[RANSOMWARE] >>READ 1st Post<< Deadbolt

jswain
New here
Posts: 9
Joined: Tue Jul 05, 2016 5:32 pm

Re: [RANSOMWARE] Deadbolt

Post by jswain »

Has anyone reset their QNAP NAS back to factory settings (reset) and if so did it get rid of Deadbolt? Looking for an answer before I reset mine back to factory.

Also, when I realised what was happening I switched off my NAS, then rebooted with a keyboard and monitor plugged in and logged in to the admin screen. From there you can reset to factory if you want, but more interestingly Deadbolt stopped running: I can access my files across the network and see which files were locked by checking the folders (most of mine are locked), and this has allowed me to copy off anything that was not locked.
chumbo
Know my way around
Posts: 130
Joined: Sun May 03, 2020 8:43 pm

Re: [RANSOMWARE] Deadbolt

Post by chumbo »

P3R wrote: Thu Jan 27, 2022 12:39 am
chumbo wrote: Thu Jan 27, 2022 12:06 am I didn't say I believe they will, I said I hope they will, because it's the right and fair thing to do...
It may be fair to the affected customers but it's not the right thing to do. Paying ransoms and thereby financing organized crime to continue and strengthen their activities is, or at least should be, very controversial. Except for the relatively few affected victims, it's negative for the rest of the world that uses IT equipment. Paying the ransom is never the right thing to do, it's at best the least awful thing to do.

Also since we now have users paying ransom that report the unlock key didn't work, how could Qnap be sure that the master key they may receive would work? They could be throwing 2 million dollars into a black hole...
I've only heard of one user having paid the ransom and admitting it might be attributed to a mistake in the amount paid, which seems like a plausible explanation. Just like it might be bad press for a company to pay a ransom, it's just as bad for hackers to not deliver on their promises for the very obvious reasons (and why would they anyway?).
Let me put it very plain and simple as to why I think QNAP should pay the ransom (unless they can come up with another solution to restore user files). If they don't, I will! Because those files are REALLY important to me. And that's plain unfair for me the innocent end-user who put my trust in a company's product which promises me the security of my files, to have to pay to get those files back because the company failed to secure them!
And that's really the key issue here...QNAP failed to secure their NASes! It's blatantly obvious if you google and compare the sheer number of attacks on QNAP NASes when compared to Synology.

And I don't think that in the big scheme of things, this is going to bring down worldwide security and finance even more sophisticated attacks. The hackers will probably blow it on whatever luxury tickles them and move on to the next easiest hack ...a QNAP ransomware for instance?
QNAP TS-251+ 8Gb, Windows 10 x64.
I'm a total noob when it comes to networking and security so please address me as if I were your grandmother
luckydekko
New here
Posts: 5
Joined: Wed Jan 26, 2022 8:12 am

Re: [RANSOMWARE] Deadbolt

Post by luckydekko »

Got this as a response…

Dear customer,

Thank you very much for contacting QNAP support.

We really apologize for all troubles.

After early investigation we believe that the attack is related to qsa-21-57
https://www.qnap.com/en/security-advisory/qsa-21-57
So we strongly recommend updating QTS or QuTS hero to the latest firmware, 4.5.4.1892 or 5.0.0.1891, and disabling port forwarding to stop exposing the NAS to the internet directly, as in the link below. https://www.qnap.com/en/security-news/2 ... e-together

Please restore files from a good backup/snapshot. Malware Remover will be updated with a new policy to clean the Deadbolt malware later, or you can enable the remote helpdesk and QNAP support will help you remove it manually.

Notice: once Deadbolt is removed from the NAS, you can't decrypt files even with the correct password.

If you cannot access the NAS web interface, please use Qfinder to find the NAS IP address:

Example: (Qfinder available at https://www.qnap.com/en-uk/utilities/essentials )
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

QTS 5.0.0.1891 build 20211221 and later
QTS 4.5.4.1892 build 20211223 and later
QuTS hero h5.0.0.1892 build 20211222 and later
QuTScloud c5.0.0.1919 build 20220119 and later
Seems unlikely that all these deadbolded people had firmware older than late November 2021 running on their NAS :shock:
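A small check against the fixed builds quoted in this post, added here as an example (it is not code from the post or from QNAP): it parses firmware strings in the forms shown above and reports whether a given version is at or above the fixed build for its own product line, which matters because QTS 4.5.4.1892 is fixed even though it sorts below 5.0.0.1891.

```python
import re
from typing import Optional, Tuple

# Minimum fixed builds, as quoted in the post above. Each product line is
# compared separately; the trailing "build YYYYMMDD" date names the same
# release and is ignored by the check.
FIXED_BUILDS = {
    "QTS 5": (5, 0, 0, 1891),
    "QTS 4": (4, 5, 4, 1892),
    "QuTS hero": (5, 0, 0, 1892),
    "QuTScloud": (5, 0, 0, 1919),
}

# Optional product prefix (h = QuTS hero, c = QuTScloud) and four numbers.
_VERSION_RE = re.compile(r"^\s*([hc]?)(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Split "5.0.0.1891 build 20211221" into ("QTS 5", (5, 0, 0, 1891)).

    Returns None for strings that are not in the advisory's format."""
    m = _VERSION_RE.match(text.split("build")[0])
    if not m:
        return None
    prefix, *nums = m.groups()
    ver = tuple(int(n) for n in nums)
    if prefix == "h":
        line = "QuTS hero"
    elif prefix == "c":
        line = "QuTScloud"
    elif ver[0] in (4, 5):
        line = "QTS %d" % ver[0]
    else:
        return None  # a major version the advisory does not cover
    return line, ver


def is_patched(text: str) -> Optional[bool]:
    """True if at or above the fixed build for its line, False if older,
    None if the string could not be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    line, ver = parsed
    return ver >= FIXED_BUILDS[line]
```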
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

luckydekko wrote: Thu Jan 27, 2022 2:56 am ....
After early investigation we believe that the attack is related to qsa-21-57
https://www.qnap.com/en/security-advisory/qsa-21-57
....
While disappointing, this is not surprising to see such level of opacity from QNAP.

QSA-21-57 is the internal QNAP designation for a vulnerability, but there is no CVE associated. This indicates that the vulnerability is a QNAP specific vulnerability and QNAP does not feel like making any sort of public disclosure as required when a CVE number is assigned.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
clevelas
New here
Posts: 6
Joined: Mon Jan 20, 2014 8:13 am

Re: [RANSOMWARE] Deadbolt

Post by clevelas »

According to the advisory, the advisory wasn't published until January 13th. I don't know when the update actually became available to the public. I just updated a few days ago. I'm hoping I'll be OK when I get home this evening.
Keano16
Starting out
Posts: 43
Joined: Tue Dec 23, 2014 6:48 pm

Re: [RANSOMWARE] Deadbolt

Post by Keano16 »

I updated both of my NASes a couple of days ago. Thank God.

Anyway, are you guys getting email notifications about replies on this forum? I turned them on, but nothing is coming.

Thanks
QNAP TS-251+
2 x WD40FRX RED inside (2 x 4GB).
pofjybkh
New here
Posts: 3
Joined: Tue Nov 21, 2017 12:20 am

Re: [RANSOMWARE] Deadbolt

Post by pofjybkh »

QNAPDanielFL wrote: Thu Jan 27, 2022 2:02 am I am sorry for not responding yesterday. This all happened while I was taking a sick day so I was not very active on the forums.

I hope to have more to say soon.

We are also testing on our end. But I want to ask for user experience if people find the snapshots are deleted or if they can recover from snapshots?
Does running programs like PhotoRec allow for recovering files, (though without file structure)?

I saw a reference to the 7z log trick and I was not sure what that is. Does anyone know?
"I powered-off mine as soon as I noticed, so I only lost a few files, but this way I lost the option of doing the 7z log trick."

We are working on figuring out a better solution on our end. But if you have information you think I should share with the PSIRT team, please let me know.

If you have questions you would like me to ask the PSIRT team, please let me know.
If the attack is still running, you can replace the 7z binary with a script that, instead of compressing files, just logs the parameters that were used to call it to a log file; this way you can extract the encryption password (from here https://www.bleepingcomputer.com/forums ... -nas-hack/)
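A minimal logging stand-in for the 7z binary of the kind this post describes, added here as an example (it is not code from the post or from the linked BleepingComputer thread). REAL_BIN and LOG_PATH are assumed paths, the '-p{password}' parsing follows 7-Zip's switch syntax, and the trick only applies if the encryptor actually calls out to the 7z binary, which this thread does not confirm for Deadbolt.

```python
#!/usr/bin/env python3
"""Logging stand-in for the 7z binary (added example; paths are assumptions).

Installed under the name of the real binary, it appends each invocation's
argument vector to a log file and then hands control to the real binary
under the original name, so the caller sees unchanged behaviour.
"""
import json
import os
import sys
import time

REAL_BIN = "/tmp/7z.real"        # assumption: where the original binary was moved
LOG_PATH = "/tmp/7z-calls.log"   # assumption: where invocations are recorded


def format_invocation(argv, ts=None):
    """Render one invocation as a JSON line (timestamp + full argv)."""
    return json.dumps({"ts": time.time() if ts is None else ts, "argv": list(argv)})


def record_invocation(argv, log_path=LOG_PATH):
    """Append the invocation to the log; return the line written."""
    line = format_invocation(argv)
    with open(log_path, "a") as fh:
        fh.write(line + "\n")
    return line


def passwords_from_lines(lines):
    """Extract the values of 7-Zip '-p{password}' switches from logged lines.

    A bare '-p' (interactive prompt) carries no value and is skipped; anything
    after '--' is a file name, not a switch."""
    found = []
    for line in lines:
        argv = json.loads(line)["argv"]
        for arg in argv[1:]:
            if arg == "--":
                break
            if arg.startswith("-p") and len(arg) > 2:
                found.append(arg[2:])
    return found


if __name__ == "__main__":
    record_invocation(sys.argv)
    # Replace this process with the real binary, argv unchanged.
    os.execv(REAL_BIN, sys.argv)
```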
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

is deadbolt using 7z as well ?
pofjybkh
New here
Posts: 3
Joined: Tue Nov 21, 2017 12:20 am

Re: [RANSOMWARE] Deadbolt

Post by pofjybkh »

dolbyman wrote: Thu Jan 27, 2022 3:53 am is deadbolt using 7z as well ?
I can't really say, but that would have been a way to know for sure
Theliel
Know my way around
Posts: 124
Joined: Tue Jun 12, 2018 4:52 am

Re: [RANSOMWARE] Deadbolt

Post by Theliel »

As I have said many times. There is no zero risk in any system or software. In CVE terms, Synology is more vulnerable.

The really important thing here is to know two fundamental questions:

1. Has anyone been infected while having the NAS on the latest firmware? The latest released version is at least a month old. If the security bulletin released by QNAP is true (I guess it's still under investigation), it's not a 0-day exploit, because the latest version is not affected.
2. Which service has been affected? Obviously exposing everything by UPnP is outrageous, and default ports are an even greater risk.

From what has been discussed in the thread so far, no one with the NAS running the latest version has been infected, at least for now. We have a report of a user using firmware 1870 that has been compromised, no one with 1891+.

Regarding the affected service, another user has been affected without UPnP, but he had the known ports 8080, 21, 80, 443 and 3389 mapped. We can rule out 3389. I highly doubt it was FTP. So it is most likely that the vulnerability was taking advantage of a bug in the main NAS service (by default 8080/443). It could also be the web server (not the administration part).

The more data affected users can give us, the faster we can be clear about the attack vector, and therefore the real solution.

-------------

I still strongly recommend NEVER to use the known ports (by default), and in case of exposing the NAS, expose only the really necessary services (no upnp). And of course having the software (both system and applications) always updated is the most imperative. I would also like to remind you that the QuFirewall application is available to everyone, and if configured correctly, the risk of any kind of attacks of this type (which are indiscriminate, without a specific objective) is practically zero.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

chumbo wrote: Thu Jan 27, 2022 2:42 am Let me put it very plain and simple as to why I think QNAP should pay the ransom (unless they can come up with another solution to restore user files). If they don't, I will! Because those files are REALLY important to me. And that's plain unfair for me the innocent end-user who put my trust in a company's product which promises me the security of my files, to have to pay to get those files back because the company failed to secure them!
And that's really the key issue here...QNAP failed to secure their NASes! It's blatantly obvious if you google and compare the sheer number of attacks on QNAP NASes when compared to Synology.

And I don't think that in the big scheme of things, this is going to bring down worldwide security and finance even more sophisticated attacks. The hackers will probably blow it on whatever luxury tickles them and move on to the next easiest hack ...a QNAP ransomware for instance?
Sorry to say, but you are wrong!
QNAP is not the culprit, only you are! You put your NAS on the internet unsecured! You did not take any action, even though you were warned a couple of months ago.
If you are buying a car, do you need advice like "do not drive at 100mph into a wall"?
The problem here is that a majority of users are not aware of the risks when connecting their devices to the internet.
This is not only affecting NAS devices, but all devices which are connected to the internet.

And I agree, never ever pay such criminals only a single buck!

Once again sorry, but this is also a mistake by a majority of users: they often think "hey, it's a NAS, my data is secure". And this is also wrong: a NAS can break down, not only a single drive (that is what RAID is for), but the complete NAS can fail. Therefore an up-to-date and periodic backup strategy is mandatory.
This is also what most users are not aware of!

Another thought on what may happen if you pay the hacker: how can you be sure that the malware did not create a backdoor in your system?
It could be very easy for him to prepare the next assault on your system!
The only solution is to wipe all drives and start from scratch!
And do not forget to investigate the rest of your LAN for any other compromised device!
Professional help is a good choice.

Regards
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

Theliel wrote: Thu Jan 27, 2022 4:19 am As I have said many times. There is no zero risk in any system or Software. In CVE terms, Synology its more vulnerable.
Not at all. CVE entries just mean that Synology is more transparent.

Look at a lot of the release notes for QNAP updates; they just contain "security fix". This means that QNAP is being opaque about the vulnerabilities in QTS and what the fixes are.
QuFirewall application is available to everyone, and if configured correctly, the risk of any kind of attacks of this type (which are indiscriminate, without a specific objective) is practically zero.
So much wow! The risk *is not* practically zero if the NAS is accessible from the Internet, even with QuFirewall enabled. Smh. :roll:

I'm trying to get my hands on a used TS-670 that I can hang off one of my static IPs and see if it gets compromised - hopefully it will.
jswain
New here
Posts: 9
Joined: Tue Jul 05, 2016 5:32 pm

Re: [RANSOMWARE] Deadbolt

Post by jswain »

I just reset my NAS to factory settings (reinitialize so it wipes everything) and after switching on it still has the deadbolt message!
Theliel
Know my way around
Posts: 124
Joined: Tue Jun 12, 2018 4:52 am

Re: [RANSOMWARE] Deadbolt

Post by Theliel »

jaysona wrote: Thu Jan 27, 2022 4:29 am
Not at all. CVE entries just mean that Synology is more transparent.

CVEs are not only reported by those involved, obviously. These can be reported by essentially any security company, large companies... and even private investigators can carry out the reporting process. This is done precisely to prevent the affected company itself from manipulating the data.

jaysona wrote: Thu Jan 27, 2022 4:29 am
So much wow! The risk *is not* practically zero if the NAS is accessible from the Internet, even with QuFirewall enabled. Smh. :roll:

Avoiding a targeted attack is almost impossible, they will always be able to find a place to sneak in no matter how secure the system is. But this is the last concern for an "individual" user, even for the vast majority of small businesses. I have been in the world of computer security for many years, and I have never seen a device affected by massive attacks of this type (without a particular objective) that complied with the security measures recommended by experts in the field. Obviously by exploit; whether the infection was due directly or indirectly to social engineering is another matter.

Out of curiosity, I have set up a Honeypot, to see if I am lucky and I can catch something.