[RANSOMWARE] >>READ 1st Post<< Deadbolt

jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

dolbyman wrote: Wed Aug 17, 2022 12:32 am .... there are mitigation techniques like reverse proxies or application control firewalls, but we leave them out
A reverse proxy will not protect against malware, as the reverse proxy still makes the QTS Admin webpage and all of its vulnerabilities accessible from the Internet. All a reverse proxy does is hide the public IP address of the NAS, and some reverse proxies can mitigate DDoS attacks, credential stuffing attacks, brute force attacks, etc.

I know of no WAF (Web Application Firewall) that provides any sort of security protection for consumer NAS admin interfaces such as QNAP's.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
dolbyman
Guru
Posts: 35015
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman »

Well if the exploits are based on common attacks (QNAP sadly never really discloses the attack vectors in their CVEs) some reverse proxy configurations can be set with WAF

https://www.nginx.com/learn/waf-web-app ... -firewall/
https://github.com/SpiderLabs/ModSecurity

But I have never tried them out .. only see them mentioned occasionally in these malware topics .. hence I left them out :wink:
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

dolbyman wrote: Wed Aug 17, 2022 2:00 am Well if the exploits are based on common attacks (QNAP sadly never really discloses the attack vectors in their CVEs) some reverse proxy configurations can be set with WAF

https://www.nginx.com/learn/waf-web-app ... -firewall/
https://github.com/SpiderLabs/ModSecurity

But I have never tried them out .. only see them mentioned occasionally in these malware topics .. hence I left them out :wink:
All of the highly successful malware attacks against QNAP have been due to QNAP-specific code being exploited; in those cases a reverse proxy does not provide any security protection. A ReverseProxy/WAF does not offer security protection against hard-coded credentials, improper authentication token passing, etc.

ModSecurity is 20 years old now, and is great for other types of web security stuff that is not relevant to QTS. Also, ModSecurity is nearing deprecation and should not be used anymore. ModSecurity has no rules for the QTS Admin webpage and therefore cannot perform any sort of intelligent HTML parsing of the data between the QTS Admin page webserver and the client.

As for CVEs, well, QNAP has never published any CVE (aside from the hard-coded credential thingy, iirc) for their code; they issue a QSA for their code, which goes to show just how disingenuous QNAP really is when it comes to security. The majority of the QNAP CVE numbers assigned are due to third-party code that QNAP relies on such as PHP, OpenSSL, smbd, etc. They want to look like they're doing something about security, but in reality they're trying to hide as much as they can.

Only time will tell if QNAP will improve on their disclosures or not. There are many bug hunters that are really quite ** off with QNAP because of how draconian QNAP tried to be with the people that disclose vulnerabilities to QNAP. There is a growing sentiment in the bug hunter community that QNAP has basically squandered any goodwill that is left.
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

jaysona wrote: Wed Aug 17, 2022 2:29 am All of the highly successful malware attacks against QNAP have been due to QNAP specific code being exploited,...
I'm not trying to get into a "dispute" over details, but would comment that Deadbolt, as an example, which certainly has been successful, seems (to me at least) to have found a vulnerability in some "common" element that a number of vendors have used as at least 3 have been vulnerable. It would seem that something in the Linux distro used would make more sense rather than something QNAP specific. Not trying to defend them really, and it's hard to know based on available information whether this is the case or if multiple intrusion vectors were used to launch the same or similar payloads across the various platforms.

In any case, it is unfortunate the degree of success (and therefore damage inflicted) that they've (the hackers) had.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] Deadbolt

Post by jaysona »

dosborne wrote: Wed Aug 17, 2022 2:54 am ... some "common" element ...
Absolutely.
... something in the Linux distro used ...
Not at all.

QTS and ADM are extremely different builds of Linux, ADM has a proper user space, has a root user, su, sudo, etc. The common element is that the web administration interfaces use a poorly written cgi-bin with improper checking which permits authentication bypass.
atlantis2000
Starting out
Posts: 11
Joined: Fri Oct 19, 2018 8:19 pm

Re: [RANSOMWARE] Deadbolt

Post by atlantis2000 »

Greetings... I am about to pay the ransom. Just want to make sure the hackers have been giving out keys RECENTLY. Please advise. Thanks.
atlantis2000
Starting out
Posts: 11
Joined: Fri Oct 19, 2018 8:19 pm

Re: [RANSOMWARE] Deadbolt

Post by atlantis2000 »

Also, what are the steps for making the payment via blockchain.com? Thanks.
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] Deadbolt

Post by OneCD »

atlantis2000 wrote: Fri Aug 19, 2022 9:33 am Greetings...i am about to pay the ransom. Just want to make sure the hackers have been giving out keys RECENTLY. Please advise. Thanks.
There are no guarantees, but the hackers posted a decryption key as recently as 15 hours ago.

If you keep an eye on this address, each low-value outgoing payment is to the same address each ransomware victim paid-into. The outgoing payment is used to provide the victim with their decryption key.

At present, there appear to be fairly continuous outgoings, but they are reactionary: i.e. based-on victim payments. If no-one else paid the ransom amount, I expect the outgoings would stop too.
atlantis2000 wrote: Fri Aug 19, 2022 9:46 am Also, what are the steps for making the payment via blockchain.com? Thanks.
Sorry, can't help there. I've neither bought nor sold any of the crypto-currencies. Maybe one-day I will, but I'm still waiting to see if it's just a fad that dies-out. ;)

Maybe someone else can advise?

dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

atlantis2000 wrote: Fri Aug 19, 2022 9:46 am Also, what are the steps for making the payment via blockchain.com? Thanks.
You should start by carefully reading post #1 in this thread. viewtopic.php?f=45&t=164797#p808527

In there, you will find lots of important information including a link to a users detailed story of what they did. The same process should work with other exchanges.

viewtopic.php?p=810191#p810191
atlantis2000
Starting out
Posts: 11
Joined: Fri Oct 19, 2018 8:19 pm

Re: [RANSOMWARE] Deadbolt

Post by atlantis2000 »

OneCD wrote: Fri Aug 19, 2022 2:45 pm
atlantis2000 wrote: Fri Aug 19, 2022 9:33 am Greetings...i am about to pay the ransom. Just want to make sure the hackers have been giving out keys RECENTLY. Please advise. Thanks.
There are no guarantees, but the hackers posted a decryption key as recently as 15 hours ago.

If you keep an eye on this address, each low-value outgoing payment is to the same address each ransomware victim paid-into. The outgoing payment is used to provide the victim with their decryption key.

At present, there appear to be fairly continuous outgoings, but they are reactionary: i.e. based-on victim payments. If no-one else paid the ransom amount, I expect the outgoings would stop too.
atlantis2000 wrote: Fri Aug 19, 2022 9:46 am Also, what are the steps for making the payment via blockchain.com? Thanks.
Sorry, can't help there. I've neither bought nor sold any of the crypto-currencies. Maybe one-day I will, but I'm still waiting to see if it's just a fad that dies-out. ;)

Maybe someone else can advise?
@OneCD , you've helped so many of us. You are the best....I will go ahead and make payment and I know I will need your help finding the decryption key...
QUESTION: the address on that blockchain webpage is DIFFERENT from the one I have to send the payment to...how is that possible? Does that make sense? (Let me know if I need to clarify my question.) Thank you in advance for your help!!!!!!
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

atlantis2000 wrote: Fri Aug 19, 2022 8:47 pm ....I will go ahead I know I will need your help finding the decryption key...
Instructions on how to get your key have been posted many times. No need for help, just follow the directions.
viewtopic.php?p=818604#p818604
atlantis2000
Starting out
Posts: 11
Joined: Fri Oct 19, 2018 8:19 pm

Re: [RANSOMWARE] Deadbolt

Post by atlantis2000 »

dosborne wrote: Fri Aug 19, 2022 9:01 pm
atlantis2000 wrote: Fri Aug 19, 2022 8:47 pm ....I will go ahead I know I will need your help finding the decryption key...
Instructions on how to get your key have been posted many times. No need for help, just follow the directions.
viewtopic.php?p=818604#p818604
@dosborne ..thank you...the address I need to send payment to is 41 characters long,... is that how long these addresses are???
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [RANSOMWARE] Deadbolt

Post by dosborne »

There are many examples in this thread so you can do your own comparison :)

One example of many viewtopic.php?f=45&t=164797&start=1230#p824014
Geraud W
New here
Posts: 5
Joined: Tue Aug 16, 2022 2:28 am

Re: [RANSOMWARE] Deadbolt

Post by Geraud W »

OneCD wrote: Fri Jul 22, 2022 10:00 am
kkvaws wrote: Fri Jul 22, 2022 9:56 am Hey OneCD

How were you able to get the decryption key? I looked on blockchain and could not find the OP_RETURN for that transaction.
The OP_RETURN we need is posted under the hacker’s follow-up payment of +0.00005460 BTC into the same BTC address the victim pays into.

So, if we have the victim’s payment transaction hash, we need to check for other transactions on the address they paid into. This is how I found the decryption key. ;)
--
OneCD, I didn't find my BTC address to pay. Probably the update of the NAS firmware deleted it.
We can imagine, with some info from my NAS, that the ransomer could give me the BTC address, no?
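OneCD's description quoted above amounts to a lookup procedure: among the transactions on the address the victim paid into, find the operator's follow-up payment of +0.00005460 BTC and read that transaction's OP_RETURN output. The script below is an added example written for this thread, not code from the forum, from OneCD or from any QNAP tool. The transaction records, the pay-in address and the key string are constructed for the demo; a real lookup would fetch the address's transactions from a block explorer API and feed them to the same functions. It decodes the three OP_RETURN push encodings (direct push, OP_PUSHDATA1, OP_PUSHDATA2), refuses truncated scripts instead of guessing, and ignores OP_RETURN outputs whose transaction does not carry the expected follow-up amount.

```python
"""Find the follow-up transaction that carries a Deadbolt decryption key.

Added example, not from the forum thread. Models OneCD's procedure: after a
victim pays, the operator sends +0.00005460 BTC back into the same pay-in
address, and the key rides in that transaction's OP_RETURN output.
All transaction data below is constructed for the demo.
"""

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
FOLLOW_UP_SATS = 5460  # 0.00005460 BTC in satoshi, the amount named in the thread


def decode_op_return(script_hex):
    """Return the payload bytes of an OP_RETURN output script, or None.

    Handles a direct push (1..75 bytes), OP_PUSHDATA1 (1-byte length) and
    OP_PUSHDATA2 (2-byte little-endian length). Truncated scripts yield None.
    """
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""  # bare OP_RETURN carrying no data
    op = script[1]
    if 1 <= op <= 75:
        length, start = op, 2
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        length, start = script[2], 3
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        length, start = int.from_bytes(script[2:4], "little"), 4
    else:
        return None
    payload = script[start:start + length]
    if len(payload) != length:
        return None  # script shorter than its declared push: refuse to guess
    return payload


def payload_to_text(payload):
    """Render a payload as ASCII when it is printable, otherwise as hex."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return payload.hex()
    return text if text.isprintable() else payload.hex()


def find_key_candidates(transactions, victim_paid_address, follow_up_sats=FOLLOW_UP_SATS):
    """Return (txid, key_text) for every transaction that both pays
    follow_up_sats into the victim's pay-in address and has an OP_RETURN output."""
    found = []
    for tx in transactions:
        outs = tx["outputs"]
        if not any(o.get("address") == victim_paid_address and o["value"] == follow_up_sats
                   for o in outs):
            continue
        for o in outs:
            payload = decode_op_return(o["script"])
            if payload:
                found.append((tx["txid"], payload_to_text(payload)))
    return found


def build_op_return_script(payload):
    """Encode payload as an OP_RETURN script hex string (used to build demo data)."""
    if len(payload) <= 75:
        push = bytes([len(payload)])
    elif len(payload) <= 0xFF:
        push = bytes([OP_PUSHDATA1, len(payload)])
    else:
        push = bytes([OP_PUSHDATA2]) + len(payload).to_bytes(2, "little")
    return (bytes([OP_RETURN]) + push + payload).hex()


# Constructed demo data: a fake pay-in address, a fake key, and a dummy P2WPKH script.
VICTIM_PAY_IN = "bc1q-constructed-victim-pay-in-address"
DEMO_KEY = b"CONSTRUCTED-DEMO-KEY-NOT-A-REAL-KEY"
DUMMY_P2WPKH = "0014" + "00" * 20

SAMPLE_TXS = [
    {  # the victim's ransom payment of 0.05 BTC into the pay-in address; no OP_RETURN
        "txid": "tx-constructed-0001",
        "outputs": [{"address": VICTIM_PAY_IN, "value": 5_000_000, "script": DUMMY_P2WPKH}],
    },
    {  # an OP_RETURN on the same address but with the wrong amount: must be ignored
        "txid": "tx-constructed-0002",
        "outputs": [{"address": VICTIM_PAY_IN, "value": 1000, "script": DUMMY_P2WPKH},
                    {"address": None, "value": 0, "script": build_op_return_script(b"noise")}],
    },
    {  # the operator's follow-up: +5460 sat to the pay-in address plus the key in OP_RETURN
        "txid": "tx-constructed-0003",
        "outputs": [{"address": VICTIM_PAY_IN, "value": FOLLOW_UP_SATS, "script": DUMMY_P2WPKH},
                    {"address": None, "value": 0, "script": build_op_return_script(DEMO_KEY)}],
    },
]

if __name__ == "__main__":
    for txid, key in find_key_candidates(SAMPLE_TXS, VICTIM_PAY_IN):
        print(f"{txid}: {key}")
```

The amount filter matters: an address can collect unrelated OP_RETURN traffic, so matching only on "has an OP_RETURN" would surface noise. Keying the search on the small follow-up value narrows it to the transaction the thread describes, and a printable check on the payload keeps binary data from being mistaken for a key.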
atlantis2000
Starting out
Posts: 11
Joined: Fri Oct 19, 2018 8:19 pm

Re: [RANSOMWARE] Deadbolt

Post by atlantis2000 »

atlantis2000 wrote: Fri Aug 19, 2022 8:47 pm
OneCD wrote: Fri Aug 19, 2022 2:45 pm
atlantis2000 wrote: Fri Aug 19, 2022 9:33 am Greetings...i am about to pay the ransom. Just want to make sure the hackers have been giving out keys RECENTLY. Please advise. Thanks.
There are no guarantees, but the hackers posted a decryption key as recently as 15 hours ago.

If you keep an eye on this address, each low-value outgoing payment is to the same address each ransomware victim paid-into. The outgoing payment is used to provide the victim with their decryption key.

At present, there appear to be fairly continuous outgoings, but they are reactionary: i.e. based-on victim payments. If no-one else paid the ransom amount, I expect the outgoings would stop too.
atlantis2000 wrote: Fri Aug 19, 2022 9:46 am Also, what are the steps for making the payment via blockchain.com? Thanks.
Sorry, can't help there. I've neither bought nor sold any of the crypto-currencies. Maybe one-day I will, but I'm still waiting to see if it's just a fad that dies-out. ;)

Maybe someone else can advise?
@OneCD , you've helped so many of us. You are the best....I will go ahead and make payment and I know I will need your help finding the decryption key...
QUESTION: the address on that blockchain webpage is DIFFERENT from the one I have to send the payment to...how is that possible? Does that make sense? (Let me know if I need to clarify my question.) Thank you in advance for your help!!!!!!

@OneCD
ARGH!!! Looks like a don't have enough funds in my account by a very very small amount. I need to pay 0.05 and my account has 0.04999....ARGH!!! now I have to wait and deposit from my bank which will take 3 biz days...ARGH!