
            <label for="FeedbackForm_Cert_Forms_FeedbackForm_Rating_3">3</label>
          </li>
          <li class="even val4">
            <input id="FeedbackForm_Cert_Forms_FeedbackForm_Rating_4" class="radio" name="Rating" type="radio" value="4">
            <label for="FeedbackForm_Cert_Forms_FeedbackForm_Rating_4">4</label>
          </li>
          <li class="odd val5">
            <input id="FeedbackForm_Cert_Forms_FeedbackForm_Rating_5" class="radio" name="Rating" type="radio" value="5">
            <label for="FeedbackForm_Cert_Forms_FeedbackForm_Rating_5">5</label>
          </li>
        </ul>
      </div>
    </div>
    <div id="FeedbackForm_Cert_Forms_FeedbackForm_Message_Holder" class="field textarea feedback-field--message">
      <label class="left" for="FeedbackForm_Cert_Forms_FeedbackForm_Message">Additional feedback</label>
      <div class="middleColumn">
        <textarea name="Message" class="textarea feedback-field--message" id="FeedbackForm_Cert_Forms_FeedbackForm_Message" placeholder="Please describe" rows="1" cols="20"></textarea>
      </div>
    </div>
    <input type="hidden" name="SecurityID" value="b8b2a74462ac98330550f1c7859492e7a42d638a" class="hidden" id="FeedbackForm_Cert_Forms_FeedbackForm_SecurityID">
    <div class="clear"><!-- --></div>
  </fieldset>
  <div class="btn-toolbar">
    <input type="submit" name="action_submitfeedback" value="Submit" class="action feedback-submit pure-button pure-button--secondary" id="FeedbackForm_Cert_Forms_FeedbackForm_action_submitfeedback">
  </div>
</form>

POST /it-specialists/advisories/qnap-and-asustor-nas-vulnerabilities-exploited-to-deploy-ransomware/SubscriptionForm/

<form id="Form_SubscriptionForm" action="/it-specialists/advisories/qnap-and-asustor-nas-vulnerabilities-exploited-to-deploy-ransomware/SubscriptionForm/" method="POST" enctype="application/x-www-form-urlencoded" class="subscription-form">
  <p id="Form_SubscriptionForm_error" class="message " style="display: none"></p>
  <fieldset>
    <legend>Subscribe to updates</legend>
    <h2 id="Form_SubscriptionForm_SubscribeTitle">Subscribe to CERTNZ</h2>
    <div id="Form_SubscriptionForm_Name_Holder" class="field text">
      <label class="left" for="Form_SubscriptionForm_Name">Name</label>
      <div class="middleColumn">
        <input type="text" name="Name" class="text" id="Form_SubscriptionForm_Name" required="required" aria-required="true" placeholder="e.g. Tim Berners-Lee">
      </div>
    </div>
    <div id="Form_SubscriptionForm_Email_Holder" class="field email text">
      <label class="left" for="Form_SubscriptionForm_Email">Email</label>
      <div class="middleColumn">
        <input type="email" name="Email" class="email text" id="Form_SubscriptionForm_Email" required="required" aria-required="true" placeholder="name@example.co.nz">
      </div>
    </div>
    <p class="subscription-options-intro">Subscribe to</p>
    <div id="Form_SubscriptionForm_SubscriptionOption_1_Holder" class="field checkbox">
      <input type="checkbox" name="SubscriptionOption_1" value="1" class="checkbox" id="Form_SubscriptionForm_SubscriptionOption_1">
      <label class="right" for="Form_SubscriptionForm_SubscriptionOption_1">Online security alerts and information for individuals and businesses </label>
      <span class="description">Alerts about the latest cyber security threats, plus information to help you or your business stay secure online. </span>
    </div>
    <div id="Form_SubscriptionForm_SubscriptionOption_4_Holder" class="field checkbox">
      <input type="checkbox" name="SubscriptionOption_4" value="1" class="checkbox" id="Form_SubscriptionForm_SubscriptionOption_4">
      <label class="right" for="Form_SubscriptionForm_SubscriptionOption_4">Technical advisories for cyber security professionals </label>
      <span class="description">Advisories and guidance for information security specialists about current cyber security threats, vulnerabilities, and how to mitigate their impact.</span>
    </div>
    <div id="Form_SubscriptionForm_SubscriptionOption_10_Holder" class="field checkbox">
      <input type="checkbox" name="SubscriptionOption_10" value="1" class="checkbox" id="Form_SubscriptionForm_SubscriptionOption_10">
      <label class="right" for="Form_SubscriptionForm_SubscriptionOption_10">Get Cyber Smart campaign updates</label>
      <span class="description">Get Cyber Smart is our awareness campaign for individuals and small to medium businesses. Subscribe to find out about the latest Get Cyber Smart campaigns including our annual Cyber Smart Week event in October. </span>
    </div>
    <div id="Form_SubscriptionForm_SubscriptionOption_7_Holder" class="field checkbox">
      <input type="checkbox" name="SubscriptionOption_7" value="1" class="checkbox" id="Form_SubscriptionForm_SubscriptionOption_7">
      <label class="right" for="Form_SubscriptionForm_SubscriptionOption_7">CERT NZ quarterly insights </label>
      <span class="description">Our quarterly newsletter provides an update and analysis of the latest reporting numbers along with recent cyber security insights and CERT NZ news.</span>
    </div>
    <input type="hidden" name="SecurityID" value="b8b2a74462ac98330550f1c7859492e7a42d638a" class="hidden" id="Form_SubscriptionForm_SecurityID">
    <div id="Form_SubscriptionForm_Captcha_Holder" class="field customnocaptcha">
      <label class="left" for="Form_SubscriptionForm_Captcha">Spam protection</label>
      <div class="middleColumn">
        <div class="g-recaptcha" id="Nocaptcha-Form_SubscriptionForm_Captcha" data-sitekey="6LcYO4sdAAAAAIj3j8p4eenV-xpuK9RrIxpNTiRL" data-theme="light" data-type="image" data-size="normal" data-form="Form_SubscriptionForm" data-badge=""
          data-widgetid="0">
          <div style="width: 304px; height: 78px;">
            <div><iframe title="reCAPTCHA"
                src="https://www.google.com/recaptcha/api2/anchor?ar=1&amp;k=6LcYO4sdAAAAAIj3j8p4eenV-xpuK9RrIxpNTiRL&amp;co=aHR0cHM6Ly93d3cuY2VydC5nb3Z0Lm56OjQ0Mw..&amp;hl=en&amp;type=image&amp;v=Xh5Zjh8Od10-SgxpI_tcSnHR&amp;theme=light&amp;size=normal&amp;cb=ju25qd7i"
                width="304" height="78" role="presentation" name="a-8rbuv3w8s95s" frameborder="0" scrolling="no"
                sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox"></iframe></div><textarea id="g-recaptcha-response" name="g-recaptcha-response"
              class="g-recaptcha-response" style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"></textarea>
          </div><iframe style="display: none;"></iframe>
        </div>
        <noscript>
          <p>You must enable JavaScript to submit this form</p>
        </noscript>
      </div>
      <span class="description">Please tick the box to prove you're a human and help us stop spam.</span>
    </div>
    <div class="clear"><!-- --></div>
  </fieldset>
  <div class="btn-toolbar">
    <button type="submit" name="action_doSubscribe" value="Subscribe" class="action pure-button subscription-subscribe" id="Form_SubscriptionForm_action_doSubscribe">
      <span>Subscribe</span>
    </button>
  </div>
</form>

Text Content

FIND OUT HOW TO MAKE YOUR BUSINESS MORE SECURE WITH TWO STEPS... TOO EASY!



Dismiss
Skip to main content
Audience selector Select audience

Subscribe to updates
Follow us on Twitter on Facebook on LinkedIn
Enter your search term Search
Open menu
Return to homepage
 * Guides
 * Critical controls
 * Advisories
 * News & Events
 * Report an incident

Subscribe to updates
Follow us on Twitter on Facebook on LinkedIn
 1. Home
 2. IT specialists
 3. Advisories
 4. QNAP and Asustor NAS vulnerabilities exploited to deploy ransomware


ADVISORIES

Our advisories highlight current cyber security threats and vulnerabilities in
New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates above to be notified as soon as we publish an advisory.

7:45pm, 22 February 2022

TLP Rating: Clear


QNAP AND ASUSTOR NAS VULNERABILITIES EXPLOITED TO DEPLOY RANSOMWARE

Vulnerabilities in QNAP and Asustor Network Attached Storage (NAS) devices are
being actively exploited to deploy ransomware. The encrypted files have a
‘.deadbolt’ extension.

QNAP has released updates for the affected software. CERT NZ advises all
organisations with QNAP NAS devices to update and then apply all other software
updates.


WHAT'S HAPPENING


SYSTEMS AFFECTED

Both QNAP and Asustor NAS devices are being actively targeted by attackers
intending to deploy ransomware.

QNAP NAS devices that are internet exposed and running QTS and QuTS operating
systems, or add-ons with the following versions are affected:

 * QTS 5.0.0.1891 build 20211221 and later
 * QTS 4.5.4.1892 build 20211223 and later
 * QuTS hero h5.0.0.1892 build 20211222 and later
 * QuTS hero h4.5.4.1892 build 20211223 and later
 * QuTScloud c5.0.0.1919 build 20220119 and later

Asustor devices that are internet exposed and running ADM operating systems
including, but not limited to, the following models:

 * AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, AS1104T


WHAT TO LOOK FOR


HOW TO TELL IF YOU'RE AFFECTED

To discover whether you have Deadbolt ransomware on your system, users can log
in to the QNAP or Asustor NAS and run the following command to find all files
with the .deadbolt extension:

sudo find / -type f -name "*.deadbolt".


WHAT TO DO


MITIGATION

If you have not been breached and still need to have the NAS running, make sure
the following has been done:

 1. For Asustor devices disable EZ-Connect (service for remote access).
 2. Disable SSH.
 3. Ensure that the device is not exposed to the internet, particularly the web
    interface or file shares.
 4. If the device is clear of ransomware, update the operating system and all
    installed add-ons.
 5. If in doubt, contact your local technical support for further advice.

If you have been compromised with ransomware, do not update your NAS device
until it is clean of ransomware.


MORE INFORMATION

 * Further information from the community on the Asustor vulnerability and
   mitigation advice. External Link
 * Further information on the QNAP vulnerability and mitigation advice External
   Link .
 * CERT NZ Critical control: Securing Internet Exposed Services External Link
 * Protect Yourself from Deadbolt External Link

If you require more information or further support, submit a report on our
website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ External Link

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE
media team on 027 442 2141.

Was this helpful?
 * 1
 * 2
 * 3
 * 4
 * 5

Additional feedback





FOOTER

 * About us
 * Quarterly reports
 * Contact us
 * Traffic light protocol
 * Resources
 * Phishing Disruption Service™

Follow us

on Twitter on Facebook on LinkedIN
 * © 2023 CERTNZ
 * Copyright
 * Disclaimer
 * Privacy and information statement

Te Kāwanatanga o Aotearoa New Zealand Government


>GLOSSARY TERM






Subscribe to updates


SUBSCRIBE TO CERTNZ

Name

Email


Subscribe to

Online security alerts and information for individuals and businesses Alerts
about the latest cyber security threats, plus information to help you or your
business stay secure online.
Technical advisories for cyber security professionals Advisories and guidance
for information security specialists about current cyber security threats,
vulnerabilities, and how to mitigate their impact.
Get Cyber Smart campaign updates Get Cyber Smart is our awareness campaign for
individuals and small to medium businesses. Subscribe to find out about the
latest Get Cyber Smart campaigns including our annual Cyber Smart Week event in
October.
CERT NZ quarterly insights Our quarterly newsletter provides an update and
analysis of the latest reporting numbers along with recent cyber security
insights and CERT NZ news.
Spam protection

You must enable JavaScript to submit this form

Please tick the box to prove you're a human and help us stop spam.

Subscribe