fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

QNAP Fixes Critical Bugs in QVR Video Surveillance Solution

QNAP Fixes Critical Bugs in QVR Video Surveillance Solution

Network-attached storage (NAS) maker QNAP has patched its QVR video management system against two critical-severity issues that could be exploited to run arbitrary commands.

QNAP promotes its QVR software as a professional solution that allows real-time video monitoring, recording, playback, and alarm notifications when coupled with supported IP cameras.

Total of three security issues

QNAP announced today that it fixed three command injection vulnerabilities in the QVR software for managing video surveillance, two of them receiving a critical severity score of 9.8 out of 10.

Tracked as CVE-2021-34351 and CVE-2021-34348, the pair of critical bugs could allow a remote attacker to run commands on vulnerable systems that could lead to taking full control of the device.

Apart from these two security issues, QNAP fixed another one tracked as CVE-2021-34349. It is from the same class but with a lower severity score, 7.2 out of 10.

Also Read: 5 Signs On How to Know if Ransomware is on Your Computer

The difference in severity is due to the privileges required to exploit the bugs: none are needed for the critical ones, while an attacker leveraging the high-severity issue needs high privileges.

QNAP notes that the two critical vulnerabilities affect certain products running QVR that have reached end of life (EoL). Even if the devices are no longer supported, many customers are likely still using them, prompting the company to release a software update (QVR 5.1.5 build 20210803).

“Two command injection vulnerabilities have been reported to affect certain QNAP EOL devices running QVR. If exploited, these vulnerabilities allow remote attackers to run arbitrary commands” – QNAP

It is unclear if any of the bugs are being exploited been exploited. BleepingComputer has reached out to QNAP for clarification about this and is currently awaiting a reply.

Attractive devices

Provided that the devices are used for video surveillance by businesses of various sizes (enterprise, SMB, SOHO), threat actors may be incentivized to exploit these vulnerabilities.

Earlier this year, in a campaign from what became known as Qlocker ransomware, a cybercriminal gang leveraged a vulnerability (hardcoded credentials) in QNAP NAS devices to encrypt files using the 7-Zip archive utility.

Victims, mostly consumers and small-to-medium business owners, were asked just $500 for file recovery, a very small price that many were willing to pay.

It is estimated that the actors behind Qlocker ransomware made at least $260,000 in just five days in ransoms collected from their victims.

Also Read: How COVID-19 Contact Tracing in Singapore Applies at Workplace

Back in March, hackers leaked footage after gaining access to live surveillance cameras managed by Verkada and widely used across the U.S. by big-name companies (Tesla, Equinox), healthcare clinics, prisons, and banks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us