[RANSOMWARE] >>READ 1st Post<< Deadbolt
-
- Starting out
- Posts: 15
- Joined: Thu Jan 27, 2022 2:15 am
Re: [RANSOMWARE] Deadbolt
I've decided to pay the ransom. I know that's not how we should deal with this kind of situation, but I have no choice, the information that I had is essential. Unfortunately, it's a hard-learned lesson.
I'll let you know how it goes.
After it decrypts the files, I'll copy them to another HDD and then deal with the NAS and the NAS HDDs (while keeping the NAS disconnected from the internet).
After this, I'll come back and ask for advice on how to protect & back up my NAS.
-
- First post
- Posts: 1
- Joined: Fri Jan 28, 2022 1:01 am
Re: [RANSOMWARE] Deadbolt
Hello, I had the same issue with my Media Composer, so I contacted my regional support. He said that he could “exceptionally” help me by making some changes in my Avid settings. It did work for some days, but after that my QNAP NAS automatically logged out and then I faced the same problem again. After contacting him for the second time he said that that was the only way, and now if I'm willing to proceed with my project using Avid Media Composer the only available solution is to replace my QNAP NAS with Avid Nexis.
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
What .. I think you are in the wrong thread here .. this is about malware infections of the NAS, not program issues with your NLVE
Davinvi wrote: ↑Fri Jan 28, 2022 1:08 am
Hello, I had the same issue with my Media Composer, so I contacted my regional support. He said that he could “exceptionally” help me by making some changes in my Avid settings. It did work for some days, but after that my QNAP NAS automatically logged out and then I faced the same problem again. After contacting him for the second time he said that that was the only way, and now if I'm willing to proceed with my project using Avid Media Composer the only available solution is to replace my QNAP NAS with Avid Nexis.
-
- New here
- Posts: 5
- Joined: Wed Aug 01, 2018 8:23 am
Re: [RANSOMWARE] Deadbolt
Does anyone have a confirmed attack on units running any kind of 4.x QTS?
We've had one running a nearly-current 5.x OS compromised, but yet another one on 4.x did not.
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Pretty sure I have seen 4.5.x infection notices.
kspsystems wrote: ↑Fri Jan 28, 2022 1:55 am
We've had one running a nearly-current 5.x OS compromised, but yet another one on 4.x did not.
Question is how these systems you mention were exposed:
Different public IPs?
Different forwarded ports (one with a default, one with a non-default port)?
Reverse proxy for different directly exposed units via FQDN?
-
- New here
- Posts: 5
- Joined: Wed Jan 26, 2022 8:39 am
Re: [RANSOMWARE] Deadbolt
dolbyman wrote: ↑Fri Jan 28, 2022 1:58 am
Pretty sure I have seen 4.5.x infection notices.
kspsystems wrote: ↑Fri Jan 28, 2022 1:55 am
We've had one running a nearly-current 5.x OS compromised, but yet another one on 4.x did not.
Question is how these systems you mention were exposed:
Different public IPs?
Different forwarded ports (one with a default, one with a non-default port)?
Reverse proxy for different directly exposed units via FQDN?
I was running 4.5x and was infected. I did have UPnP enabled on my router and on the NAS, and a Plex port forwarded. I have since disabled UPnP on both. Live and learn, I guess. Now just waiting on instructions on how to reset the machine, since the factory reset option doesn't remove the malware.
Hardware: TS-653A
-
- New here
- Posts: 5
- Joined: Wed Aug 01, 2018 8:23 am
Re: [RANSOMWARE] Deadbolt
Thanks for the info. Both were set up in similar ways using default ports with SSL enforced for the web connections, but they had different public IPs and were behind different types of firewalls. Might have just been luck.
dolbyman wrote: ↑Fri Jan 28, 2022 1:58 am
Pretty sure I have seen 4.5.x infection notices.
kspsystems wrote: ↑Fri Jan 28, 2022 1:55 am
We've had one running a nearly-current 5.x OS compromised, but yet another one on 4.x did not.
Question is how these systems you mention were exposed:
Different public IPs?
Different forwarded ports (one with a default, one with a non-default port)?
Reverse proxy for different directly exposed units via FQDN?
We manage a pretty good amount of these units and for the most part they are not accessible from the outside world, but these two had use cases where they had to be. Just annoying to have to rebuild and restore from backups now.
Does anyone know where the attacks originated from? Specific IP ranges or geographical locations, etc?
-
- Know my way around
- Posts: 124
- Joined: Tue Jun 12, 2018 4:52 am
Re: [RANSOMWARE] Deadbolt
Well, that does imply that they could be using a 0-day exploit after all. Another option would be an exploit launched on the administration area, but toward a specific application. This has already happened with HBS, so the exploit would not go against the firmware itself, but against an app.
According to reports from other users, the service affected (by discarding) is the administration of the NAS, either directly against the NAS itself or towards any of its apps. On what port did you have it exposed? Did you use the default ports 8080/443? Could it be accessed by both HTTP and HTTPS?
I have had a honeypot mounted for more than 24 hours to hunt it, the more I can delimit it, the more possibilities I would have. I have to start analyzing all the data.
-
- New here
- Posts: 8
- Joined: Mon Jan 10, 2022 11:15 pm
TO RECAP :: How this Exploit Works ...
So that I understand how this exploit was accomplished:
1. NAS users have an open port to the internet (e.g. their router is port forwarding to the NAS on port 8080 or 443)
2. HBS Backup v3 is installed (one's QTS OS version doesn't matter, only that HBS Backup v3 is installed)
3. The exploiter is able to connect through the open NAS port (e.g. port 8080 thanks to port forwarding)
4. Using hardcoded credentials within HBS they gain access to the NAS as an administrator
5. The exploiter begins running an encryption program on every single file on the NAS
Is the above correct?
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
1. correct
2. actual vector is unknown
3. correct
4. that was two malware infections ago, current vector is unknown
5. correct
-
- First post
- Posts: 1
- Joined: Fri Jan 28, 2022 2:55 am
Re: [RANSOMWARE] Deadbolt
QNAP THEN: Buy our products, they are great for remote and cloud use...
QNAP NOW: OMG ARE YOU KIDDING? YOU CONNECTED IT TO THE WEB!?!?
What a joke. I hope it is a 0-day and this company is too cheap to pay and goes out of business. I don't have much money and losing $1000 to some bitcoin is going to make me probably kill myself at this rate. Thanks QNAP, I'll give you a mention in my suicide note.
-
- Experience counts
- Posts: 1374
- Joined: Mon Nov 21, 2016 12:55 am
- Location: Orlando, FL.
- Contact:
Re: [RANSOMWARE] Deadbolt
Exactly what are you talking about? This has nothing to do with Deadbolt. QNAP works perfectly fine with AVID Media Composer. I do nothing but video editing systems with QNAP and Synology products, and if this is set up correctly, there are no issues. Who on earth is your "regional support" - support from who? AVID? An AVID dealer? This is absolute nonsense. You don't need an AVID Nexis. But Deadbolt is a real problem.
Davinvi wrote: ↑Fri Jan 28, 2022 1:08 am
Hello, I had the same issue with my Media Composer, so I contacted my regional support. He said that he could “exceptionally” help me by making some changes in my Avid settings. It did work for some days, but after that my QNAP NAS automatically logged out and then I faced the same problem again. After contacting him for the second time he said that that was the only way, and now if I'm willing to proceed with my project using Avid Media Composer the only available solution is to replace my QNAP NAS with Avid Nexis.
bobzelin@icloud.com
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com
- OneCD
- Guru
- Posts: 12039
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] Deadbolt
I'm surprised no-one has mentioned a class-action lawsuit yet (whoops, just mentioned it). It's usually one of the first things suggested when a malware campaign begins.
-
- New here
- Posts: 2
- Joined: Wed Sep 15, 2021 7:51 am
Re: [RANSOMWARE] Deadbolt
While pulling the NAS offline is the best defense, I wonder based on what has been learned if there would be value/peace of mind if a shell script expert could create a script that could monitor for the random file being added to /MNT/HDA_ROOT and immediately kill it/delete it if discovered?
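A poll-based watcher along the lines of the script asked for above, as an added example that is not from this thread or from QNAP. It assumes /mnt/HDA_ROOT as the watched path (override with WATCH_DIR) and busybox sh as shipped on QTS, and it logs new entries with a timestamp rather than deleting anything, so a false positive on a legitimate file costs nothing.

```shell
#!/bin/sh
# Added example, not from this thread: poll a directory (default /mnt/HDA_ROOT,
# an assumed path) for entries that were not there a moment ago and log them.
# Written for busybox sh as found on QTS; it reports, it does not delete.

WATCH_DIR="${WATCH_DIR:-/mnt/HDA_ROOT}"     # directory to watch (assumption)
LOG_FILE="${LOG_FILE:-/tmp/hda_root_watch.log}"
INTERVAL="${INTERVAL:-5}"                    # seconds between polls

# Sorted one-per-line listing (dotfiles included) so two snapshots diff cleanly.
snapshot_dir() {
    ls -1A "$1" 2>/dev/null | sort
}

# Print names present in the current listing ($2) but absent from the previous
# one ($1); both are newline-separated strings from snapshot_dir.
new_entries() {
    printf '%s\n' "$2" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$1" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# One poll: log every new entry with a timestamp, then emit the current listing
# so the caller can use it as the baseline for the next poll.
check_once() {
    prev="$1"
    cur=$(snapshot_dir "$WATCH_DIR")
    new_entries "$prev" "$cur" | while IFS= read -r name; do
        printf '%s NEW %s/%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
            "$WATCH_DIR" "$name" >> "$LOG_FILE"
    done
    printf '%s\n' "$cur"
}

# Take a baseline, then keep polling; run as admin so /mnt/HDA_ROOT is readable.
watch_loop() {
    baseline=$(snapshot_dir "$WATCH_DIR")
    while :; do
        sleep "$INTERVAL"
        baseline=$(check_once "$baseline")
    done
}

# Only start the loop when explicitly asked, so the functions can be sourced.
if [ "${WATCH_RUN:-0}" = "1" ]; then
    watch_loop
fi
```

Start it with `WATCH_RUN=1 sh watch.sh &` and tail the log file; anything that appears in the log between polls is a candidate for a closer look, and the same functions can be pointed at any other directory by changing WATCH_DIR.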
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Why bother? .. how about not forwarding ports to your NAS? .. How difficult is this to follow?
millercentral wrote: ↑Fri Jan 28, 2022 3:28 am
While pulling the NAS offline is the best defense, I wonder based on what has been learned if there would be value/peace of mind if a shell script expert could create a script that could monitor for the random file being added to /MNT/HDA_ROOT and immediately kill it/delete it if discovered?