[RANSOMWARE] >>READ 1st Post<< Deadbolt

banesto2
New here
Posts: 5
Joined: Wed Dec 12, 2018 7:11 pm

Re: [RANSOMWARE] Deadbolt

Post by banesto2 »

domanm wrote: Fri Jan 28, 2022 5:52 am
I had the opportunity to analyse the operation of this ransomware a bit, so I will be happy to share some information; maybe it will be useful to someone.
The attack looks like this: an encryption program whose name is a number (e.g. /mnt/HDA_ROOT/18136) is loaded into the directory /mnt/HDA_ROOT/. You will see a process with this name in the process list; if you have SSH access to the shell you will be able to see it with ps or top, and if you only have a browser, in the resource monitor.
(attachment: process.png)
If you can see other files with a number in the name in this directory, it is probably a configuration file for the encryption program, and it contains additional information, including information about the password or the password that encrypts the files.
If you've already shut down the server, you've already stopped the encryption, and after turning it on, DeadBolt won't do anything else.

A separate element of the attack is the replacement of the /home/httpd/index.html file. This file is responsible for displaying the encryption message and blocks access to the server via the browser, additionally it executes scripts to decrypt the disk, but you need to know the 32-character decryption key. The program /mnt/HDA_ROOT/18136 is required for decryption. So we can't delete it if we want to decrypt the server.
There is one more /mnt/HDA_ROOT/update_pkg/SDDPd program that generates and replaces the index.html file on your server.
Below is a dump from the file /home/httpd/index.html
(attachment: index.png)

In order to enter the server through the browser without the message about the server encryption being displayed, it is enough to add /cgi-bin/ to the URL,
e.g. https://192.168.1.100/cgi-bin/

What to do (I assume you have shell access via SSH as admin):
1. If encryption is still in progress, view the running process:
ps | grep HDA_ROOT
2. Preview the contents of the /mnt/HDA_ROOT/ directory and find files with a number in the name on the list:
ls -al /mnt/HDA_ROOT/
If there is also a file that was given as an argument after the -e parameter, be sure to copy or view it (there may be a password).
3. If the process is still running and we do not have a password, it is worth searching the files of this process in /proc/PID, where PID is the process identifier from point 1.
4. Stop the process (if you don't want to mess with setting a password, you can start right from this point):
kill -9 PID
where PID is the process number.
5. Restore normal access to the server via the browser, i.e. restore the original file /home/httpd/index.html:
mv /home/httpd/index.html.bak /home/httpd/index.html
DeadBolt leaves the original file with a .bak extension, so there is no problem with restoring it.
6. You can delete all malicious files (but it is worth saving them somewhere on the side).
Some files have an additional non-deletable (immutable) attribute and must be unlocked first:
chattr -i /mnt/HDA_ROOT/18136
rm /mnt/HDA_ROOT/18136

chattr -i /mnt/HDA_ROOT/update_pkg/SDDPd.bin
rm /mnt/HDA_ROOT/update_pkg/SDDPd.bin

chattr -i /mnt/HDA_ROOT/update_pkg/.SDDPdrequired
rm /mnt/HDA_ROOT/update_pkg/.SDDPdrequired

7. Restart the QNAP.

By the way, I have a question: do you have VPN PPTP enabled on your servers?
I have a strong suspicion that there is a software vulnerability there and that a session is being established without proper authorization.
I am monitoring the server and I have evidence that foreign addresses established sessions with my server and then entered the server as random users.

If in fact all attacked servers had VPN PPTP enabled, the problem is with this service, not with access via www, myQNAPcloud or HBS 3.
Is anyone able to confirm that when you shut down the NAS and then turn it on, the encryption will not continue? I was also infected on Tuesday and my NAS is turned off.
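A triage helper that follows the steps quoted above, added here as an example; it is not code from the post or from QNAP. The root, httpd, proc and quarantine directories are parameters so it can be exercised on a copied or constructed tree, and the live-NAS paths named in the comments are assumptions.

```shell
#!/bin/sh
# Triage helper following the steps quoted above. Not code from the post or
# from QNAP; paths are parameters so it can be exercised on a copied or
# constructed tree. On a live NAS the arguments would be /mnt/HDA_ROOT,
# /home/httpd, /proc and a quarantine directory (assumed names).

# Files in ROOT whose name is purely numeric: the post describes the encryptor
# and its companion config file by such names (e.g. /mnt/HDA_ROOT/18136).
find_numeric_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            ''|*[!0-9]*) ;;                 # contains a non-digit: skip
            *) echo "$f" ;;
        esac
    done
}

# PIDs whose command line starts with a file under ROOT, read from PROC so a
# constructed proc tree can stand in for /proc. Prints "PID argv..." per line.
find_encryptor_pids() {
    proc="$1"; root="$2"
    for c in "$proc"/[0-9]*/cmdline; do
        [ -r "$c" ] || continue
        cmd=$(tr '\0' ' ' < "$c" 2>/dev/null) || continue
        case "$cmd" in
            "$root"/*) pid=${c#"$proc"/}; echo "${pid%/cmdline} ${cmd% }" ;;
        esac
    done
}

# Put the original web UI back: the post says DeadBolt leaves the genuine
# index.html beside its replacement as index.html.bak.
restore_index() {
    [ -f "$1/index.html.bak" ] || return 1
    mv -f "$1/index.html.bak" "$1/index.html"
}

# Quarantine instead of plain deletion (the post notes the encryptor is still
# needed for decryption): copy aside, clear the immutable flag, remove.
quarantine_file() {
    f="$1"; q="$2"
    mkdir -p "$q" && cp -p "$f" "$q/" || return 1
    chattr -i "$f" 2>/dev/null || true      # chattr may be absent on a test box
    rm -f "$f"
}

# Full run: report, restore the UI, quarantine numeric files and SDDPd.bin.
triage() {
    root="$1"; httpd="$2"; proc="$3"; q="$4"
    echo "== processes started from $root =="; find_encryptor_pids "$proc" "$root"
    echo "== numeric files in $root =="; find_numeric_files "$root"
    restore_index "$httpd" && echo "index.html restored from .bak"
    for f in $(find_numeric_files "$root") "$root/update_pkg/SDDPd.bin"; do
        [ -f "$f" ] && quarantine_file "$f" "$q" && echo "quarantined $f"
    done
    echo "done"
}

# On the NAS: sh deadbolt_triage.sh /mnt/HDA_ROOT /home/httpd /proc /share/quarantine
if [ "$#" -eq 4 ]; then triage "$@"; fi
```

Run it with the four directories as arguments; with no arguments it only defines the functions, so the individual checks can be sourced and run one at a time.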
dolbyman
Guru
Posts: 35032
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Just because someone says it doesn't make this true .. you fell for false advertisement and now you make up stuff.

We had this discussion many times over the last few years, where QNAP NAS were plagued with malware ... get those things out of the web and save the tears.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [RANSOMWARE] Deadbolt

Post by FSC830 »

FSC830 wrote: Fri Jan 28, 2022 5:54 pm
I am using 8 QNAP devices (3 of them are OEM); the oldest has been in service for about 10(?) years.
None of these NAS have ever been infected by any malware.
But to be honest: I use these devices as NAS, and not as a one-for-all highly sophisticated server.
I have never used services/apps like myqnapcloud, photo-station, download-station or anything else. My network is secured (hopefully) by a dedicated firewall/router. The latest NAS, a TS-473A with QTS 5.0.0.1891, does not use QuFirewall or QVPN.
None of the NAS are exposed in any way to the internet!

So QNAP can be safe to use; it depends on the services and configuration you are using!

Regards
I quote myself and add: of course I do access and sync with my NAS and network when I am not at home: via VPN!
So QNAP's ad is not wrong at all, but you have to take additional steps to be secure!
After years and waves of malware attacks, which have been published in several kinds of media, this should make all QNAP NAS users aware and wake them up.
But I am afraid, we will continue discussing the same topics when the next wave is on the way... :(

Regards
Ezelmannen
New here
Posts: 4
Joined: Thu Feb 19, 2015 1:03 am

Re: [RANSOMWARE] Deadbolt

Post by Ezelmannen »

I've seen no official responses from QNAP about how their investigation is going on 'Finding the Attack Vector' and 'Patching the hole for the Attack Vector'.
This is their official forum. I see nothing here.
Their Twitter is just spouting advertisements: https://twitter.com/qnap_nas
Their Facebook is just spouting advertisements, as late as frikkin yesterday: https://www.facebook.com/qnapnorden/?br ... 3248846784

I mean, if anything similar were to happen to, for instance, Microsoft's 365 services, then this Twitter would NOT be silent! https://mobile.twitter.com/msft365status?lang=en

Am I expecting too much of them to be very active during an event like this and keep their customers informed?
Or am I looking at the wrong channels?
dolbyman
Guru
Posts: 35032
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Ezelmannen wrote: Sat Jan 29, 2022 5:31 am
Am I expecting too much of them to be very active during an event like this and keep their customers informed?
Or am I looking at the wrong channels?
They behave the same way as the last half dozen times this happened ... nothing new

Has to do with losing face when admitting fault (Asian thing)
Theliel
Know my way around
Posts: 124
Joined: Tue Jun 12, 2018 4:52 am

Re: [RANSOMWARE] Deadbolt

Post by Theliel »

pedroa wrote: Sat Jan 29, 2022 4:00 am
Wait... so what you are saying is that a NAS is basically... a shared external USB drive with a network cable? :lol:
It is a conversation that we have had many times, and depending on who you ask they may have one opinion or another. Is there zero risk? No. No system is invulnerable. Even those who say that the "solution" is accessing by VPN: that is also in itself a risk, since at the end of the VPN server is a piece of software, and therefore susceptible to containing security problems that could potentially allow a hacker to sneak into the local network. Whoever does this is assuming said risk in exchange for the benefit of being able to access (in one way or another) the NAS. It's exactly the same. It could even be much more dangerous, because if they managed to sneak into the local network, not only the NAS would be exposed.

On the one hand we advise that a NAS should be disconnected from the Internet to be "safe", but on the other hand all those present here (me too) expose a large number of other devices to the Internet? It makes no sense!! Our mobile has WiFi / data that keeps it connected 24/7 and holds many of our accounts (including VPN credentials in many cases). Our desktop and laptop equipment? The same. IoT devices, the router itself, the TV ... Rare is the month in which a remote code execution exploit does not appear in some browser!!

The only thing that happens is that we accept a risk, weighing the potential danger that exists against usability / advantages. Even where the NAS is completely isolated from the Internet and can only be accessed from the local network, it is also vulnerable. An exploit in the router could allow remote access, and a hacker could therefore access the local network. Or malware on a device in the local network could find the NAS and infect it (ask the many companies to which that happened with WannaCry and the SMB catastrophe).

The really important thing is not whether the NAS is connected to the Internet or not. The really important thing is to always know the risks that exposing any device brings (mobile, NAS, PCs, IoT ...), to know the measures necessary to minimize the risk (zero risk does not exist, never), and to make the decision. It is crazy to expose any device (be it a NAS or any other device) to the Internet without knowing that it is being done and knowing how to take the necessary measures. I agree with that. In the same way, knowing the risks and taking appropriate measures to minimize them as much as possible allows you to enjoy a huge amount of benefits, services and so on, which are what we usually want when we acquire a device. In the end, what good would a smart TV be to us if we did not connect it to the Internet? And we can think the same of our phone!

The decision in the end has to be made by each one, assessing risks and benefits. I would never recommend anyone to expose a device to the Internet if they did not minimally know the risks and the ways of protecting themselves. The best defense against any infection, an exploit or any kind of malware, is a good education in computer security. If applied correctly, the risk that any device exposed to the Internet can be compromised is minimal. The best proof of this is that although unfortunately many users have been affected by this malware or other previous ones, many, many others have not even learned that something was happening. Many because the "noise" of the Internet has not been directed towards them, of course, but many others because they had done their job well.

I'm not calling anyone out, on the contrary. I understand that it is a very broad and complicated matter in many aspects, and that for many it is suddenly finding a reality that they did not have any idea even existed.
Last edited by Theliel on Sat Jan 29, 2022 5:50 am, edited 1 time in total.
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: [RANSOMWARE] Deadbolt

Post by darcon »

I'm new to QNAP, and I'm just curious if they have ever said it was okay to open the admin port to the internet? I know they don't recommend it now, just wondering if that's a new thing. I believe a lot of this is just QNAP being slow to adjust to the ever changing security landscape, and their customers are paying the price.

I do have a degree in CS and was not affected by this attack. I knew from experience what was a good idea and what wasn't. Most people aren't in IT and don't deal with cybersecurity on a daily basis. They rely on QNAP for that, and QNAP is failing.

I expose services (Nextcloud, Plex, WireGuard) on my Unraid NAS. I leverage a reverse proxy, LE, proxy everything through Cloudflare, which does my geoblock/WAF/misc traffic rules, and sandboxed containers. Just to show how safe I feel this setup is: I use my QNAP (LAN only) for daily scheduled backups, also have a few big external HDDs that I manually plug in for weekly backups, and finally I back up to tape once every month or so. This is excessive; the gear was free for me, so why not. Backing up your data to external hard drive(s) is sufficient. This is not trivial to set up (or maintain), but it shows what needs to be done to keep your data safe. Now, if my house gets hit by a tornado I'm screwed, but I'll take that risk. I have never had an issue with exposing these services; I won't be surprised if it happens though.
Last edited by darcon on Sat Jan 29, 2022 6:22 am, edited 6 times in total.
Ninecows80
Starting out
Posts: 33
Joined: Sat Nov 20, 2021 2:23 am

Re: [RANSOMWARE] Deadbolt

Post by Ninecows80 »

dolbyman wrote: Sat Jan 29, 2022 4:59 am
Just because someone says it doesn't make this true .. you fell for false advertisement and now you make up stuff.

We had this discussion many times over the last few years, where QNAP NAS were plagued with malware ... get those things out of the web and save the tears.
No sir. You and other people here had this discussion. Here. On this forum. The regular non-pro home users who just need remote access to files and don’t check this forum regularly have not been warned. Neither do I log in to the Qnap regularly. It’s a box in the basement. It stores movies and music. I only log on to the admin part of it if there’s something wrong. If I log on and there’s an update I will update. But I don’t log into it on a daily basis to check for updates. I believe it was updated last time in December. We’re not talking months or years of neglecting updates. I use the Qapps on my phone. And not even on a daily basis. Imagine if Qmanager gave me a notification that a critical update was recommended? Or warned that a security breach was found and I should turn off service xyz or port xyz ASAP? But no. It had two days to encrypt my files without any pro-active warning from Qnap. And it seems like it did so.

Ordinary people use the advertised services and functions. Qnap failed on that promise. Neither did they advise me to check this forum on a daily basis. Now they have a lot of clean up to do. Don’t blame users for that.

Not blaming the individual tech-guy at qnap. I’m pretty certain they’re going through hell now and I hope/trust they will find a good solution. I’m blaming management and marketing at qnap for over promising and under delivering. Can’t defend that.

My box is completely turned off now. Don’t even know how to access it without it being on the internet. It’s normally plugged into my router.
darcon
Starting out
Posts: 11
Joined: Wed Jan 26, 2022 5:59 am

Re: [RANSOMWARE] Deadbolt

Post by darcon »

Ninecows80 wrote: Sat Jan 29, 2022 5:59 am My box is completely turned off now. Don’t even know how to access it without it being on the internet. It’s normally plugged into my router.
If you have a static IP set just change the default gateway to 0.0.0.0 (and DNS too if you want). This will allow you to access your NAS locally, but it will not have any access to the internet.
dolbyman
Guru
Posts: 35032
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Ninecows80 wrote: Sat Jan 29, 2022 5:59 am Not blaming the individual tech-guy at qnap. I’m pretty certain they’re going through ** now and I hope/trust they will find a good solution. I’m blaming management and marketing at qnap for over promising and under delivering. Can’t defend that.
Same thing they have been doing for years .. nothing .. (maybe making panic decisions like malware removal apps, dubious tips and features like admin disable, 2FA, etc.) .... after a while they will start advertising their NAS as great private cloud appliances again ... we had this several times before
Ninecows80 wrote: Sat Jan 29, 2022 5:59 am
My box is completely turned off now. Don’t even know how to access it without it being on the internet. It’s normally plugged into my router.
Having a NAS connected to your router has nothing to do with "accessing it from the internet"; requests within your own subnet never make it to the NAT layer (or require any sort of NAT traversal in return).
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] Deadbolt

Post by QNAPDanielFL »

banesto2 wrote: Sat Jan 29, 2022 4:57 am
Is anyone able to confirm that when you shut down the NAS and then turn it on, the encryption will not continue? I was also infected on Tuesday and my NAS is turned off.
The encryption should not continue if you turn the NAS back on after it has been turned off.
Ninecows80
Starting out
Posts: 33
Joined: Sat Nov 20, 2021 2:23 am

Re: [RANSOMWARE] Deadbolt

Post by Ninecows80 »

Well… thanks for the advice, but that just shows the gap between the average home user's knowledge and what is really needed to keep a NAS somewhat secure. Qnap might as well sell cars, claiming they’re so safe that a 5 yo could drive them.

In my simple world I have my ISP-provided router set up in bridge mode, further connected to my Google mesh thingy that would then act as router. The NAS is then connected with a LAN cable to the Google mesh’s single LAN port. For lack of more LAN ports I then had the NAS serving as a virtual switch for a few cabled devices including my iMac.

I guess I need to access it to stop DeadBolt, but then it has a physical connection to the internet? Do I change the Google mesh router's LAN IP to 0.0.0.0? Or the DHCP stuff?
dolbyman
Guru
Posts: 35032
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Ninecows80 wrote: Sat Jan 29, 2022 6:41 am
I guess I need to access it to stop DeadBolt, but then it has a physical connection to the internet? Do I change the Google mesh router's LAN IP to 0.0.0.0? Or the DHCP stuff?
That was probably a tip on how to prevent a NAS from "phoning out" to prevent things like automatic updates of apps and FW. But for an already infected NAS, that is too late .. that tip is not for that.

You already have the heart attack, tips about a healthy lifestyle will be good for the future (if there is any), but for now that won't help.
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

QNAPDanielFL wrote: Sat Jan 29, 2022 6:39 am The encryption should not continue if you turn the NAS back on after it has been turned off.
We haven't always agreed on security matters and I've come down hard on you from time to time but kudos for not hiding now but trying your best to help when it's really, really bad. I have great respect for that!
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] Deadbolt

Post by P3R »

Theliel wrote: Fri Jan 28, 2022 9:01 pm
Don't use myqnapcloud...
myQNAPcloud Link isn't the same as the myQNAPcloud DDNS service that you think it is. myQNAPcloud Link is cloud access to the Qnap, so it's a completely different service with a different attack surface. It's better than direct exposure but it isn't what I would recommend either, as it's Internet access to the NAS operated by Qnap.
With QuFirewall you can select your own country, so all international traffic will be dropped.
And that will be effective long-term because luckily the bad guys are too stupid to use a VPN service and also will absolutely never have access to global botnets that would allow them to attack natively from any country they wanted? You're only buying time...
To date, there have been no reports (of this particular attack or past ones) involving someone who had "hidden" their services.
No, why would anybody bother with finding the guys that rely on security-by-obscurity when there is still low-hanging fruit around to pick?

There's too much money in this criminal industry, as so many are willing to pay the ransom, for it to stop here. The criminals will continue even when it means they have to use a little more effort to get that money. When there aren't thousands of users on port 443 any more (and at this rate they disappear by the hour as they become infected), the criminals will adapt. They will use bots that search for and build databases of targets using non-default ports.

The difference between us is that you base your advice on what the criminals have done and do today. You still think that if you just hide a little you're safe. Qnap have tried to recommend that ostrich tactic as well...

Me and several other old-timers here have said that Qnap software isn't hardened enough to be directly exposed on the Internet since long before QSnatch (revealed late 2019 but started much earlier).

Your advice will probably buy users some months, maybe a year. It will give them hope that they can continue what they're doing and in the end it will lead to even more victims when that bubble bursts as well. Ooops!