Qnap VioStor NVR devices are vulnerable to flaws that attackers exploit to integrate the devices into a botnet. The leak has existed for some time, but discoverer Akamai is only now releasing the details as a patch has recently been available.

The Mirai-based botnet Infected Slurs manages to integrate the devices via vulnerabilities in the Qnap VioStor NVR software. The affected devices are then used to carry out DDoS attacks.

Akamai discovered the botnet in October 2023, but the abuse likely began late last year. In October, it emerged that the zero-day leaks being exploited were brand new and there was no patch. Details about the attacks were therefore left behind. Qnap has now released the necessary patches to ward off attacks. Therefore, it is now the responsibility to share details.

Patch

First of all: If you use a Qnap VioStor NVR to support your camera surveillance, you must update the software immediately. Qnap also recommends users to change their passwords immediately. The patch in question has been available since December 7th. QVR firmware 5.x and later does not contain the bugs, but anyone with QVR 4.x is at risk. InfecterSlurs also abuses FXC routers. A patch has also been released for these devices.

The exploited vulnerabilities include CVE-2023-49897 (FXC) and CVE-2023-47565 (Qnap). Qnap’s vulnerable software is quite old, with version 5.0.0 released about a decade ago. Anyone who has more modern hardware is probably not at risk. It appears that the criminals behind the botnet are primarily focused on old devices. There are also Qnap NVRs floating around that are so old that they no longer receive updates. Anyone who still uses such a device is a bird to the cat and has to buy new hardware.