"Thousands of QNAP NAS Devices Hit by DeadBolt Ransomware (CVE-2022-27593)"

QNAP Systems has released additional information about the latest DeadBolt ransomware campaign targeting users of its Network-Attached Storage (NAS) devices, as well as the vulnerability exploited by the attackers. CVE-2022-27593 stems from an externally controlled reference that resolves to a resource outside of the intended control sphere, and it affects the widely used Photo Station application. The flaw enables attackers to modify system files and, eventually, install and deploy ransomware. According to its entry in the National Vulnerability Database (NVD), it can be exploited by remote, unauthenticated attackers without any user interaction, and the attack complexity is said to be low. Jacob Baines, a security researcher, published an entry on the AttackerKB database and public forum detailing their analysis of the Photo Station patch provided by QNAP, giving insight into some of the specifics of the vulnerability.

The company did not specify how many devices were affected by the latest DeadBolt campaign, but Censys detected a significant increase in infections in early September. New DeadBolt infections appear to arrive at a relatively consistent pace: according to Censys senior security researcher Mark Ellzey, there seem to be seven to twelve days between each campaign. Instead of encrypting the entire device, which would effectively take it offline, the ransomware only encrypts specific backup directories and takes over the web administration interface with an informational message explaining how to remove the infection. This article continues to discuss new information regarding the latest DeadBolt ransomware campaign targeting users of QNAP NAS devices.

Help Net Security reports "Thousands of QNAP NAS Devices Hit by DeadBolt Ransomware (CVE-2022-27593)"
