Hackers Actively Exploiting Vulnerability to Deploy Mirai Malware

Hackers exploit QNAP devices because they often have known vulnerabilities or misconfigurations that can be exploited for unauthorized access.

Besides this, QNAP devices store valuable data, which makes them lucrative targets for threat actors seeking to:-

• Compromise sensitive information
• Deploy ransomware
• Deploy malware

Recently, cybersecurity researchers at Akamai during InfectedSlurs research identified that hackers are actively exploiting the QNAP VioStor NVR (network video recorder) vulnerability to deploy “Mirai” malware.

QNAP VioStor NVR Vulnerability

The vulnerability has been tracked as CVE–2023-47565 and marked as a “High” severity flaw with a CVSS v3 score of 8.0.

NVR is a high-performance network surveillance solution for IP cameras and this high severity vulnerability poses risks to:-

• Video recording
• Playback
• Remote data access

The authenticated attacker exploits the OS command injection via a POST request to the management interface with the help of this vulnerability. 

Besides this, the vulnerability leverages the device’s default credentials in the current configuration.

Here below, we have mentioned all the affected versions of QNAP VioStor NVR firmware:-

• VioStor NVR: Versions 5.0.0 and earlier (5.0.0 released June 21, 2014)

QNAP advises upgrading VioStor firmware on unsupported devices and changing default passwords. 

A previously patched issue, undisclosed, was found during the InfectedSlurs campaign. Confirming zero-day status was challenging due to unattributed exploits in the absence of device or manufacturer linkage.

SIRT identifies QNAP VioStor NVR devices as the target of the exploit. Weak default credentials, coupled with OS command injection vulnerabilities in NTP settings, affect the following devices:-

After collaboration with US-CERT and QNAP, confirmation is received that only retired VioStor versions (5.0.0 or earlier) are targeted through a POST request to /cgi-bin/server/server.cgi, exploiting a remote code execution vulnerability.

Flaw Profile

• CVE ID: CVE-2023-47565
• Release date: December 9, 2023
• Affected products: QVR Firmware 4.x
• Summary: An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
• Severity: High
• CVSS v3 score: 8.0
• Status: Resolved

Default credentials and old network systems invite botnet infections. Legacy systems are breeding grounds for new vulnerabilities, which highlights the need for better IoT practices. 

Moreover, for both consumers and manufacturers, awareness is important, and not only that even for system safety must have:-

• Longer software support
• Robust security measures

Recommendations

Here below, we have mentioned all the recommendations provided by the security analysts:-

• Make sure to apply strong passwords for all user accounts.
• Keep updated the QVR to the latest version.
• Implement robust security policies and solutions.