fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

QNAP Fixes Bug That Let Attackers Run Malicious Commands Remotely

QNAP Fixes Bug That Let Attackers Run Malicious Commands Remotely

Taiwan-based network-attached storage (NAS) maker QNAP has released security patches for multiple vulnerabilities that could allow attackers to inject and execute malicious code and commands remotely on vulnerable NAS devices.

Three of the security flaws fixed today by QNAP are high severity stored cross-site scripting (XSS) vulnerabilities (tracked as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18).

QNAP also patched a stored XSS Image2PDF flaw impacting devices running software versions released before Image2PDF 2.1.5.

Also Read: Cost of GDPR Compliance for Singapore Companies

Stored XSS attacks allow threat actors to inject malicious code remotely, permanently storing it on the targeted servers following successful exploitation.

The company also addressed a command injection bug (CVE-2021-34352) affecting some QNAP end-of-life (EOL) devices running the QVR IP video surveillance software that helps attackers run arbitrary commands.

Successful attacks exploiting the CVE-2021-34352 flaw could lead to the complete takeover of compromised NAS devices.

Three other QVR flaws were also patched on Monday, as disclosed by QNAP in a security advisory rated with a critical severity rating.

How to secure your NAS device

Given that QNAP NAS devices have been under a constant barrage of attacks the last couple of years, customers should immediately update both apps to the latest available releases as soon as possible.

To update Photo Station or Image2PDF to the latest version on your NAS, you need to go through the following procedure:

  1. Log into QTS or QuTS hero as administrator.
  2. Open the App Center, and then click . A search box appears.
  3. Type “Photo Station” or “Image2PDF” and then press ENTER. The application appears in the search results.
  4. Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
  5. Click OK. The application is updated.

 To update the QVR surveillance software, follow these steps:

  1. Log on to QVR as administrator.
  2. Go to Control Panel > System Settings > Firmware Update.
  3. Under Live Update, click Check for Update. QVR downloads and installs the latest available update.

QNAP warned in September 2020 of a surge in ransomware attacks encrypting files on publicly exposed NAS storage devices.

Also Read: 7 Key Principles of Privacy by Design that Businesses should adopt

As BleepingComputer reported at the time, QNAP customers’ devices were being hit by AgeLocker ransomware which was targeting older unpatched versions of Photo Station, an app used to upload photos, create albums, and view them remotely.

QNAP also warned of eCh0raix ransomware attacks attempting to exploit flaws in the Photo Station app starting with June 2020.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us