[RANSOMWARE] >>READ 1st Post<< Deadbolt

Comy86
Starting out
Posts: 15
Joined: Thu Jan 27, 2022 2:15 am

Re: [RANSOMWARE] Deadbolt

Post by Comy86 »

I've decided to pay the ransom. I know that's not how we should deal with this kind of situation, but I have no choice; the information I had is essential. Unfortunately, it's a hard-learned lesson.
I'll let you know how it goes.
After it decrypts the files, I'll copy them to another HDD and then deal with the NAS and the NAS HDDs (while keeping the NAS disconnected from the internet).
After this, I'll come back and ask for advice on how to protect & back up my NAS.
Davinvi
First post
Posts: 1
Joined: Fri Jan 28, 2022 1:01 am

Re: [RANSOMWARE] Deadbolt

Post by Davinvi »

Hello, I had the same issue with my Media Composer, so I contacted my regional support. He said that he could “exceptionally” help me by making some changes in my Avid settings. It did work for some days, but after that my QNAP NAS automatically logged out and then I faced the same problem again. After contacting him for the second time he said that that was the only way, and now if I'm willing to proceed with my project using Avid Media Composer the only available solution is to replace my QNAP NAS with Avid Nexis.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Davinvi wrote: Fri Jan 28, 2022 1:08 am Hello, I had the same issue with my Media Composer, so I contacted my regional support. He said that he could “exceptionally” help me by making some changes in my Avid settings. It did work for some days, but after that my QNAP NAS automatically logged out and then I faced the same problem again. After contacting him for the second time he said that that was the only way, and now if I'm willing to proceed with my project using Avid Media Composer the only available solution is to replace my QNAP NAS with Avid Nexis.
What .. I think you are in the wrong thread here .. this is about malware infections of the NAS, not program issues with your NLVE.
kspsystems
New here
Posts: 5
Joined: Wed Aug 01, 2018 8:23 am

Re: [RANSOMWARE] Deadbolt

Post by kspsystems »

Does anyone have a confirmed attack on units running any kind of 4.x QTS?
We've had one running a nearly-current 5.x OS compromised, but yet another one on 4.x did not.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

kspsystems wrote: Fri Jan 28, 2022 1:55 am We've had one running a nearly-current 5.x OS compromised, but yet another one on 4.x did not.
Pretty sure I have seen 4.5.x infection notices.

Question is how these systems you mention were exposed.

Different public IPs?
Different forwarded ports (one with a default, one with a non-default port)?
Reverse proxy for different directly exposed units via FQDN?
Chadw1701a
New here
Posts: 5
Joined: Wed Jan 26, 2022 8:39 am

Re: [RANSOMWARE] Deadbolt

Post by Chadw1701a »

dolbyman wrote: Fri Jan 28, 2022 1:58 am
kspsystems wrote: Fri Jan 28, 2022 1:55 am We've had one running a nearly-current 5.x OS compromised, but yet another one on 4.x did not.
Pretty sure I have seen 4.5.x infection notices.

Question is how these systems you mention were exposed.

Different public IPs?
Different forwarded ports (one with a default, one with a non-default port)?
Reverse proxy for different directly exposed units via FQDN?

I was running 4.5.x and was infected. I did have UPnP enabled on my router and on the NAS, and a Plex port forwarded. I have since disabled UPnP on both. Live and learn, I guess. Now just waiting on instructions on how to reset the machine, since the factory reset option doesn't remove the malware.
Hardware: TS-653A
kspsystems
New here
Posts: 5
Joined: Wed Aug 01, 2018 8:23 am

Re: [RANSOMWARE] Deadbolt

Post by kspsystems »

dolbyman wrote: Fri Jan 28, 2022 1:58 am
kspsystems wrote: Fri Jan 28, 2022 1:55 am We've had one running a nearly-current 5.x OS compromised, but yet another one on 4.x did not.
Pretty sure I have seen 4.5.x infection notices.

Question is how these systems you mention were exposed.

Different public IPs?
Different forwarded ports (one with a default, one with a non-default port)?
Reverse proxy for different directly exposed units via FQDN?
Thanks for the info. Both were set up in similar ways, using default ports with SSL enforced for the web connections, but they had different public IPs and were behind different types of firewalls. Might have just been luck.
We manage a pretty good number of these units, and for the most part they are not accessible from the outside world, but these two had use cases where they had to be. Just annoying to have to rebuild and restore from backups now.

Does anyone know where the attacks originated from? Specific IP ranges or geographical locations, etc?
Theliel
Know my way around
Posts: 124
Joined: Tue Jun 12, 2018 4:52 am

Re: [RANSOMWARE] Deadbolt

Post by Theliel »

dgagnon wrote: Fri Jan 28, 2022 12:17 am Confirmed getting hit with deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3.
Well, that does imply that they could be using a 0-day exploit after all. Another option would be an exploit launched against the administration area, but toward a specific application. This has already happened with HBS, so the exploit would not go against the firmware itself, but against an app.

According to reports from other users, the service affected (by elimination) is the administration of the NAS, either directly against the NAS itself or towards any of its apps. On which port did you have it exposed? Did you use the default ports 8080/443? Could it be accessed by both HTTP and HTTPS?

I have had a honeypot set up for more than 24 hours to hunt it; the more I can narrow it down, the more possibilities I will have. I have to start analyzing all the data.
crosis999
New here
Posts: 8
Joined: Mon Jan 10, 2022 11:15 pm

TO RECAP :: How this Exploit Works ...

Post by crosis999 »

So that I understand how this exploit was accomplished:

1. NAS users have an open port to the internet (e.g. their router is port forwarding to the NAS on port 8080 or 443)
2. HBS Backup v3 is installed (one's QTS OS version doesn't matter, only that HBS Backup v3 is installed)
3. The exploiter is able to connect through the open NAS port (e.g. port 8080 thanks to port forwarding)
4. Using hardcoded credentials within HBS they gain access to the NAS as an administrator
5. The exploiter begins running an encryption program on every single file on the NAS

Is the above correct?
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

1. correct
2. actual vector is unknown
3. correct
4. that was two malware infections ago; current vector is unknown
5. correct
cylver
First post
Posts: 1
Joined: Fri Jan 28, 2022 2:55 am

Re: [RANSOMWARE] Deadbolt

Post by cylver »

QNAP THEN: Buy our products, they are great for remote and cloud use...


QNAP NOW: OMG ARE YOU KIDDING? YOU CONNECTED IT TO THE WEB!?!?

what a joke, I hope it is a 0 day and this company is too cheap to pay and go out of business. I don't have much money and losing $1000 to some bitcoin is going make me probably kill myself at this rate. Thanks QNAP, I'll give you a mention in my suicide note.
Bob Zelin
Experience counts
Posts: 1374
Joined: Mon Nov 21, 2016 12:55 am
Location: Orlando, FL.
Contact:

Re: [RANSOMWARE] Deadbolt

Post by Bob Zelin »

Davinvi wrote: Fri Jan 28, 2022 1:08 am Hello, I had the same issue with my Media Composer, so I contacted my regional support. He said that he could “exceptionally” help me by making some changes in my Avid settings. It did work for some days, but after that my QNAP NAS automatically logged out and then I faced the same problem again. After contacting him for the second time he said that that was the only way, and now if I'm willing to proceed with my project using Avid Media Composer the only available solution is to replace my QNAP NAS with Avid Nexis.
Exactly what are you talking about? This has nothing to do with Deadbolt. QNAP works perfectly fine with AVID Media Composer. I do nothing but video editing systems with QNAP and Synology products, and if this is set up correctly, there are no issues. Who on earth is your "regional support", support from whom? AVID? An AVID dealer? This is absolute nonsense. You don't need an AVID Nexis. But Deadbolt is a real problem.

bobzelin@icloud.com
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com
OneCD
Guru
Posts: 12039
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

cylver wrote: Fri Jan 28, 2022 3:00 am what a joke, I hope it is a 0 day and this company is too cheap to pay and go out of business.
I'm surprised no-one has mentioned a class-action lawsuit yet (whoops, just mentioned it). It's usually one of the first things suggested when a malware campaign begins. :DD

millercentral
New here
Posts: 2
Joined: Wed Sep 15, 2021 7:51 am

Re: [RANSOMWARE] Deadbolt

Post by millercentral »

While pulling the NAS offline is the best defense, I wonder, based on what has been learned, if there would be value/peace of mind if a shell script expert could create a script that could monitor for the random file being added to /MNT/HDA_ROOT and immediately kill/delete it if discovered?
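One way to build the kind of monitor asked about here, as an added example that is not code from this thread or from QNAP: a POSIX shell script that records a baseline listing of a directory and then polls for entries that appear afterwards, logging each one once with a timestamp. It deliberately logs rather than deletes, since an automatically removed file is also the evidence an incident responder needs to identify what ran. The watched path /MNT/HDA_ROOT is taken from the post and is assumed, not verified; the state directory, polling interval and the WATCH_RUN switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or from QNAP: poll a directory for entries
# that appear after a baseline was taken, and log them with a timestamp.
# WATCH_DIR defaults to the path named in the post; it is assumed, not verified.
WATCH_DIR="${WATCH_DIR:-/MNT/HDA_ROOT}"
STATE_DIR="${STATE_DIR:-/tmp/hda_watch}"   # assumed location for the baseline
INTERVAL="${INTERVAL:-5}"                  # seconds between polls (assumed)

# snapshot DIR OUTFILE: write a sorted listing of the entries directly under DIR.
snapshot() {
    dir=$1; out=$2
    # -1: one name per line; -A: include dotfiles, skip . and ..
    ls -1A "$dir" 2>/dev/null | LC_ALL=C sort > "$out"
}

# new_entries BASELINE DIR: print names present in DIR but absent from BASELINE.
new_entries() {
    base=$1; dir=$2
    cur=$(mktemp)
    snapshot "$dir" "$cur"
    # comm -13 keeps lines found only in the second (current) file
    LC_ALL=C comm -13 "$base" "$cur"
    rm -f "$cur"
}

# watch_loop: record a baseline once, then report anything new on each poll and
# re-baseline so every new entry is logged exactly once. It only logs; a person
# decides whether to isolate the NAS and preserve the file for analysis.
watch_loop() {
    mkdir -p "$STATE_DIR"
    baseline="$STATE_DIR/baseline"
    newlist="$STATE_DIR/new"
    snapshot "$WATCH_DIR" "$baseline"
    while :; do
        sleep "$INTERVAL"
        new_entries "$baseline" "$WATCH_DIR" > "$newlist"
        if [ -s "$newlist" ]; then
            while IFS= read -r name; do
                printf '%s NEW ENTRY in %s: %s\n' \
                    "$(date '+%Y-%m-%dT%H:%M:%S')" "$WATCH_DIR" "$name"
            done < "$newlist"
            snapshot "$WATCH_DIR" "$baseline"
        fi
    done
}

# Start the loop only when WATCH_RUN=1, so the functions can be sourced on
# their own (for example from a test) without starting the poll.
if [ "${WATCH_RUN:-0}" = 1 ]; then
    watch_loop
fi
```

Run it as `WATCH_RUN=1 sh watch.sh >> /path/to/watch.log` under a user that can read the directory. A listing-based poll like this catches a dropped file only after the fact and says nothing about how it got there, so it complements, rather than replaces, removing the port forwards and UPnP mappings that exposed the NAS in the first place.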
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

millercentral wrote: Fri Jan 28, 2022 3:28 am While pulling the NAS offline is the best defense, I wonder, based on what has been learned, if there would be value/peace of mind if a shell script expert could create a script that could monitor for the random file being added to /MNT/HDA_ROOT and immediately kill/delete it if discovered?
Why bother? .. how about not forwarding ports to your NAS ? .. How difficult is this to follow ?