Security and Your NAS
There have been several high-profile and widespread attacks on network-attached storage devices. The 2021 Qlocker attack targeted QNAP devices, exploiting a vulnerability in bundled software to execute a ransomware attack. It is reported to have made the threat actors around $350,000 USD in a single month.
Perhaps in a bid to avoid detection, the Qlocker gang has closed up shop, and all related websites have been taken down.
This is a worrying trend – it means that the final wave of victims has no way to pay the ransom and acquire their decryption keys. Their only recourse is to purge their NAS and restore their data from backups.
Synology has had its fair share of exploits and attacks too. The SynoLocker ransomware was first seen in 2013 and keeps reappearing in new variants.
NAS devices are targeted because, to a cybercriminal, a NAS is as valuable a prize as a server. It’s full of valuable data. A ransomware attack is likely to be devastating for the victim. Many will pay to get their data back.
A NAS has two added benefits from the attacker’s point of view. They’re usually easier to compromise than a server, and very often, they’re not backed up. That means the victim has little option but to pay for the ransomware decryption key.
As long as the cybercriminals are still providing them, of course.
7 Best Practices to Protect Your NAS
1. Back Up Your NAS
A NAS is likely to be one of the biggest data repositories on your network. It might even be the biggest. That presents a problem in backing it up. What has the capacity to accept its backups? But if you don’t have a backup to turn to, you’re at the mercy of the cybercriminals.
Without a robust and tested backup solution in place, you’ll need to pay the ransom fee – and hope the decryption key works.
A NAS is often used to store network backups. It’s fast to back up to, and because it is local, it is fast to restore from too. But without a backup of the NAS itself, you’re exposing your organization to risk. The only sensible option for most NAS devices is off-site backup. Backing up to a cloud service is one way to accommodate high-capacity devices like a NAS.
If your organization manages different branches or sites, they can be organized to back up to each other, providing they have the capacity and your infrastructure can handle the bandwidth.
Establish and adhere to a backup test schedule. Periodically verify that your backups can be relied on. You need to know they’re being made when they’re supposed to be. They must be stored safely and without degradation or corruption.
Your backups must be accessible on-demand and capable of restoring your data rapidly and verbatim.
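As an added example (not code from the article), the Python script below shows what a "rapid and verbatim" restore test looks like in practice: hash every file before the backup runs, then compare the restored tree against that manifest so the test catches silent corruption and files the job never copied. The directory layout and the two simulated faults are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Added example, not from the article: a backup test that proves a restore is
# verbatim. Hash every file before backup, then compare the restored copy.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Report files that are missing, changed, or unexpected in the restored tree."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "corrupt": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "extra": sorted(k for k in restored if k not in manifest),
    }

def demo() -> dict:
    """Constructed scenario: source tree, backup copy, then two faults on the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp, "nas"), Path(tmp, "backup")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly figures\n")
        (src / "db.sqlite").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(src)
        shutil.copytree(src, backup)
        # Simulated bit rot on the backup medium: one byte flipped in db.sqlite.
        (backup / "db.sqlite").write_bytes(b"\x00" * 4095 + b"\x01")
        # Simulated incomplete backup job: one file never copied.
        (backup / "docs" / "report.txt").unlink()
        return verify_restore(manifest, backup)

if __name__ == "__main__":
    print(demo())
```

Run it against a real restore by calling `build_manifest` on the NAS share before the backup job and `verify_restore` on the restored copy; any non-empty list means the backup cannot be relied on.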
2. Change Default Passwords
Change all of the default passwords on your NAS. Not doing so is the equivalent of leaving your premises unlocked and unattended all night. You simply wouldn’t do that.
For the same reasons, change your default passwords.
Change the password for the default admin account and for any other account that permits someone to log in or connect to your NAS, such as an SSH account. Make your passwords robust and unique. Three unrelated words joined by punctuation symbols or numbers is a good template to adopt.
Most NAS devices allow you to create a new user and allocate administrator rights to them. Doing so and removing the administrator rights from the default admin account – or removing the default admin account altogether – is a particularly thorough technique.
The attacker’s malware will not be able to use brute force methods against the default administration account, and it won’t know the name of your actual administration account.
3. Use Two-Factor Authentication
If it is supported on your device, activate two-factor authentication. This requires you to use a secure USB key or a registered smartphone application to receive or generate tokens or codes for each login attempt. The tokens or codes are used in addition to your user account ID and password (things you know) to provide another form of identification (something you have).
With two-factor authentication enabled, your user account ID and password are insufficient to gain access to your account. Even if your user credentials are compromised, an attacker cannot access your account.
4. Disable Unused Apps and Services
Modern NAS devices come ready and loaded with a suite of tools and applications. The more software you have running, the bigger your attack surface is. And, of course, some of that software will have its own vulnerabilities. The Qlocker malware exploited a vulnerability in the QNAP multimedia management software.
Synology’s Package Center allows you to install WordPress onto your Synology NAS. Unpatched and out-of-date WordPress deployments are notoriously insecure.
Disable anything that you’re not using. In particular, disable FTP, telnet, Wi-Fi Protected Setup (WPS), and SSH if you’re not using it. Also, look through the applications that come bundled with the NAS, and disable or uninstall anything that you’re not using.
Even if you’ve never used them, they may have services or daemons running that accept connections and may contain vulnerabilities.
5. Patch Your NAS and Software
Ensure that your NAS system, its firmware, and any bundled software that you’re still using are patched up to date with security patches and bug fix releases. Outdated software will harbor vulnerabilities and will increasingly expose you to risk as time goes by.
Make use of any anti-malware or antivirus scanning capabilities your NAS may have. Where possible, schedule automatic scans to happen regularly.
6. Ensure Safe Remote Connectivity
If your NAS must be exposed to the Internet to allow remote connection, consider the following steps and apply those that suit your setup.
Communication and connection protocols use default port numbers. For example, the default SSH port is port 22. Closing port 22 on your firewall will prevent any connections from being accepted on that port. This will avoid brute-force attacks.
So that you can still make SSH connections, you can pick any other available port and have traffic that arrives on that port forwarded by your firewall to the IP address of your NAS, on port 22. Your NAS will be able to pick up incoming SSH connection requests as normal.
Ideally, set up SSH keys for secure and passwordless SSH connections.
Your NAS will probably have the ability to automatically block IP addresses that have made a specified number of incorrect connection attempts. If your NAS supports automatic IP blocking, turn it on.
Geoblocking is a form of IP blocking that prevents any kind of connection from an IP address that falls within the IP address ranges allocated to countries or regions. This is useful because you can easily blacklist entire countries from which you know there’ll never be a valid connection request.
If your NAS doesn’t support geoblocking, check your firewall. If it is a current model, it might have geoblocking capabilities.
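An added example, not code from the article or from any NAS vendor, showing the two blocking rules just described in Python: automatic blocking of a source IP after repeated failed logins within a time window, and geoblocking as a plain range check. The sshd log lines, the threshold and the blocked range are constructed assumptions for the demo; a real geoblock list would come from a country-to-CIDR feed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the article: the failed-login threshold and the
# geoblock range check, run over constructed sshd log lines.

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)

# Constructed sample: one host hammers the default admin account, another is a single typo.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for admin from 203.0.113.7 port 51010 ssh2
2024-05-01T10:00:03 sshd[812]: Failed password for admin from 203.0.113.7 port 51011 ssh2
2024-05-01T10:00:05 sshd[813]: Failed password for invalid user root from 203.0.113.7 port 51012 ssh2
2024-05-01T10:00:09 sshd[814]: Failed password for admin from 203.0.113.7 port 51013 ssh2
2024-05-01T10:00:12 sshd[815]: Failed password for admin from 203.0.113.7 port 51014 ssh2
2024-05-01T10:02:00 sshd[816]: Failed password for alice from 192.0.2.44 port 40022 ssh2
2024-05-01T10:02:30 sshd[817]: Accepted publickey for alice from 192.0.2.44 port 40023 ssh2
"""

def ips_to_block(log_text: str, max_failures: int = 5, window: timedelta = timedelta(minutes=10)) -> set:
    """Return source IPs with at least max_failures failed logins inside any `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    blocked = set()
    for ip, times in failures.items():
        times.sort()
        # Sliding window: compare each failure with the one (max_failures - 1) before it.
        for i in range(max_failures - 1, len(times)):
            if times[i] - times[i - max_failures + 1] <= window:
                blocked.add(ip)
                break
    return blocked

def is_geoblocked(ip: str, blocked_ranges) -> bool:
    """Geoblocking is IP blocking by range: true if ip falls inside any blocked CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in blocked_ranges)

# Assumption: a range taken from a country feed; this is a documentation prefix, not a real country.
BLOCKED_RANGES = ["198.51.100.0/24"]
```

The single failed attempt from 192.0.2.44 followed by a successful key login is exactly the legitimate typo a sensible threshold should not block.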
If you can connect to your NAS from a browser, make sure you have enabled the HTTPS encrypted protocol and that you have a valid SSL/TLS certificate installed. The manufacturer of your NAS will provide a set of instructions telling you how to obtain and install an SSL/TLS certificate from within the administration management interface of your device.
It’s worth noting that a certificate generated with OpenSSL is free.
Use a VPN
Most NAS devices support VPN servers allowing you to connect to them over a Virtual Private Network connection. These use an encrypted tunnel for the communication between the two endpoints of the connection.
Well-known NAS brands support VPNs either directly or through the use of add-ons.
Denial of Service Protection
Enabling denial of service protection is often as simple as ticking a checkbox in the settings of your NAS.
7. Don’t Forget Your Network
Your NAS is on your network, so the security of your network impacts the security of your NAS. Make sure your router, firewall, and other network appliances are current, well-configured with new passwords, and they’re patched up to date.
And, of course, a lot of your security worries will disappear if your NAS isn’t exposed to the internet at all. Unless it is imperative, don’t expose your NAS to the outside world.