Skip to main content

HKCERT Urges Users of Remote Access Tools and NAS Devices to Beware of Ransomware Attacks

(Hong Kong, 19 October 2021) The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council is urging local users of remote access tools and network-attached storage (NAS) devices to step up security to fend off ransomware attacks targeting such devices. As recently HKCERT has observed from various sources that there has been an increase in ransomware attacks globally. Vulnerabilities in the remote access tools and NAS devices are found to be the major attack vectors for the latest wave of ransomware attacks. These hybrid workspace tools are commonly adopted by local enterprises during the COVID-19 pandemic.

According to incident reports, the ransomware attacked both servers and end users’ desktops, encrypted the data and paralysed business operations. Some such as REvil and Conti would even steal sensitive data in which the attackers threaten to disclose to the public if the ransom is not paid. Due to the data is held hostage, ransom payments in cryptocurrency, ranging from $400,000 to $1,400,000, which could incur substantial financial impact on the victims, were demanded.

With Virtual Private Network gateways and remote control applications, requiring a direct connection to the Internet, if the vulnerabilities of the gateway device are not promptly patched, the risk of it being exploited is extremely high. HKCERT urges both individuals and organisations to stay vigilant, pay extra attention to ransomware attacks, and adopt the following preventive measures [1]:

  1. Update their IT systems timely, monitor the vendor's official website or subscribe to HKCERT’s information security alert services for information on the release of the firmware update;
  2. Change the administrator and user passwords regularly and use multi-factor authentication (if applicable);
  3. Disable unused accounts and minimise the accounts’ privileges as possible;
  4. Disable unused protocol and applications (e.g. SSH, Telnet, Web Server, SQL server, phpMyAdmin);
  5. Avoid using default port number (e.g. 22, 443, 80, 8080, 8081, etc.);
  6. Restrict firewall policies and adopt the principle of default deny all traffic if possible;
  7. Maintain offline data backups and test for data restoration regularly;
  8. Enable system log function and trigger alerts when encountering abnormal situations; and
  9. Replace end-of-support software and hardware products with supported versions.

Should users have further questions, please do not hesitate to contact HKCERT via email: hkcert@hkcert.org or its 24-hour telephone hotline: 8105 6060. HKCERT will continue monitoring the latest development of the attacks and keep the public informed if there are any updates.

Reference Links:
[1] https://www.hkcert.org/blog/patch-vulnerabilities-in-remote-access-and-remote-storage-now

- Ends -