Researchers from the Chinese company Qihoo 360 warn that cybercriminals are still exploiting a vulnerability in the firmware of Qnap devices that was fixed back in 2017.
The vulnerability lets attackers abuse the authLogout.cgi executable without prior authentication. The root of the problem is insufficient sanitization of input data (special characters are not filtered out), which lets an attacker reach a system() call that launches a shell, inject commands, and ultimately achieve remote execution of arbitrary code.
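The pattern described above, as an added illustration that is not Qnap's code and not taken from the Qihoo 360 report: a hypothetical CGI handler splices an untrusted request value into a command line and hands it to system(), so a shell metacharacter such as ";" turns one intended command into two. The hardened version rejects anything outside a strict allowlist and, when a helper must be run, passes the value as an argv element via execvp() so no shell ever parses it. The helper program name (/sbin/session_cleanup), the parameter meaning and the sample values are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical CGI logic modelled on the flaw class in the article: an
 * untrusted request value becomes part of a shell command line. The helper
 * path and parameter semantics are invented for illustration. */

/* VULNERABLE: the caller's value is copied into the command string as-is,
 * so /bin/sh interprets any metacharacters (; | & $ ` < > ...) it contains.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_logout_command_unsafe(const char *sid, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/sbin/session_cleanup %s", sid);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Returns 1 if the value contains a character /bin/sh treats specially,
 * i.e. if passing it through system() could run more than one command. */
int contains_shell_metachar(const char *s) {
    return strpbrk(s, ";|&$`<>(){}\n\\\"'") != NULL;
}

/* Builds the unsafe command line for a value and reports whether the
 * resulting string is injectable (1), clean (0), or could not be built (-1). */
int unsafe_command_is_injectable(const char *sid) {
    char cmd[256];
    if (build_logout_command_unsafe(sid, cmd, sizeof cmd) != 0) return -1;
    return contains_shell_metachar(cmd);
}

/* HARDENED, step 1: strict allowlist instead of "escaping". A session id is
 * expected to be short and alphanumeric; anything else is rejected. */
int validate_session_id(const char *sid) {
    size_t len = strlen(sid);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        if (!isalnum((unsigned char)sid[i])) return 0;
    }
    return 1;
}

/* HARDENED, step 2: never go through the shell. The value is passed as a
 * single argv element to execvp(), so it can only ever be argv[1] of the
 * helper, never a second command. Returns the child's exit status or -1. */
int run_without_shell(const char *program, const char *arg) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)program, (char *)arg, NULL };
        execvp(program, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *benign   = "a1b2c3";       /* constructed sample value */
    const char *injected = "a1b2c3;id";    /* constructed: ";" starts a 2nd command */
    char cmd[256];

    build_logout_command_unsafe(injected, cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd); /* system() would also run "id" */

    printf("validate(%s) = %d\n", benign, validate_session_id(benign));
    printf("validate(%s) = %d\n", injected, validate_session_id(injected));

    /* Even if validation were skipped, execvp() hands the whole value to the
     * program as one argument; "echo" stands in for the helper here. */
    return run_without_shell("echo", injected) == 0 ? 0 : 1;
}
```

Rejecting bad input is the primary fix; switching from system() to an argv-based exec is defence in depth, because it removes the shell parser from the path entirely and so also covers characters an allowlist author forgot.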
Back in May of this year, the researchers contacted Qnap's developers to report the problem they had found. On August 12 (three months later) they were finally told that the company had fixed this vulnerability long ago, and that it is simply still possible to find devices that have not been patched. As it turned out, Qnap engineers fixed the vulnerability in firmware version 4.3.3, released on July 21, 2017.
According to Qihoo 360's analysis, the attackers behind these attacks have not fully automated the hacking process; some parts of it are done manually. However, the researchers were unable to establish the hackers' ultimate goal. It is only known that the attackers deploy two payloads to infected devices, one of which is a reverse shell (TCP port 1234).
The researchers remind owners of Qnap devices to install updates on time. In the company's blog you can find a list of vulnerable firmware versions, as well as indicators of compromise, including the IP addresses of the attackers' scanner and downloader.