Skip to content
Join Censys for a Threat Hunting Workshop & Happy Hour! | April 17 at City Winery in Philadelphia | Register Now
Blogs

CVE-2022-27596: The Next Ransomware Target?

On January 30th, 2023, information emerged about a new vulnerability that targets QNAP devices. Although there is little information about the vulnerability details, we know that it affects QNAP QTS devices running versions less than 5.0.1.2234 and QuTS Hero versions less than “h5.0.1.2248” and was fixed with QTS version 5.0.1.2234 and QuTS Hero h5.0.1.2248. This is currently tracked as CVE-2022-27596.

We also know that if the exploitation is successful, an attacker can “inject malicious code”; QNAP has deemed this a critical vulnerability with a low attack complexity, no authentication required, and it can be exploited remotely. We also know that the Common Weakness Enumerator (CWE) it was assigned is “CWE-89”: Improper Neutralization of Special Elements used in an SQL Command (or SQL injection).

What we know right now:

  • It is a SQL injection vulnerability
  • Trivial to exploit
  • It does not require authentication

We’ve discussed problems with QNAP regarding the Deadbolt Ransomware campaigns, which at their height had infected over 20,000 devices and successfully stolen just under $200,000 from victims. And while there are no indications that bad actors are using this new exploit, the threat is definitely on the horizon.

Given that the Deadbolt ransomware is geared to target QNAP NAS devices specifically, it’s very likely that if an exploit is made public, the same criminals will use it to spread the same ransomware again.

Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts. But, if the advisory is correct, over 98% of identified QNAP devices would be vulnerable to this attack. We found that of the 30,520 hosts with a version, only 557 were running QuTS Hero greater than or equal to “h5.0.1.2248” or QTS greater than or equal to “5.0.1.2234”, meaning 29,968 hosts could be affected by this vulnerability.

If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users. Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns.

Top Ten Countries

Below is a summary of the top ten countries with hosts running versions of QNAP that are deemed vulnerable to CVE-2022-27596. Most of these hosts reside in the United States (3,271 total, 3,149 vulnerable) and Italy (3,239 total, 3,200 vulnerable).

 

Country Total Hosts Non-Vulnerable Hosts Vulnerable Hosts
United States 3,271 122 3,149
Italy 3,239 39 3,200
Taiwan 1,951 9 1,942
Germany 1,901 20 1,881
Japan 1,748 34 1,714
France 1,527 69 1,458
Hong Kong 1,425 3 1,422
South Korea 1,313 2 1,311
United Kingdom 1,167 10 1,157
Poland 1,001 17 984

Top Ten Autonomous Systems

Top 10 Autonomous Systems

Autonomous System Total Non-Vulnerable Hosts Vulnerable Hosts
HINET Data Communication 1,404 6 1,398
ASN-IBSNAZ 1,073 11 1,062
DTAG Internet 996 15 981
COMCAST-7922 893 27 866
KIXS-AS-KR 732 1 731
VODAFONE-IT-ASN 618 1 617
HKTIMS-AP HKT 574 2 572
France Telecom – Orange 538 37 501
TNF-AS 520 3 517
VODANET 508 1 507

Top Ten Vulnerable QNAP Versions Observed

Below is a run-down of the top ten vulnerable versions of the QNAP software we observed on the internet using an auxiliary scan. We used the QNAP advisory (QSA-23-01) to determine these versions, and it states the following are vulnerable:

  • QTS versions less than 5.0.1.2234
  • QuTS Hero versions less than h5.0.1.2248
Version Host Count
5.0.0 7.383
4.3.3 6,993
4.3.6 4,777
4.3.4 4,234
4.2.6 1,493
4.5.2 910
4.5.1 838
4.4.3 747
4.4.1 701
4.3.5 676

What can be done?

About the Author

Mark Ellzey
Senior Security Researcher All posts by Mark Ellzey
Mark Ellzey is a Senior Security Researcher at Censys. Before his current role, Mark has worked as both a network security engineer and software developer for several internet service providers and financial institutions for over 22 years.

Similar Content

Back to Resources Hub
Attack Surface Management Solutions
Learn more