QNAP has unveiled two critical zero-day vulnerabilities present in its legacy model TS-231 network attached storage devices and a number of other non-legacy NAS hardware, according to Threatpost. The company said the bugs can be addressed immediately on its non-legacy NAS devices through patches, while a patch for the TS-231 model is scheduled for release over the next few weeks. The bugs, which are designated CVE-2020-2509 and CVE-2021-36195, enable threat actors to perform remote unauthenticated attacks and manipulate data stored on the affected devices. Researchers from SAM Seamless network disclosed the bugs to the public last Wednesday after notifying QNAP of them and providing a four-month grace period for the company to provide a fix. The researchers declined to make public the full technical details of the vulnerabilities due to the possibility of their causing severe harm to QNAP devices that are currently affected, which number in the tens of thousands.
Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.
Washington, D.C.'s Department of Insurance, Securities and Banking has disclosed that 800GB of data claimed to have been stolen by the LockBit ransomware operation was obtained from an attack against third-party software provider Tyler Technologies following the ransomware gang's threats to expose 1GB of the exfiltrated data to coerce the agency into providing the demanded ransom, reports The Record, a news site by cybersecurity firm Recorded Future.
Organizations could have their sensitive information compromised through a high-severity vulnerability in Google Cloud, Azure, and Amazon Web Services command line interface tools dubbed "LeakyCLI", The Hacker News reports.