
QNAP-targeted ransomware is now a thing

Posted: Thu Jul 11, 2019 1:22 pm
by OneCD
Another first for QNAP. :(
The Hacker News wrote: A new ransomware family has been found targeting Linux-based Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' important data hostage until a ransom is paid, researchers told The Hacker News.

Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities.

Dubbed "QNAPCrypt" by Intezer and "eCh0raix" by Anomali, the new ransomware is written in the Go programming language and encrypts files with targeted extensions using AES encryption and appends .encrypt extension to each.

However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files.

...

As a reminder, we urge users not to, unknowingly or unnecessarily, connect their NAS devices directly to the Internet, and also enable automatic updates to keep firmware up-to-date.
SC wrote: The researchers said the threat actor appears to be scanning the internet for QNAP devices and then compromises those set up with weak passwords. The number of potentially vulnerable QNAP NAS drives is not known, Anomali said, adding the researchers have found samples compiled for ARM and Intel x86, leading us to believe it is present in both enterprise and home devices.

...

The ransomware code itself is very simple, containing just 400 lines and written in the Go programming language.

The ransomware reaches out to the URL http://192.99.206[.]61/d.php?s=started and then tells command and control server sg3dwqfpnr4sl5hh[.]onion via a SOCKS5 Tor proxy at 192.99.206[.]61:65000 it is up and running.
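
Added example, not part of the original thread or of either quoted article: a small Python check for the two indicators quoted above, files carrying the `.encrypt` extension and log lines naming the defanged addresses. The log format, timestamps and file names are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators exactly as the quoted SC article writes them (defanged).
DEFANGED_IOCS = ["192.99.206[.]61", "sg3dwqfpnr4sl5hh[.]onion"]
ENCRYPTED_SUFFIX = ".encrypt"  # extension the quoted article says is appended

# Constructed sample lines in a made-up firewall log format (assumption).
SAMPLE_LOG = [
    "2019-07-11T13:01:02 ALLOW out src=192.168.1.20 dst=192.99.206.61:65000 proto=tcp",
    "2019-07-11T13:01:05 ALLOW out src=192.168.1.20 dst=192.99.206.610:80 proto=tcp",
    "2019-07-11T13:02:00 ALLOW out src=192.168.1.20 dst=203.0.113.7:443 proto=tcp",
    "2019-07-11T13:02:09 GET http://192.99.206.61/d.php?s=started",
]


def _pattern(defanged):
    """Regex for the live form, refusing matches inside a longer token."""
    live = defanged.replace("[.]", ".")
    return re.compile(r"(?<![\w.])" + re.escape(live) + r"(?!\w)")


def match_iocs(lines):
    """Return (1-based line number, defanged indicator) for each hit."""
    patterns = [(ioc, _pattern(ioc)) for ioc in DEFANGED_IOCS]
    return [(n, ioc) for n, line in enumerate(lines, 1)
            for ioc, rx in patterns if rx.search(line)]


def find_encrypted(root):
    """Return relative paths under root whose names end in .encrypt."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo():
    """Build a constructed share in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "photos"))
        for rel in ("photos/a.jpg.encrypt", "photos/b.jpg", "notes.txt.encrypt"):
            open(os.path.join(share, *rel.split("/")), "w").close()
        return find_encrypted(share), match_iocs(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Hits are reported in defanged form so the report itself never contains a clickable address; the second sample line shows why the pattern refuses to match inside a longer number.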

Re: QNAP-targeted ransomware is now a thing

Posted: Thu Jul 11, 2019 2:45 pm
by Moogle Stiltzkin
time to enable reserved space for snapshots. and also don't portforward qnap to the internet.
Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities.
these are the users that don't update qts at all, or have generally lax network security practices, like port forwarding the qnap or using upnp qnap+router, and poor passwords :S just a bunch of things that result in your network being compromised and the NAS easily targeted.

also if you're not actively using ssh, disable when not in use.

However, if a compromised NAS device is located in Belarus, Ukraine, or Russia, the ransomware terminates the file encryption process and exits without doing any harm to the files.
:shock:


it's that or hillary or someone trying to frame them :lol:



Re: QNAP-targeted ransomware is now a thing

Posted: Thu Jul 11, 2019 9:39 pm
by theincogtion
Just got a mail pointing to the new security advisory:
https://www.qnap.com/en/security-advisory/NAS-201907-11

My questions are:
To avoid infection, you must:

Update QTS to the latest version.
1. Which QTS version is insecure and which one is secure?
2. How can I find out if I am affected?
3. How does the malware get on the system? About myqnapcloud?
4. What if my NAS is in a home network (secured by a router firewall)? Am I also affected?


As always the security advisory could give far more information....

Re: QNAP-targeted ransomware is now a thing

Posted: Thu Jul 11, 2019 9:45 pm
by dolbyman
well there was synolocker a couple of years ago ...now with crypto coins going back up .. it was a matter of time

surprised we haven't heard of this yet (via forum posts)

Re: QNAP-targeted ransomware is now a thing

Posted: Thu Jul 11, 2019 10:53 pm
by Moogle Stiltzkin
update

what to do
Recommendation
To avoid infection, you must:

Update QTS to the latest version.
Install and update Malware Remover to the latest version.
Use a stronger admin password.
Enable Network Access Protection to protect accounts from brute force attacks.
Disable SSH and Telnet services if you are not using them.
Avoid using default port numbers 443 and 8080.
https://www.qnap.com/en/security-advisory/nas-201907-11

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 7:58 am
by OneCD
Moogle Stiltzkin wrote:
Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.
Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 8:14 am
by Moogle Stiltzkin
OneCD wrote:
Fri Jul 12, 2019 7:58 am
Moogle Stiltzkin wrote:
Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.
Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(
:shock: what!

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 8:33 am
by OneCD
Yep, party’s over. ;)

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 9:37 am
by dolbyman
Moogle Stiltzkin wrote:
Fri Jul 12, 2019 8:14 am
OneCD wrote:
Fri Jul 12, 2019 7:58 am
Moogle Stiltzkin wrote:
Thu Jul 11, 2019 2:45 pm
time to enable reserved space for snapshots.
Snapshots only work if the attack surface is limited to shares (or iSCSI targets).

This ransomware is installed into the OS, so snapshots offer no protection. Snapshots can be ransomware-encrypted as easily as anything else on the NAS. :(

:shock: what!
that's why windows ransomware flushes/disables your shadowcopy service first (similar to snapshots)

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 10:05 am
by Moogle Stiltzkin
wow.... if that's the case then it's a waste i did snapshots on the raid1 ssd for my ts-877. next time i have a chance i'll just do a static vol next time.

i still use snapshots for the raid5 4x4tb just for convenience to rollback.

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 10:14 am
by dolbyman
snapshots DO help if a connected client is causing file changes or deletion..just not if the actual NAS is infected

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 11:17 am
by OneCD
dolbyman wrote:
Fri Jul 12, 2019 10:14 am
snapshots DO help if a connected client is causing file changes or deletion..just not if the actual NAS is infected
... which I guess I should have made clearer. :geek:

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 4:35 pm
by umpa
I have just found out about this, I guess I live under a rock - lol. Someone has been trying to log in as administrator and the system added them to the ban list. It's something that happens from time to time - never really worried about it.

I tend to just let my Qnap's just get on with it, bad I know but I was so happy just to get them to work right security was not high on my list. It's been that way for years.

Most of mine are old legacy devices, that only get security updates & one of them is on 4.2.6 which the latest available to me as of today is QTS 4.2.6 build 20190629. The release notes don't say that this particular crypto issue is addressed in this release anyway.

I'm hesitant to install something into my NAS developed by a company who would rather me buy a brand new one from them instead. I could be jumping out of the fire into the frying pan, and I don't think Qnap would give two hoots if it all went pear shaped as a result of installing a new firmware.

That's how I feel about it anyway.

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 9:59 pm
by bapw@comcast.net
I have not dealt with ports before so how does one find out about which ones to use. Any info would be so much appreciated. Thank you.

Re: QNAP-targeted ransomware is now a thing

Posted: Fri Jul 12, 2019 10:01 pm
by dolbyman
best to use no portforwarding at all ... as that opens up the nas to attacks