[RANSOMWARE] Qlocker

rafale
Easy as a breeze
Posts: 350
Joined: Tue May 12, 2015 1:53 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by rafale »

P3R wrote: Sat May 01, 2021 3:48 am
rafale wrote: Sat May 01, 2021 2:59 am pfsense is UNIX based (FreeBSD) while opensense is LINUX.
If you mean the pfSense-fork OPNsense, then I think that it's still also FreeBSD-based.
You are absolutely correct. Not sure what I confused it with. Maybe IPfire which I was also evaluating at the time.
Server: TVS-872XT i9 9900 ES, 64GB DDR4 2666MHz, intel X550-T2, Asus RTX3070 Dual OC (On pico PSU), 2x Phison E12 1TB M.2, 4x Micron 5210 7.68TB, 4x WD Purple 4TB
Backup NAS: TS-473 20GB DDR4 2400MHz, Mellanox ConnectX3, 2x Samsung PM871b 256GB M.2, 4x WD Red 8TB
Former units: TVS-1282, TS-871, TS-469
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

Steph38 wrote: Sat May 01, 2021 4:38 am Ok. Got it. Maybe I also did not use the correct volume to do the recovery. I used /dev/mapper/cachedev1 which is system volume, I may choose another one ? no ?
How many volumes do you have? If you have more than one, and had files encrypted on them as well, yes you should run the program on these other volumes:
/dev/mapper/cachedev1
/dev/mapper/cachedev2
/dev/mapper/cachedev3
... and so on ...
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

Ericnepean wrote: Sat May 01, 2021 4:33 am I think I might be able to get along with pfSense.
You'll do great!
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

I used PuTTy and PhotoRec and recovered 955,000 original files that were deleted before being encrypted.

I still have all the encrypted files (the whole NAS drive) in an image and they are also all still on the NAS, which I will clone in case someone comes up with a way to unencrypt.

A lot of work ahead matching original file names to the numbers that the files have been given however, I would rather this than have no file at all.

I will now take the drive out and attempt to get them back in tree and name order using my GetDatBack program.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

FYI I've been comparing HBS 15.0.0128 (vulnerable version) and 16.0.0415 (update with security fixes) and found:
- A fix for a security hole
- Two fixes for command injection vulnerabilities
(as described in the HBS release notes)

Your NAS is vulnerable if the file (actually a symbolic link)

/home/httpd/cgi-bin/backup/hbs_mgnt.cgi

exists and points to the file

/etc/config/qsync/home/mgnt_cgi/hbs_mgnt.py

The directory

/home/httpd/cgi-bin

contains the QTS web admin application and anything under it can be accessed via the QTS web ports (8080, 443 by default).

Therefore,

/home/httpd/cgi-bin/backup/hbs_mgnt.cgi

can be accessed via the QTS web ports.

If you've been following the ongoing investigation in this thread, hbs_mgnt is the component that contains the hardcoded 'jisoosocoolhbsmgnt' session id backdoor that allows an HTTP client to bypass username/password authentication.

What the 16.0.0415 (and later) version of HBS does is:
- remove the symbolic link /home/httpd/cgi-bin/backup/hbs_mgnt.cgi
- remove the directory and its contents /etc/config/qsync/home/mgnt_cgi
- no longer install the above

Don't ask me more details as I will not provide any.
You can easily confirm I'm not making things up by comparing /home/httpd/cgi-bin/backup/hbs_mgnt.cgi before and after the update to HBS 16.0.0415 or later.
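The check Mousetick describes can be scripted so the state of the HBS management CGI is verified the same way every time (for instance from an SSH session on the NAS, or against a mounted image of a system volume). This is an added example, not code from the thread or from QNAP; the paths are the ones named above, the optional root prefix and the return-code scheme are this example's own conventions.

```sh
#!/bin/sh
# Added example: report whether the HBS management CGI symlink that
# exposed hbs_mgnt under the QTS web root is present, pointing at the
# script named in the thread, or already removed by HBS 16.0.0415+.
# Paths come from the forum analysis; the ROOT prefix is an assumption
# of this example so the check can run against a mounted image or a
# constructed test tree (on a live NAS, call it with no argument).

HBS_CGI_LINK="/home/httpd/cgi-bin/backup/hbs_mgnt.cgi"
HBS_CGI_TARGET="/etc/config/qsync/home/mgnt_cgi/hbs_mgnt.py"
HBS_CGI_DIR="/etc/config/qsync/home/mgnt_cgi"

# hbs_mgnt_check [ROOT]
# Prints one verdict line and returns:
#   0 = link and mgnt_cgi directory absent (matches the patched layout)
#   1 = link present and pointing at hbs_mgnt.py (vulnerable layout)
#   2 = inconclusive (unexpected link target, regular file, or leftover dir)
hbs_mgnt_check() {
    root="${1:-}"
    link="$root$HBS_CGI_LINK"
    dir="$root$HBS_CGI_DIR"

    if [ -L "$link" ]; then
        target=$(readlink "$link")
        # An absolute symlink inside a mounted image still reads as the
        # unprefixed path, so accept both spellings of the target.
        if [ "$target" = "$HBS_CGI_TARGET" ] || [ "$target" = "$root$HBS_CGI_TARGET" ]; then
            echo "VULNERABLE: $HBS_CGI_LINK -> $target (update HBS to 16.0.0415 or later)"
            return 1
        fi
        echo "INCONCLUSIVE: $HBS_CGI_LINK -> $target (unexpected target, inspect manually)"
        return 2
    fi
    if [ -e "$link" ]; then
        echo "INCONCLUSIVE: $HBS_CGI_LINK exists but is not a symbolic link"
        return 2
    fi
    if [ -d "$dir" ]; then
        echo "INCONCLUSIVE: link removed but $HBS_CGI_DIR is still present"
        return 2
    fi
    echo "OK: hbs_mgnt is not reachable under /home/httpd/cgi-bin"
    return 0
}

# Usage on a NAS (after sourcing this file):  hbs_mgnt_check
# Usage on a mounted image:                    hbs_mgnt_check /mnt/nas_root
```

The exit status is deliberately distinct for each outcome so the check can be chained into a larger post-incident audit script.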
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by AlastairStevenson »

Compliments on your analysis.
And many thanks for sharing.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
Ericnepean
Know my way around
Posts: 132
Joined: Mon Jul 02, 2012 4:35 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Ericnepean »

@Mousetick
Great analysis, thanks for sharing
I wonder what other surprises we might find in /home/httpd/cgi-bin
Eric in Ottawa, Canada
TS-251A with 2x 6TB Seagate IronWolf in RAID 1
TR-004 with 4x 4TB HGST in RAID 5
DS923+ with 4x10GB WD Red in RAID 5
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

Ericnepean wrote: Sun May 02, 2021 3:57 pm I wonder what other surprises we might find in /home/httpd/cgi-bin
This is the gateway to the NAS administration interface provided by the internal web server which runs with the highest system privileges. A successful exploit can in some cases give complete control of the machine. Security vulnerabilities were previously found (and fixed) there, more will undoubtedly be uncovered in the future.

A similar hole was found last year by security researchers, who built a proof of concept exploit opening a remote shell:
https://securingsam.com/new-vulnerabili ... -takeover/
They note they were basically ignored by QNAP. The hole was finally patched later by QNAP, however.
CastleClimbr
First post
Posts: 1
Joined: Sun May 02, 2021 10:41 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by CastleClimbr »

I just discovered that the NAS I set up in a little office was compromised on the 21.4 (late to the party I guess) :-P
The qnap was exposed to wan with a non-default port... lesson learned.
It took me this long to notice since the Network shares (that are used daily) weren't encrypted.
Only backups that are backed up off-site were encrypted, so as far as I can tell there should be no significant damage.
Time Machine did not recognize that the old backups were encrypted and just created new ones without prompting the users. (?!?)
I think I got very lucky since I randomly logged in to the NAS as it was encrypting and updated it. I also discovered in the logs that this update installed and ran the malware remover. So the attack was probably stopped while it was running.

I read through the previous posts but feel like I am in a weird position.
Is there a proper recovery process? The only 'safe' thing is probably to wipe/reset the NAS, but I can't get to where the NAS is deployed right now (covid) :-/.
I took all the steps that QNAP posted in their official response, but this thread seems to be miles ahead of what is communicated on official channels, so maybe you guys can help me out. :-)
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

In case you haven't seen it yet, there is an interesting "official" blog post from QNAP, conveniently located where no one can see it unless they look for it.
https://blog.qnap.com/nas-internet-connect-en/

It's interesting for 2 reasons:
- It acknowledges that QLocker exploited the security hole in HBS.
- It gives a lot of good advice to novice and non-technical users for securing QNAP NASes (except the bit about changing port numbers, that's bollocks).

This is all well and good, but it's way too late and should have been posted on QNAP's main site, preferably the home page. Even then, most users who see it might react with: TL;DR. QNAP has got it backwards: the device should be configured securely by default, and users should go out of their way to dangerously expose it - not the other way around.

Saved for posterity:
qnaphbsqlocker.png
Last edited by Mousetick on Mon May 03, 2021 8:44 am, edited 1 time in total.
NS123
Starting out
Posts: 25
Joined: Sat Jul 25, 2015 10:31 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by NS123 »

perhaps a silly question but maybe one of you who knows much more than I can answer this question: would configuring qufirewall to the "include subnets only" option (which is fine for my use case) have prevented this problem for me even if I had an unpatched HBS app? More directly, will configuring the qufirewall as mentioned be an easy way to bulletproof our NAS's for those who don't need access off their local subnet? Thanks, N123
OneCD
Guru
Posts: 12010
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by OneCD »

Mousetick wrote: Sun May 02, 2021 11:48 pm In case you haven't seen it yet, there is an interesting "official" blog post from QNAP, conveniently located where no one can see it unless they look for it.
https://blog.qnap.com/nas-internet-connect-en/

It's interesting for 2 reasons:
- It acknowledges that QLocker exploited the security hole in HBS.
- It gives a lot of good advice for securing QNAP NASes (except the bit about changing port numbers, that's bollocks).
Yes, a blog post with a large "Security News" graphic should have been put in the security news section of QNAP's site, which I check daily.

That someone didn't think to do this is quite "QNAP", don't you think? ;)

Ericnepean
Know my way around
Posts: 132
Joined: Mon Jul 02, 2012 4:35 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Ericnepean »

NS123 wrote: Mon May 03, 2021 1:54 am perhaps a silly question but maybe one of you who knows much more than I can answer this question: would configuring qufirewall to the "include subnets only" option (which is fine for my use case) have prevented this problem for me even if I had an unpatched HBS app? More directly, will configuring the qufirewall as mentioned be an easy way to bulletproof our NAS's for those who don't need access off their local subnet? Thanks, N123
Don't use your NAS as a security appliance. Don't count on the QNAP firewall for ANYTHING, don't count on the QNAP box for any security related thing for which it has to be exposed to the internet (like a VPN).

This hack is worth millions. Those who were investigating Qlocker were able to watch some payments being made by watching the bitcoin wallets that they learned are being used for this exploit.
https://www.bleepingcomputer.com/news/s ... p-utility/
In the first 5 days, they saw $260,000 USD in payments being made. There were likely payments to other bitcoin wallets that they were unaware of.

Given this potential, the same gang is likely digging even further into the QNAP operating system to find more opportunities, and quite possibly their competitors are getting interested too.

You want to put your security features in something that isn't tied directly to QNAP. We all have a QNAP box. But some of us have Dlink routers, others Netgear, a few of us have Zyxel firewalls, others have pfSense. Undoubtedly some ASUS, TPlink, Sonicwall and Linksys and probably a few that I missed.

Put your security in your firewall or router appliance. Perhaps get an even better router or firewall that will support VPNs. There's no 100% guarantee of safety, but this will at least make it more difficult for them.
Last edited by Ericnepean on Mon May 03, 2021 5:19 am, edited 1 time in total.
tarjaanX
First post
Posts: 1
Joined: Mon Dec 21, 2020 5:22 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by tarjaanX »

QNAP's answer is a joke. Just spent a lot of time going through log files to find out that qnap disabled the sql server because of a weak password. :( No big warning that informs me of that nonsense.

HEY QNAP. We choose our passwords ourselves. When we use a weak password, it's because we are in a protected network and don't need strong passwords. Don't try to educate us. Spend your time working on better quality software and not disabling services on my NAS because you can.
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

NS123 wrote: Mon May 03, 2021 1:54 am perhaps a silly question but maybe one of you who knows much more than I can answer this question: would configuring qufirewall to the "include subnets only" option (which is fine for my use case) have prevented this problem for me even if I had an unpatched HBS app?
Probably, but it's far, far better to never expose the system so that you have to rely on the Qnap firewall as your last line of defence. It's like keeping the front door wide open but standing inside yourself to stop everyone that wants to walk in. It's easier and better to simply close and lock the front door.

You should stop traffic already in your router/firewall, using the QuFirewall in the Qnap is then optional.

If you expose your Qnap on the internet, these steps should put an end to that:
  1. Never ever use the so called DMZ feature for the Qnap.
  2. Remove any manual port forwarding done in the router/firewall that points at the Qnap.
  3. Go to the myQNAPcloud app in the web administration, click Auto Router Configuration and then disable UPnP port forwarding.
  4. If possible, disable UPnP port forwarding in your router/firewall as well.
  5. Reboot the router/firewall.
Last edited by P3R on Mon May 03, 2021 8:27 am, edited 1 time in total.