[RANSOMWARE] 4/20/2021 - QLOCKER

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
syncthing
Know my way around
Posts: 119
Joined: Mon Aug 13, 2018 4:58 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by syncthing » Sat Apr 24, 2021 1:30 am

jbennett360 wrote:
Sat Apr 24, 2021 1:06 am
Then obviously updates too. :D
to be honest usually I wait some time, to check if the firmware gets cancelled or they make some lite/premium stuff and so on :DD

QNAPDanielFL
Easy as a breeze
Posts: 344
Joined: Fri Mar 31, 2017 7:09 am

Re: Sneaky QNAP - disturbing AF!

Post by QNAPDanielFL » Sat Apr 24, 2021 3:18 am

jaysona wrote:
Fri Apr 23, 2021 9:05 pm
So, it would seem QNAP has quietly and unceremoniously replaced /usr/local/sbin/7z on people's NASes without any sort on communication to that effect. This is just another confirmation that QNAP has become a sketchy AF company.
The change you refer to is to offer better protection from Qlocker.

parkzone
First post
Posts: 1
Joined: Sat Apr 24, 2021 6:27 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by parkzone » Sat Apr 24, 2021 6:35 am

I didn't read the advice and I shut down the NAS. Any Idea how to proceed now I have bypassed unknown recommendations?

User avatar
dolbyman
Guru
Posts: 22778
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Sat Apr 24, 2021 6:38 am

What recommendations do you want ? Did you read the thread ? .. Without backups or ransom payment your are (currently) SOL

User avatar
dolbyman
Guru
Posts: 22778
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Sneaky QNAP - disturbing AF!

Post by dolbyman » Sat Apr 24, 2021 6:46 am

QNAPDanielFL wrote:
Sat Apr 24, 2021 3:18 am
jaysona wrote:
Fri Apr 23, 2021 9:05 pm
So, it would seem QNAP has quietly and unceremoniously replaced /usr/local/sbin/7z on people's NASes without any sort on communication to that effect. This is just another confirmation that QNAP has become a sketchy AF company.
The change you refer to is to offer better protection from Qlocker.
I think he knows that, it was probably the missing info in the change-log that certain "mitigations" are applied

Eternic
Starting out
Posts: 16
Joined: Sat Mar 16, 2019 9:53 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Eternic » Sat Apr 24, 2021 6:56 am

Eternic wrote:
Fri Apr 23, 2021 9:38 am
Just so we can all understand the attack vector, this is my understanding:
  1. QNAP fixed some SQL/Command injection vulnerabilities in February in the QTS firmware, Multimedia Console and Media Streaming Add-On but this wasn't mentioned in the update notes for those versions
  2. On April 16 they released a Security Advisory telling people about this issue and that people needed these versions from February to be secure. One for the apps and one for the firmware.
  3. Also on April 16 they released an update fixing injection vulnerabilities as well as a hard-coded credential issue in HBS 3 Hydrid Backup Sync but did not mention this anywhere outside the update notes
Perhaps the vulnerabilities were fixed in February and they chose not to mention them for a couple of months to avoid alerting bad actors until most people would have updated to secure versions. They didn't do the same with HBS 3 though, which is an application that would run on your NAS whether you'd ever opened it and set anything up in it or not. In fact you could say they instead did the following on April 16:
"Hey Bad Guys, there's an injection vulnerability in older firmware and Multimedia Console which we don't let people uninstall. We fixed these a couple of months ago, but if you check the update notes for HBS 3 which we only just fixed today, you'll see it has the same or similar issues and we haven't told anyone about it outside of those update notes. Enjoy!"

QNAP claim the hard-coded credentials in HBS 3 haven't been used, but point to the SQL Injection issue in the older firmware and Multimedia Console as the problem. Many, myself included, had these up to date at the time of the attack, but not the April 16 update of HBS 3. They did say to update HBS 3 afterwards in response to this attack, but still never released a Security Advisory about its injection issue. After the ransomware had started they put one out about the hard-coded credentials issue, but left out the injection issue.

I'm happy to be proven incorrect about any of this.
In regards to whether the HBS 3 vulnerability was the issue for most people, this was my last post about it. I'm still of the belief that it was the HSB 3 injection issue that was fixed 3 days before the attack and not the hard-coded credentials issue was that attack vector for most if not all people hit. I haven't seen anyone that I trust to give a correct answer say that they had HBS 3 version 16.0.0415 or didn't have HBS 3 installed before the attack. Even I made the mistake initially of thinking I had it up to date before I checked the event logs and saw I'd updated it between being attacked and realising I'd been attacked. It could also be the hard-coded credentials issue, but the only reason to suspect it isn't is taking QNAP at their word that it wasn't and they're not necessarily reliable right now.

I almost think they've been purposely obfuscating the fact that the injection vulnerability was in HBS 3 with how they usually only mention the old firmware and Multimedia Console updates, etc and their lack of mention about it in a Security Advisory. Most people I've seen have been pointing at the credentials issue in HBS 3.

Mousetick
Been there, done that
Posts: 947
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Sat Apr 24, 2021 7:23 am

parkzone wrote:
Sat Apr 24, 2021 6:35 am
I didn't read the advice and I shut down the NAS. Any Idea how to proceed now I have bypassed unknown recommendations?
Recommendation from the peanut gallery: turn the NAS back on, as soon as it's up, update Malware Remover and run it if it hasn't run automatically after the update. Then wait and hope that the ransomware will resume(*) encrypting files on your NAS.

This is not a joke. When you run the latest Malware Remover, it installs a "trap" that records the names of all files being encrypted, the encryption password, and skips the encryption. But for this to work, at least one encryption call has to be made to trigger the trap.

(*) Assuming you shut your NAS down while the ransomware was doing its job.

You can monitor whether the trap has caught anything by SSHing to the NAS and looking at the contents of the directory(*)

Code: Select all

/share/CACHEDEV1_DATA/.qpkg/MalwareRemover
and see if it contains a file named 7z.log, which you can copy elsewhere and open in a text editor.

(*) Assuming your System Volume is the first one, if not substitute CACHEDEV1_DATA with the corresponding volume name.

If there is nothing logged after quite a while, you're out of luck. The ransomware had finished its job by the time you shut down the NAS, or never resumed its job after you turned it back on. You will not be able to find out what password was used to encrypt your files.

User avatar
dolbyman
Guru
Posts: 22778
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Sat Apr 24, 2021 7:56 am

nice feature....you would think they would loud and proud advertise this ..no ?

Mousetick
Been there, done that
Posts: 947
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Sat Apr 24, 2021 8:18 am

dolbyman wrote:
Sat Apr 24, 2021 7:56 am
nice feature....you would think they would loud and proud advertise this ..no ?
They do... sort of.

viewtopic.php?f=45&t=160849&start=225#p787279

If you follow the manual installation steps posted at the KB article and download the linked 7z file, it's a small shell script that's a slightly modified version of what Malware Remover installs (the version installed by Malware Remover was posted by @jaysona some time earlier in this thread). You can open this script and see what it does, there's no secret.

On the other hand the QNAP rep on reddit says:
This is a hard one. You want more transparency on what malware remover is doing to your NAS. But the more transparent we are about how malware remover works, the more that information can be used against us in this hack attempt.

So at this time, we likely won't say much about what malware remover is doing. We are trying our best to stop this attack with Malware Remover and we won't say much about how exactly malware remover fighting Qlocker. Maybe in the future, we can say more. What I can say for now is the change being referred to is our attempt to fight Qlocker.
I think the lack of transparency from QNAP at this time may be due to not knowing for sure what vulnerability is being or has been exploited. The 7z "trap" walks up the process tree to find out from which (possibly QTS, if this is a command injection) program the encryption attack is launched.

Mousetick
Been there, done that
Posts: 947
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Sat Apr 24, 2021 8:32 am

Mousetick wrote:
Sat Apr 24, 2021 7:23 am
parkzone wrote:
Sat Apr 24, 2021 6:35 am
I didn't read the advice and I shut down the NAS. Any Idea how to proceed now I have bypassed unknown recommendations?
Recommendation from the peanut gallery: ...
<snip>
On second thought, the chances that this would succeed are quite slim. By shutting down the NAS, you likely made the malware go "poof" as it may not have been installed in a persistent location on the NAS. So in order for the encryption to resume, and as strange as this may sound, the NAS would need to be re-infected. In other words it would need to present exactly the same configuration and vulnerabilities that it had when it was first compromised. No change in configuration on the router side, no security or firmware updates on the NAS side. And on top of that, whatever botnet is launching the attacks would have to reconsider the NAS as a potential target. It may have already flagged it as "done", in which case it might not retry it ever.

One2go
Starting out
Posts: 38
Joined: Sun Jul 12, 2009 1:56 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by One2go » Sat Apr 24, 2021 8:35 am

Been following this thread here and the one on the Bleeping Computer and can't quite make out what was the cause and how it happened and it looks like many others are also scratching their head since there is no definitive statement on what was the cause for this. That it could have come through several different avenues does not speak well for QNAP as is also evident by the furious disposition by many who have lost data and now have to spend money & time to get back where they were a few days ago.

I have three QNAO NASs and neither is infected and will give my configuration before and what I have done since I first came to know of the ransom attack. All three NASs are running Raid 1 to protect from disc failure therefore never backed them up. Nothing irreplaceable is stored on them, but I do run an Emby server on one of them and love it hate loose the metadata and will back that one up through a plugin.

First off my Router had the settings for UPnP hidden and so it was on by default. Since the attack UPnP has been turned off after Googling where to find the setting. Also port forwarding was present, admin was User Name but had a very difficult password and after 5 unsuccessful login attempts IP address was banned for a day. No such failed login attempts were recorded. This was the case for all three NASs and I know this is not very secure. However I don't understand where some of these risky apps come from like multimedia console can't find it on any of the NASs were they part of a newer firmware and thus installed and enabled by default?

First NAS a TS-239 Pro which is EOL now, it was running QTS version 4.2.6 (2018-10-26) had QSync Central & MyQNAPCloud enabled but had none of the other dodgy apps. After knowing of the attack UPnP, QSync Central & MyQNAPCloud were disabled and QTS is now version 4.2.6 Date: 2021/03/27. However the Malware Remover is version 3.6.0.2 nothing newer because I believe EOL is the reason.

Second NAS a TS-253 Pro was running QTS 4.3.6.0895 (2019-03-28) with MyQNAPCloud & UPnP enabled. QSync Central, Hybrid Backup and Media Streaming Add-On were not installed and I couldn't find the Multimedia Console anywhere. After knowing of the attack UPnP & MyQNAPCloud were disabled and have not changed the QTS version yet. The Malware Remover is version 3.6.1.1 now.

Third NAS a TS-253Be was running QTS 4.3.6.0867 (2019-02-28) with MyQNAPCloud & UPnP enabled. QSync Central, Hybrid Backup and Media Streaming Add-On were not installed and also I couldn't find the Multimedia Console anywhere. After knowing of the attack UPnP & MyQNAPCloud were disabled and have not changed the QTS version yet. The Malware Remover is version 3.6.1.1 now.

The TS-239 Pro has been running 24/7 since July 2009 and the others also for a few years. Never a single hiccup just just doing the job I bought them for. The reason I am hesitant to update the firmware is, because it could break some of my configuration or I have no idea what kind of Trojan horse QNAP put into the newer firmware. So until some of the fog lifts and we have a better idea what QNAP has done what we are confronted with and what we can expect, I am very hesitant to do any further changes.

I created a new Admin login account and than disabled the fault admin account, immediately the IP address of the PC that I used to make the changes was banned. Removed it, banned again. Left the default admin account enabled no longer PC's IP address being banned. That is one I will follow up on.

One positive thing of this whole debacle, my knowledge of Linux has greatly increased which I really didn't want since everything was running just fine.

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9894
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Moogle Stiltzkin » Sat Apr 24, 2021 12:38 pm

anyone know what this is about? user claims he didn't expose nas but he got infected somehow?
https://www.reddit.com/r/qnap/comments/ ... &context=3
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

User avatar
dolbyman
Guru
Posts: 22778
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman » Sat Apr 24, 2021 1:02 pm

reads as if that user mistook the presence of 7z, with an infection

jbennett360
Getting the hang of things
Posts: 65
Joined: Tue Aug 08, 2017 1:04 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jbennett360 » Sat Apr 24, 2021 1:29 pm

Moogle Stiltzkin wrote:
Sat Apr 24, 2021 12:38 pm
anyone know what this is about? user claims he didn't expose nas but he got infected somehow?
https://www.reddit.com/r/qnap/comments/ ... &context=3
Yeah I'd seen that.

I'm not buying it. I mean how else can the NAS be exploited if it can't be accessed from outside the LAN. It doesn't make any sense?

UPnP must have been enabled somewhere, or ports must have been forwarded.

It's the first one I've seen where that's been claimed too, so, I'd take it with a pinch of salt.

Edit: Not even sure he's been affected judging by another comment

Tbh, this latest thing has really caused me to reconsider using QNAP, I have a level of anxiety and apprehension that does not make me feel good. I have my files backed-up, but I am still nervous that I'll wake up one morning to a hacked NAS and a headache I would not want to deal with.

oNFUsKYO
First post
Posts: 1
Joined: Sat Apr 24, 2021 3:12 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by oNFUsKYO » Sat Apr 24, 2021 3:36 pm

A lot of you are giving QNAP too much credit and are almost "defending" this company... Please stop. It should NEVER be the end-user's fault for getting infected using (or not using) QNAP's own basic functionality/features. The end-user should not be getting blamed for attacks like these when it was one of QNAP's sole responsibilities to ensure the safety and security of all their users - from the front-end to the back-end. Unfortunately we were all failed by QNAP, who neglected to provide adequate protection and/or timely information to all of their users. There were no mass emails from this company urging people to upgrade the vulnerable apps - automatic updates/patches were not available (what if some of us could not get to our devices to update them manually in time?) - and very little effort was put towards ensuring the built-in functions of QNAP's devices did not contain backdoor-like entry-points. QNAP, in fact - did everything in their power to expose and endanger their userbase by forcing all sorts of bloat and unwanted/unneeded applications with each firmware upgrade. The blame falls on QNAP for failing to protect us. The end-user was (most likely) looking for a storage solution, but QNAP added backdoors and all sorts of Internet functionality to their storage devices that ~90%+ of users would never need to use.

Post Reply

Return to “Users' Corner”