Optiv’s gTIC Prioritized Software and Services List + MITRE Tactics Part VI: Network-Attached Storage (NAS) Devices

August 29, 2025

This blog post is a continuation of our Optiv Global Threat Intelligence Center’s (gTIC’s) Prioritized Software and Services List series. The list provides a high-level introduction to frequently exploited software, services and protocols and their associated MITRE ATT&CK tactic mappings. The intent of researching, identifying and prioritizing potentially high-risk products (based on their attractiveness for, and frequency of, targeting by adversaries) is to supplement and support enterprise risk management, incident response preparedness, intelligence collection and threat research. Follow-up reports will cover more details on adversaries, vulnerabilities, techniques and real-world incidents (where applicable) pertaining to many of the software and services outlined in the original blog post. This sixth blog post in the series covers exploitation trends and vulnerabilities in popular network-attached storage (NAS) products and devices to support the gTIC’s inclusion of NAS products on our Prioritized Software and Services List.

NAS Products and MITRE Technique Mapping

Optiv’s gTIC has identified and categorized NAS devices as a key environment for continuity and security as well as a target of opportunity for compromise by adversaries. These products enable a large number of users or devices within a network to access a centralized storage environment to share or access files and information.
Adversaries target these types of software and products for various actions and objectives, including accessing and exfiltrating data; installing backdoors and web shells to achieve Persistence or Lateral Movement; large-scale and rapid deployment of malware across the network for Impact; and Discovery of sensitive databases and files and mapping of other parts of the network and environment. Prominent NAS device manufacturers and vendors include QNAP, Synology and Zyxel. The elevated risk profile for applicable organizations is based on the ubiquity of NAS products, as well as the severity and notoriety of known vulnerabilities and real-world compromises. Independent of the NAS brand or manufacturer, if your organization owns or uses these products, prioritize security and hardening accordingly.

Reports and observations show that adversaries leverage NAS products to navigate across seven (7) Tactics mapped to the MITRE ATT&CK framework. Specific MITRE ATT&CK techniques for each of the observed tactics include the following:

TA0001 - Initial Access
  T1078 – Valid Accounts: NAS devices, like Synology, are known to be accessed and compromised via brute-forcing of previously stolen, or weak and default, credentials.

TA0004 – Privilege Escalation
  T1068 – Exploitation for Privilege Escalation: Authentication vulnerabilities in NAS devices, like CVE-2024-21899, allow unauthorized and unauthenticated users to gain access and privileges into sensitive systems and storage areas.

TA0006 – Credential Access
  T1212 – Exploitation for Credential Access: Vulnerabilities in NAS cloud services have been demonstrated to allow an actor-controlled device to impersonate a legitimate NAS device and redirect users to the decoy device, where valid credentials were captured.

TA0007 - Discovery
  T1135 – Network Share Discovery: Adversaries are able to identify and exploit NAS devices that are accessible from user workstations. NAS devices have been demonstrated to be emulated within a network, which allows internal users to connect to the emulated or “decoy” NAS device and in turn allows potential adversaries to identify other network systems and users.
  T1083 – File and Directory Discovery: Exploitation of, or unauthorized access to, NAS devices leads to discovery and manipulation of files in storage environments like NAS devices.

TA0009 – Collection
  T1005 – Data from Local System: Access to NAS devices allows threat actors to read, write or edit files and folders stored within these environments.

TA0010 – Exfiltration
  T1041 – Exfiltration over C2 Channel: Threat actors, including ransomware operators, leverage tools like Rclone to exfiltrate data from various environments, including NAS devices, to threat-actor-controlled cloud storage like AWS and Backblaze.

TA0040 - Impact
  T1486 – Data Encrypted for Impact: Multiple ransomware strains have been deployed as a secondary, post-intrusion technique following the compromise of NAS devices and services from manufacturers including QNAP and Synology.
  T1498 – Resource Hijacking: Exploitation of NAS devices, like Zyxel, is known to be leveraged by botnets like Mirai to launch internal or external denial of service (DoS) attacks.

The following chart shows popular NAS manufacturers (QNAP, Synology and Zyxel) mapped to various MITRE tactics. The chart also shows associated threats, including malware, adversaries and vulnerabilities assessed to pose a high risk to organizations or that are known to have been exploited by cyber adversaries over the last 24 months.
[Figure 1: Threat Actors, Malware, and MITRE Tactics Associated with NAS Device Attacks]

Vulnerabilities and Threats

Cyber adversaries and researchers have demonstrated how NAS devices and software allow threat actors to accomplish numerous objectives, including deploying ransomware to encrypt files and data across multiple devices; exploitation for Initial Access and Discovery of the compromised environment; establishing a foothold for botnets; and stealing valid credentials from other users within the environment. Research and observed incidents of compromises involving NAS device exploits also validate Optiv gTIC’s long-standing assessment that threat actors will continue to exploit old vulnerabilities (two years and older) in popular software and services due to the continued demonstrable exploit success over time. Excluding zero-day vulnerabilities and exploits, the gTIC’s research shows that adversaries scan for and exploit vulnerabilities across multiple NAS device manufacturers and software (e.g., QNAP, Synology, Zyxel) as quickly as 72 hours after disclosure. It is therefore time sensitive for enterprises to prioritize NAS devices and software to support a fundamental asset inventory and defense-in-depth program.

Threats and malware known to exploit or leverage NAS devices and software as part of their attack vectors include botnet and persistence campaigns like StealthWorker, Mirai, InfectedSlurs and Mukashi, and multiple ransomware cartels including Deadbolt, QNAP Crypt, QLocker, Mallox, Diskstation, eCh0raix and DarkSide. This is Likely due to the ubiquity of NAS devices across enterprises, their internet-facing position, and the presence of internal sensitive folders and files, making critical vulnerabilities in these products a key target for Initial Access, Discovery, Exfiltration, and Impact.
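The 72-hour figure above only helps if the asset inventory can answer "which NAS devices are still unpatched, how long has the flaw been public, and are they reachable from the internet?" The following Python is an added example, not code from the Optiv post or from any NAS vendor: it ranks each (device, advisory) pair by exposure time and internet exposure. All vendors, products, firmware versions and advisory identifiers are constructed placeholders, not real CVEs or real firmware releases.

```python
"""
Added example (not from the Optiv post): prioritising NAS devices in an asset
inventory by how long they have been exposed to a disclosed vulnerability.
Every vendor, product, firmware version and advisory identifier below is a
constructed placeholder, not a real CVE or a real firmware release.
"""
from dataclasses import dataclass
from datetime import date

# The post reports exploitation as quickly as 72 hours after disclosure, so
# three days is the window after which an unpatched device is treated as urgent.
URGENT_WINDOW_DAYS = 3


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder identifier, not a real CVE
    vendor: str
    product: str
    fixed_version: tuple      # first firmware version that contains the fix
    disclosed: date


@dataclass(frozen=True)
class NasDevice:
    hostname: str
    vendor: str
    product: str
    firmware: tuple
    internet_facing: bool     # reachable from outside the network (e.g. exposed web UI)


def parse_version(text: str) -> tuple:
    """Turn '5.10.2' into (5, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(device: NasDevice, adv: Advisory) -> bool:
    """A device is affected when it runs the advisory's product below the fixed version."""
    return (device.vendor == adv.vendor and device.product == adv.product
            and device.firmware < adv.fixed_version)


def exposure_days(adv: Advisory, today: date) -> int:
    """Days the flaw has been public, i.e. the time adversaries have had to scan for it."""
    return (today - adv.disclosed).days


def priority(device: NasDevice, adv: Advisory, today: date) -> str:
    """Rank an unpatched pair; internet-facing and past the 72h window is the worst case."""
    if not is_vulnerable(device, adv):
        return "patched"
    days = exposure_days(adv, today)
    if device.internet_facing and days >= URGENT_WINDOW_DAYS:
        return "critical"
    if device.internet_facing or days >= URGENT_WINDOW_DAYS:
        return "high"
    return "medium"


def triage(devices, advisories, today):
    """Return (hostname, advisory_id, priority, days_exposed) for each unpatched pair,
    most urgent first and, within a priority, longest exposed first."""
    rows = []
    for dev in devices:
        for adv in advisories:
            p = priority(dev, adv, today)
            if p != "patched":
                rows.append((dev.hostname, adv.advisory_id, p, exposure_days(adv, today)))
    order = {"critical": 0, "high": 1, "medium": 2}
    rows.sort(key=lambda r: (order[r[2]], -r[3]))
    return rows


# Constructed sample inventory and advisories (placeholders, not real data).
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "VendorA", "nas-os", parse_version("5.1.2"), date(2025, 8, 20)),
    Advisory("ADV-PLACEHOLDER-2", "VendorB", "dsm-like", parse_version("7.2.1"), date(2025, 8, 27)),
]
DEVICES = [
    NasDevice("nas-hq-01", "VendorA", "nas-os", parse_version("5.0.9"), True),
    NasDevice("nas-lab-02", "VendorA", "nas-os", parse_version("5.1.2"), False),
    NasDevice("nas-fin-03", "VendorB", "dsm-like", parse_version("7.1.0"), False),
    NasDevice("nas-dmz-04", "VendorB", "dsm-like", parse_version("7.2.0"), True),
]
TODAY = date(2025, 8, 29)

if __name__ == "__main__":
    for row in triage(DEVICES, ADVISORIES, TODAY):
        print(row)
```

With the constructed data, nas-hq-01 (internet-facing, nine days unpatched) comes out critical, nas-dmz-04 high because it is exposed even though the advisory is only two days old, and nas-fin-03 medium; nas-lab-02 already runs the fixed version and is dropped. Versions are compared as integer tuples deliberately: comparing "5.10.0" and "5.9.9" as strings would rank the older release as newer.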
Improper security and authentication settings and protocol/exposure configurations are among the most common non-vulnerability weaknesses, while authentication bypass and information disclosure are among the most common CVE-designated vulnerabilities in NAS devices and products. These vulnerabilities allow attackers to execute code, upload arbitrary files and malware, create decoy and fake accounts and devices, or gain visibility into other devices in the network. Containment and identity/credential protection should be the key objectives for security teams with regard to safeguarding networks from an intrusion or attack involving NAS devices. NAS devices are assessed with High Confidence to be an extremely attractive target of opportunity due to the breadth of post-exploitation access and compromise they provide, so much so that unique and specialized strains of ransomware have emerged that specifically target NAS devices. These include eCh0raix, QLocker, Diskstation, QSnatch and QNAPCrypt. Other ransomware strains that evolved into exploiting misconfigurations, authentication weaknesses, or application and firmware vulnerabilities in NAS devices include Checkmate and Darkside ransomware. Access to NAS devices has allowed further Discovery of network-connected endpoints and user accounts and rapid delivery of malware or encryption payloads across the network using insecure protocols or authentication. There is limited reporting of state-sponsored threats targeting or leveraging NAS devices during their attacks, but it remains a Likely risk due to the information stored and managed by NAS devices and environments. Regardless of the lack of reporting, Optiv’s gTIC emphasizes continued prioritization of containment and hardening efforts for users and systems in networks where NAS devices are present, rather than focusing efforts on attribution of threats, both named and unspecified.
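The identity/credential protection this section calls for, and the T1078 Valid Accounts mapping earlier in the post, both come down to noticing credential abuse against the NAS before the first successful login. The Python below is an added example, not code from the Optiv post or any NAS vendor: it runs three detections over a constructed, syslog-style NAS authentication log. The log format, hostname and IP addresses are made up for illustration, so the regex has to be adapted to the real device's connection or authentication log before use.

```python
"""
Added example (not from the Optiv post): detection logic for credential abuse
against a NAS, run over a constructed, syslog-style authentication log.
The line format, hostname and addresses are invented for illustration; adapt
LINE_RE to the real device's auth/connection log before using this.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source brute-forcing "admin" and then succeeding,
# one source spraying a single guess across many accounts, and one ordinary
# user who mistypes a password once.
SAMPLE_LOG = """\
2025-08-29T10:00:01 nas01 auth: FAILED login user=admin from=203.0.113.5 proto=https
2025-08-29T10:00:03 nas01 auth: FAILED login user=admin from=203.0.113.5 proto=https
2025-08-29T10:00:05 nas01 auth: FAILED login user=admin from=203.0.113.5 proto=https
2025-08-29T10:00:07 nas01 auth: FAILED login user=admin from=203.0.113.5 proto=https
2025-08-29T10:00:09 nas01 auth: FAILED login user=admin from=203.0.113.5 proto=https
2025-08-29T10:00:12 nas01 auth: SUCCESS login user=admin from=203.0.113.5 proto=https
2025-08-29T10:05:00 nas01 auth: FAILED login user=alice from=198.51.100.9 proto=smb
2025-08-29T10:05:01 nas01 auth: FAILED login user=bob from=198.51.100.9 proto=smb
2025-08-29T10:05:02 nas01 auth: FAILED login user=carol from=198.51.100.9 proto=smb
2025-08-29T10:05:03 nas01 auth: FAILED login user=dave from=198.51.100.9 proto=smb
2025-08-29T10:30:00 nas01 auth: FAILED login user=frank from=192.0.2.44 proto=smb
2025-08-29T10:30:20 nas01 auth: SUCCESS login user=frank from=192.0.2.44 proto=smb
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+) proto=(?P<proto>\S+)$"
)

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5      # failures from one source within WINDOW -> brute force
SPRAY_USERS = 4         # distinct accounts failed from one source within WINDOW -> spraying
COMPROMISE_FAILS = 3    # failures immediately before a success -> likely guessed credential


def parse(log_text):
    """Parse matching lines into dicts; non-matching lines are skipped rather than fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return a sorted list of (source_ip, finding) tuples."""
    findings = set()
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAILED"]
        # Sliding window anchored on each failure from this source.
        for i, first in enumerate(fails):
            in_win = [e for e in fails[i:] if e["ts"] - first["ts"] <= WINDOW]
            if len(in_win) >= FAIL_THRESHOLD:
                findings.add((src, "brute_force"))
            if len({e["user"] for e in in_win}) >= SPRAY_USERS:
                findings.add((src, "password_spray"))
        # A success right after a run of failures is the signature of a guessed
        # or stuffed credential and is worth a containment action, not just an alert.
        streak = 0
        for e in evs:
            if e["result"] == "FAILED":
                streak += 1
            else:
                if streak >= COMPROMISE_FAILS:
                    findings.add((src, f"success_after_failures:{e['user']}"))
                streak = 0
    return sorted(findings)


if __name__ == "__main__":
    for src, finding in detect(parse(SAMPLE_LOG)):
        print(src, finding)
```

On the sample log, 203.0.113.5 is flagged twice (brute force, then a success after failures for admin, the case that should trigger a credential reset and session review) and 198.51.100.9 is flagged for spraying even though it never crosses the per-source failure threshold, which is why the two detections are kept separate. The single typo from 192.0.2.44 produces nothing.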
Despite reports of advances in techniques and procedures pertaining to Defense Evasion, Persistence and Lateral Movement, many threats continue to rely on older and simpler techniques and procedures to successfully compromise exposed systems like NAS devices for Initial Access. Mirai was a prolific botnet whose source code was leaked years ago, resulting in multiple offshoot strains and variants like Mukashi. These offshoots have been developed, customized and updated to compromise and maintain persistence in edge and internet-of-things (IoT) devices. The primary attack vector for Mirai-like botnets over the last several years, however, has remained scanning for and bypassing weak and default credentials in internet-exposed devices. Upon achieving access into exposed devices via brute-forcing and password spraying, the threat actors evolved the strains and campaigns to exploit additional code execution and privilege elevation vulnerabilities in NAS devices like Zyxel and D-Link. Examples of such vulnerabilities include CVE-2020-9054, CVE-2024-3272, and CVE-2024-3273.

The graphics below illustrate Optiv gTIC’s Threat Actor Metric™ calculated for selected cyber threats known to exploit or seek out NAS devices as part of their attacks (see Appendix: References for an explanation of the Threat Actor Metric™).

[Figure 2: Threat Actor Metric Score for eCh0raix Ransomware. © 2025. Optiv Security Inc. All Rights Reserved.]

[Figure 3: Threat Actor Metric Score for Mirai Botnet]

Appendix: References

1. MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK® can be found at attack.mitre.org.
All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: © 2023 The MITRE Corporation. MITRE ATT&CK® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/.

Optiv Threat Actor Metric™ – The Optiv Threat Actor Metric™ was developed by Optiv’s gTIC and is a multi-faceted, qualitative approach to determining a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible 100. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and to support proactive and remediating recommendations by presenting a visualization of non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the United States Department of Defense’s CARVER targeting scale.

Link charts and graphs in this report were created by Optiv’s gTIC leveraging the ThreatQuotient® Investigations platform.
In addition to Optiv’s own Enterprise Incident Management team’s incident response engagements and analysis and other sensitive sources, the following references provided additional information for this blog post:

https://www.bitdefender.com/en-us/blog/hotforsecurity/synology-nas-devices-targeted-in-large-scale-brute-force-attack
https://cybersecuritynews.com/synology-network-file-system-vulnerability/
https://www.commissariatodips.it/notizie/articolo/operazione-elicius/index.html
https://www.synology.com/en-global/company/news/article/BruteForce/Synology%C2%AE%20Investigates%20Ongoing%20Brute-Force%20Attacks%20From%20Botnet
https://www.reddit.com/r/synology/comments/1cnjkcp/our_synology_got_attacked_by_ransomware/
https://www.securityweek.com/critical-vulnerability-allows-access-to-qnap-nas-devices/
https://www.bleepingcomputer.com/forums/t/808362/ransomware-with-weax-extension-targetcompanymallox/
https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-connectivity-to-pwn-your-nas-wd-pr4100-edition
https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/
https://www.enterprisestorageforum.com/networking/nas-security/

Analytical Comments, Statements and Best Practices

Most Likely Course of Action (MLCOA) – The expected and probable tactics, techniques and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

Most Dangerous Course of Action (MDCOA) – Tactics, techniques or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

Words of Estimated Probability – Optiv’s gTIC employs both probability statements for the likelihood of events or actions and confidence levels for analytic assessments and judgements.
Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

Likelihood term          Equivalent term          Probability
Almost No Chance         Remote                   01-05%
Very Unlikely            Highly Improbable        05-20%
Unlikely                 Improbable               20-45%
Roughly Even Chance      Roughly Even Odds        45-55%
Likely                   Probable (Probably)      55-80%
Very Likely              Highly Probable          80-95%
Almost Certain(ly)       Nearly Certain           95-99%

Confidence statements, as defined by Optiv’s gTIC, apply to the reliability and relevance of information reported and are as follows:

High Confidence
  Optiv gTIC definition: Information and/or intelligence is assessed to be of high reliability and value to drive operations and decisions.
  Factors: Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation.
  Quantitative relevance: 75%+

Moderate Confidence
  Optiv gTIC definition: Information and/or intelligence is reasonable and warrants consideration, action or response where applicable.
  Factors: Sporadic observations, limited historical references (too recent or too long a gap to be considered “established”).
  Quantitative relevance: 45-65% (+/- 10%)

Low Confidence
  Optiv gTIC definition: Information and/or intelligence is unreliable or less relevant and is provided as situational awareness.
  Factors: Lack of established history or observations, unreliable or circumstantial evidence.
  Quantitative relevance: 35%

Per ICD 203 standards, confidence-level statements are not combined with the probability and degree-of-likelihood terms in the chart above.
By: Aamil Karimi

Aamil Karimi has over 18 years of experience in the practice of intelligence analysis and reporting in the military (HUMINT and targeting) and the private sector in cybersecurity (threat and risk intelligence). His experience includes supporting incident response, threat research, serving as an architect for new intelligence services and products, spearheading CTI programs, and supporting CISO/enterprise security teams in building and expanding threat intelligence capabilities for Fortune 500 companies and MSSPs. Prior to joining the cybersecurity field, Karimi spent six years in Afghanistan on active duty and civilian deployments supporting the U.S. Army, U.S. Air Force Office of Special Investigations, and U.S. Special Operations Command as a Principal Human Intelligence (HUMINT) Analyst and counterintelligence and targeting subject matter expert.

Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.