UWAGA UWAGA !!! Security Advisory for Unauthorized QTS Update
Release date: May 12, 2017
Last updated: May 12, 2017
Bulletin ID: NAS-201705-12
Severity rating: Critical
Affected products: To be confirmed
Summary: User reports and internal research identified a recent attack that possibly exploits known vulnerabilities in earlier QTS versions. Malware is downloaded and executed, which in turn installs a QTS 4.2.5 build on the compromised system. The malware may also potentially result in unauthorized access to NAS data. As of publication time, QNAP is still investigating the incident. However, the previously-identified vulnerabilities have already been addressed in later QTS builds.
Solution: QNAP recommends that you check if the QTS version installed on your NAS has been unexpectedly changed to 4.2.5. If so, perform the following actions:
1. Install and run Malware Remover 2.1.2.
2. Manually download and install QTS 4.3.3 for your NAS (or QTS 4.2.5 if your NAS does not support QTS 4.3.3).
3. Change all user passwords.
Installing Malware Remover 2.1.2
1. Log on to QTS as administrator.
2. Open the App Center and then click the Search icon.
3. Type “Malware Remover” and then press ENTER. The Malware Remover application appears in the search results list.
4. Click Install. The application is installed.
Upgrading to Malware Remover 2.1.2 :
1. Log on to QTS as administrator.
2. Open the App Center and then click the Search icon.
3. Type “Malware Remover” and then press ENTER. The Malware Remover application appears in the search results list.
4. Click Update. A confirmation message appears.
5. Click OK. The application is updated.
Checking the Logs:
To check if Malware Remover has detected and deleted malware, go to Control Panel > System > System Logs > System Event Logs.
Manually downloading QTS:
1. Go to https://download.qnap.com.
2. Select the number of bays and model number of your NAS.
3. Under Download, click your region. The package is downloaded.
Installing QTS:
1. Log on to QTS as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Firmware Update, click Browse and then locate the installation package.
4. Click Update System. The update is installed.
Changing the Password:
1. Log on to QTS.
2. On the task bar, click [user name] > Options.
3. Under Change Password, enter the old and new passwords and then click Apply. The new password is saved.
Release date: May 12, 2017
Last updated: May 12, 2017
Bulletin ID: NAS-201705-12
Severity rating: Critical
Affected products: To be confirmed
Summary: User reports and internal research identified a recent attack that possibly exploits known vulnerabilities in earlier QTS versions. Malware is downloaded and executed, which in turn installs a QTS 4.2.5 build on the compromised system. The malware may also potentially result in unauthorized access to NAS data. As of publication time, QNAP is still investigating the incident. However, the previously-identified vulnerabilities have already been addressed in later QTS builds.
Solution: QNAP recommends that you check if the QTS version installed on your NAS has been unexpectedly changed to 4.2.5. If so, perform the following actions:
1. Install and run Malware Remover 2.1.2.
2. Manually download and install QTS 4.3.3 for your NAS (or QTS 4.2.5 if your NAS does not support QTS 4.3.3).
3. Change all user passwords.
Installing Malware Remover 2.1.2
1. Log on to QTS as administrator.
2. Open the App Center and then click the Search icon.
3. Type “Malware Remover” and then press ENTER. The Malware Remover application appears in the search results list.
4. Click Install. The application is installed.
Upgrading to Malware Remover 2.1.2 :
1. Log on to QTS as administrator.
2. Open the App Center and then click the Search icon.
3. Type “Malware Remover” and then press ENTER. The Malware Remover application appears in the search results list.
4. Click Update. A confirmation message appears.
5. Click OK. The application is updated.
Checking the Logs:
To check if Malware Remover has detected and deleted malware, go to Control Panel > System > System Logs > System Event Logs.
Manually downloading QTS:
1. Go to https://download.qnap.com.
2. Select the number of bays and model number of your NAS.
3. Under Download, click your region. The package is downloaded.
Installing QTS:
1. Log on to QTS as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Firmware Update, click Browse and then locate the installation package.
4. Click Update System. The update is installed.
Changing the Password:
1. Log on to QTS.
2. On the task bar, click [user name] > Options.
3. Under Change Password, enter the old and new passwords and then click Apply. The new password is saved.
