You are absolutely correct. Not sure what I confused it with. Maybe IPfire which I was also evaluating at the time.
[RANSOMWARE] Qlocker
- rafale
- Easy as a breeze
- Posts: 350
- Joined: Tue May 12, 2015 1:53 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Server: TVS-872XT i9 9900 ES, 64GB DDR4 2666MHz, intel X550-T2, Asus RTX3070 Dual OC (On pico PSU), 2x Phison E12 1TB M.2, 4x Micron 5210 7.68TB, 4x WD Purple 4TB
Backup NAS: TS-473 20GB DDR4 2400MHz, Mellanox ConnectX3, 2x Samsung PM871b 256GB M.2, 4x WD Red 8TB
Former units: TVS-1282, TS-871, TS-469
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
How many volumes do you have? If you have more than one, and had files encrypted on them as well, yes you should run the program on these other volumes:
/dev/mapper/cachedev1
/dev/mapper/cachedev2
/dev/mapper/cachedev3
... and so on ...
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
You'll do great!
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- Easy as a breeze
- Posts: 271
- Joined: Mon Mar 13, 2017 3:33 pm
- Location: Sydney Oz
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I used PuTTy and PhotoRec and recovered 955,000 original files that were deleted before being encrypted.
I still have all the encrypted files (the whole NAS drive) in an image and they are also all still on the NAS, which I will clone in case someone comes up with a way to unencrypt.
A lot of work ahead matching original file names to the numbers that the files have been given however, I would rather this than have no file at all.
I will now take the drive out and attempt to get them back in tree and name order using my GetDatBack program.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
FYI I've been comparing HBS 15.0.0128 (vulnerable version) and 16.0.0415 (update with security fixes) and found:
- A fix for a security hole
- Two fixes for command injection vulnerabilities
(as described in the HBS release notes)
Your NAS is vulnerable if the file (actually a symbolic link)
/home/httpd/cgi-bin/backup/hbs_mgnt.cgi
exists and points to the file
/etc/config/qsync/home/mgnt_cgi/hbs_mgnt.py
The directory
/home/httpd/cgi-bin
contains the QTS web admin application and anything under it can be accessed via the QTS web ports (8080, 443 by default).
Therefore,
/home/httpd/cgi-bin/backup/hbs_mgnt.cgi
can be accessed via the QTS web ports.
If you've been following the ongoing investigation in this thread, hbs_mgnt is the component that contains the hardcoded 'jisoosocoolhbsmgnt' session id backdoor that allows an HTTP client to bypass username/password authentication.
What the 16.0.0415 (and later) version of HBS does is:
- remove the symbolic link
/home/httpd/cgi-bin/backup/hbs_mgnt.cgi
- remove the directory and its contents
/etc/config/qsync/home/mgnt_cgi
- no longer installs the above
Don't ask me more details as I will not provide any.
You can easily confirm I'm not making things up by comparing
/home/httpd/cgi-bin/backup/hbs_mgnt.cgi
before and after the update to HBS 16.0.0415 or later.
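A defender-side check for the condition described in the post above, written as an added example that is not Mousetick's code or QNAP's: it inspects the three paths quoted in the post and reports whether the HBS 15.x symlink/directory layout is still present. The optional root-prefix argument is an assumption added so the same check can be run against a mounted or copied filesystem tree instead of the live NAS.

```shell
#!/bin/sh
# Added example (not from the thread). Exit codes:
#   0 = hbs_mgnt entry point absent (HBS 16.0.0415+ layout)
#   1 = symlink present and pointing at hbs_mgnt.py (post's "vulnerable" condition)
#   2 = partial/unexpected state worth a manual look
# $1 is an assumed root prefix (empty = live system) so a copied tree can be checked.
hbs_mgnt_check() {
    root="${1:-}"
    link="$root/home/httpd/cgi-bin/backup/hbs_mgnt.cgi"
    target="/etc/config/qsync/home/mgnt_cgi/hbs_mgnt.py"
    dir="$root/etc/config/qsync/home/mgnt_cgi"

    if [ -L "$link" ]; then
        dest=$(readlink "$link")
        case "$dest" in
            "$target"|"$root$target")
                # Anything under /home/httpd/cgi-bin is reachable on the QTS web ports
                echo "VULNERABLE: $link -> $dest (hbs_mgnt reachable via QTS web ports)"
                return 1 ;;
            *)
                echo "WARNING: $link is a symlink but points to $dest"
                return 2 ;;
        esac
    elif [ -e "$link" ]; then
        echo "WARNING: $link exists but is not a symlink"
        return 2
    fi

    # HBS 16.0.0415+ removes the mgnt_cgi directory as well as the symlink
    if [ -d "$dir" ]; then
        echo "WARNING: symlink removed but $dir still exists"
        return 2
    fi
    echo "OK: hbs_mgnt CGI entry point not present (HBS 16.0.0415+ layout)"
    return 0
}

# Run against the live system when executed directly; prints one status line.
[ "${0##*/}" = "hbs_mgnt_check.sh" ] && hbs_mgnt_check ""
```

Run it from an SSH session on the NAS (or pass the mount point of a copied tree) and act on any non-zero exit code.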
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Compliments on your analysis.
And many thanks for sharing.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
- Ericnepean
- Know my way around
- Posts: 133
- Joined: Mon Jul 02, 2012 4:35 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
@Mousetick
Great analysis, thanks for sharing
I wonder what other surprises we might find in /home/httpd/cgi-bin
Eric in Ottawa, Canada
TS-251A with 2x 6TB Seagate IronWolf in RAID 1
TR-004 with 4x 4TB HGST in RAID 5
DS923+ with 4x10GB WD Red in RAID 5
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Ericnepean wrote: Sun May 02, 2021 3:57 pm
I wonder what other surprises we might find in /home/httpd/cgi-bin
This is the gateway to the NAS administration interface provided by the internal web server which runs with the highest system privileges. A successful exploit can in some cases give complete control of the machine. Security vulnerabilities were previously found (and fixed) there, more will undoubtedly be uncovered in the future.
A similar hole was found last year by security researchers, who built a proof of concept exploit opening a remote shell:
https://securingsam.com/new-vulnerabili ... -takeover/
They note they were basically ignored by QNAP. The hole was finally patched later by QNAP, however.
-
- First post
- Posts: 1
- Joined: Sun May 02, 2021 10:41 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I just discovered that the NAS I set up in a little office was compromised on the 21.4 (late to the party I guess)
The qnap was exposed to wan with a non-default port... lesson learned.
It took me this long to notice since the Network shares (that are used daily) weren't encrypted.
Only backups that are backed up off-site were encrypted, so as far as I can tell there should be no significant damage.
Time Machine did not recognize that the old backups were encrypted and just created new ones without prompting the users. (?!?)
I think I got very lucky since I randomly logged in to the NAS as it was encrypting and updated it. I also discovered in the logs that this update installed and ran the malware remover. So the attack was probably stopped while it was running.
I read through the previous posts but feel like I am in a weird position.
Is there a proper recovery process? The only 'safe' thing is probably to wipe/reset the NAS, but I can't get to where the NAS is deployed right now (covid) :-/.
I took all the steps that QNAP posted in their official response, but this thread seems to be miles ahead of what is communicated on official channels, so maybe you guys can help me out.
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
In case you haven't seen it yet, there is an interesting "official" blog post from QNAP, conveniently located where no one can see it unless they look for it.
https://blog.qnap.com/nas-internet-connect-en/
It's interesting for 2 reasons:
- It acknowledges that QLocker exploited the security hole in HBS.
- It gives a lot of good advice to novice and non-technical users for securing QNAP NASes (except the bit about changing port numbers, that's bollocks).
This is all well and good, but it's way too late and should have been posted on QNAP's main site, preferably the home page. Even then, most users who see it might react with: TL;DR. QNAP has got it backwards: the device should be configured securely by default, and users should go out of their way to dangerously expose it - not the other way around.
Saved for posterity:
Last edited by Mousetick on Mon May 03, 2021 8:44 am, edited 1 time in total.
-
- Starting out
- Posts: 25
- Joined: Sat Jul 25, 2015 10:31 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
perhaps a silly question but maybe one of you who knows much more than I can answer this question: would configuring qufirewall to the "include subnets only" option (which is fine for my use case) have prevented this problem for me even if I had an unpatched HBS app? More directly, will configuring the qufirewall as mentioned be an easy way to bulletproof our NAS's for those who don't need access off their local subnet? Thanks, N123
- OneCD
- Guru
- Posts: 12155
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Mousetick wrote: Sun May 02, 2021 11:48 pm
In case you haven't seen it yet, there is an interesting "official" blog post from QNAP, conveniently located where no one can see it unless they look for it.
https://blog.qnap.com/nas-internet-connect-en/
It's interesting for 2 reasons:
- It acknowledges that QLocker exploited the security hole in HBS.
- It gives a lot of good advice for securing QNAP NASes (except the bit about changing port numbers, that's bollocks).
Yes, a blog post with a large "Security News" graphic should have been put in the security news section of QNAP's site, which I check daily.
That someone didn't think to do this is quite "QNAP", don't you think?
- Ericnepean
- Know my way around
- Posts: 133
- Joined: Mon Jul 02, 2012 4:35 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
NS123 wrote: Mon May 03, 2021 1:54 am
perhaps a silly question but maybe one of you who knows much more than I can answer this question: would configuring qufirewall to the "include subnets only" option (which is fine for my use case) have prevented this problem for me even if I had an unpatched HBS app? More directly, will configuring the qufirewall as mentioned be an easy way to bulletproof our NAS's for those who don't need access off their local subnet? Thanks, N123
Don't use your NAS as a security appliance. Don't count on the QNAP firewall for ANYTHING, don't count on the QNAP box for any security related thing for which it has to be exposed to the internet (like a VPN).
This hack is worth millions. Those who were investigating Qlocker were able to watch some payments being made by watching the bitcoin wallets that they learned are being used for this exploit.
https://www.bleepingcomputer.com/news/s ... p-utility/
In the first 5 days, they saw $260,000 USD in payments being made. There were likely payments to other bitcoin wallets that they were unaware of.
Given this potential, the same gang is likely digging even further into the QNAP operating system to find more opportunities, and quite possibly their competitors are getting interested too.
You want to put your security features in something that ransomware developers isn't tied directly to QNAP. We all have a QNAP box. But some of us have Dlink routers, others Netgear, a few of us have Zyxel firewalls, others have pfSense. Undoubtedly some ASUS, TPlink, Sonicwall and Linksys and probably a few that I missed.
Put your security in your firewall or router appliance. Perhaps get an even better router or firewall that will support VPNs. There's no 100% guarantee of safety, but this will at least make it more difficult for them.
Last edited by Ericnepean on Mon May 03, 2021 5:19 am, edited 1 time in total.
Eric in Ottawa, Canada
TS-251A with 2x 6TB Seagate IronWolf in RAID 1
TR-004 with 4x 4TB HGST in RAID 5
DS923+ with 4x10GB WD Red in RAID 5
-
- First post
- Posts: 1
- Joined: Mon Dec 21, 2020 5:22 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
QNAPs answer is a joke. Just spent a lot of time to go through log files to find out that qnap disabled the sql server because of a weak password. No big warning that informs me of that nonsense.
HEY QNAP. We choose our passwords ourselves. When we use a weak password, it's because we are in a protected network and don't need strong passwords. Don't try to educate us. Spend your time working on better quality software and not disabling services on my NAS because you can.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
NS123 wrote: Mon May 03, 2021 1:54 am
perhaps a silly question but maybe one of you who knows much more than I can answer this question: would configuring qufirewall to the "include subnets only" option (which is fine for my use case) have prevented this problem for me even if I had an unpatched HBS app?
Probably but it's far, far better to never expose the system so that you will have to rely on the Qnap firewall as your last line of defence. It's like keeping the front door wide open but standing inside yourself to stop everyone that want to walk in. It's easier and better to simply close and lock the front door.
You should stop traffic already in your router/firewall, using the QuFirewall in the Qnap is then optional.
If you expose your Qnap on the internet, these steps should put an end to that:
- Never ever use the so called DMZ feature for the Qnap.
- Remove any manual port forwarding done in the router/firewall that points at the Qnap.
- Go to the myQNAPcloud app in the web administration, click Auto Router Configuration and then disable UPnP port forwarding.
- If possible, disable UPnP port forwarding in your router/firewall as well.
- Reboot the router/firewall.
Last edited by P3R on Mon May 03, 2021 8:27 am, edited 1 time in total.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!