[RANSOMWARE] Qlocker

jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

jacobite1 wrote: Thu Apr 29, 2021 4:53 pm
I would be laughing if this wasn't so utterly, utterly basic.
Basic? Nah man, this is beyond basic. If this is not outright incompetence, then I would postulate that this has the makings of criminal intent, or at the very least, some sort of nefarious intent.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

AlastairStevenson wrote: Thu Apr 29, 2021 5:28 pm
Go to your QNAP and issue the following command (you can also download attached output):
Wow, but wow!
I did that - it's absolutely horrific.

I'm almost speechless about how shoddy and unprofessional this code is.
It's also packed with rubbish that shouldn't just have been removed but should never have been there in the first place.
+1
My prior confidence in QNAP has now taken a big dive.
My confidence in QNAP in terms of security and knowing wtf they are doing went out the door after their responses back in 2019 to malware attacks against their NASes.

Then QNAP makes comments such as this:
https://techmonitor.ai/techonology/cybe ... are-rising

:roll: :roll: :roll: :roll:
tremountakis
New here
Posts: 3
Joined: Tue Apr 27, 2021 7:20 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by tremountakis »

I think somebody from inside QNAP is involved in this attack, someone who knows the code and the private clouds.
Barboots
Getting the hang of things
Posts: 53
Joined: Fri Jun 30, 2017 3:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Barboots »

I'm just on page 13 and reading furiously, but to assist others, can I suggest that the first post contains a note along the lines of "leave NAS running, disconnect internet".

The first thing I did on opening the thread was to turn the f'n thing off 🤬
marklyn
Getting the hang of things
Posts: 95
Joined: Mon Oct 12, 2015 5:26 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by marklyn »

I'm being prompted to upgrade to QTS 4.5.3.1652 Build 20210428 but I have mixed feelings about it.
I'd almost be ok with the auto updating of apps but the automatic updating of the QNAP firmware really concerns me.
I don't want my NAS updating without me doing it myself.
I've had issues in the past where an update didn't work or was problematic and required support's assistance.
I'd much rather receive urgent emails detailing critical updates; even a countdown in days before an update happens automatically would be a better option in my opinion.
Again, I want to be in control of apps and firmware updates!
Anyone else having 2nd thoughts about this?
Here is the writeup:
https://www.qnap.com/en/release-notes/q ... as_product
TS453Pro, Network: Single port, 8Gb RAM
PC OS: Windows 10 home
4 TB ST4000VX007 X2 (RAID1) Volume 1
4 TB ST4000VX007 X1 (JBOD) Volume 2
6 TB ST6000VX007 X1 (JBOD) Volume 3
dmccormack
Starting out
Posts: 29
Joined: Wed Apr 27, 2011 9:13 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dmccormack »

Yeah, same here, I am hoping that unchecking the 2 check boxes under the auto update tab prevents this from happening. But the text is as clear as mud, so no way of knowing what happens when you do this. And of course there is no documentation on this tab when you open the help :roll:
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by QNAPDanielFL »

Mousetick wrote: Thu Apr 29, 2021 12:20 pm
P3R wrote: Thu Apr 29, 2021 9:29 am
I can't accept that it's the web admin port that is the only way in until it's confirmed. Yes, it may be the most probable (it scales much better), but until it's confirmed by a reliable source, I consider that to be only your assumption, hypothesis or best guess.

I wouldn't at this point rule out the RTRR-port as a separate attack vector.
Nobody outside QNAP can know for sure so I'd suggest you contact them and demand a straight answer from them.

I wouldn't mind if my best guess were proven wrong. Please share your confirmation once you have received it. Thanks :)
I asked about this question. But it is hard to give a 100% answer about every port a hacker might use to infect a QNAP with Qlocker. When I talked with the security team, the person I talked to said that in his experience, when dealing with someone who had Qlocker, port 443 or 8080 was forwarded. It seems like those are the most likely ports used. But I was also told he was not 100% sure there could not be another port that could be used. But the evidence we see seems to suggest 443 and 8080.
infotecmb
Starting out
Posts: 24
Joined: Thu Sep 03, 2015 11:46 am
Location: Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by infotecmb »

New Security Advisory from QNAP:

Code:

AgeLocker Ransomware

    Release date: April 29, 2021
    Security ID: QSA-21-15
    Severity: High
    Affected products: All QNAP NAS
    Status: Investigating

Revision History: V1.0 (April 29, 2021) - Published
Did they misprint the name "AgeLocker" instead of "Qlocker"? According to QNAP QSA-20-06 with the same subject, the problem was resolved last year:

Code:

AgeLocker Ransomware

    Release date: September 25, 2020
    Security ID: QSA-20-06
    Severity: High
    CVE identifier: N/A
    Affected products: QNAP NAS devices
    Status: Resolved

Revision History: V1.0 (September 25, 2020) - Published
Or do we have multiple ransomware attacks against QNAP with unknown vectors at this moment?

At least eCh0raix ransomware is active now. You would be surprised to find the topic https://www.bleepingcomputer.com/forums ... 20ech0raix

So, QNAP is currently investigating "AgeLocker Ransomware" (previously declared resolved), but Qlocker and eCh0raix have no "Investigating" status; users just pay the ransom.
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by QNAPDanielFL »

ColHut wrote: Thu Apr 29, 2021 1:36 pm
Daniel,

for a typical end user there is not much to show how this all vpn stuff works. There is a guide to set up your NAS(es) as VPN servers or clients with QVPN. There is a guide of sorts on using HBS. So maybe you have all six cans, but it is missing the plastic thingy that holds them all together. A guide for end user showing how to get them to work together and what needs to be enabled/disabled might be a good start.

Regards
"A guide for end user showing how to get them to work together"
This might be easier than you expect. If one NAS is a VPN server using QVPN and the other NAS is a VPN client, or if you use a site-to-site VPN, then it is as if both NAS were in the same LAN for the purposes of setting up an HBS3 backup.

You can use a local IP address for HBS3 just like you could if both NAS were right next to each other. Setup can be the same as HBS3 to another NAS in the same office as the first NAS.

You can use the subnet that the VPN server assigns. But you can also use the normal IP of the destination NAS. To use the VPN subnet, someone posted about that,

viewtopic.php?t=154541#p752206
okenny
Easy as a breeze
Posts: 292
Joined: Tue Dec 29, 2015 6:19 am
Location: Germany

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by okenny »

I started a NAS which hasn't been switched on or patched since November 2020 (It's for backups). I tried walter/walter and admin/walter for the GUI, SSH, Telnet, Rsync, samba and a few other things. It did not work for anything.
So, what is this excitement about? :) (honestly curious)
QNAP TVS-1282-i7-7700K-40G with Corsair H5 SF watercooling, 3x 80mm PWM Noctua fans, 1x 60mm PWM Noctua fan, Corsair SF450 PSU
QNAP TVS-872XT i9-9900k 64GB, Noctua Cooler
TS-653B 16GB
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

okenny wrote: Fri Apr 30, 2021 12:26 am
I started a NAS which hasn't been switched on or patched since November 2020 (It's for backups). I tried walter/walter and admin/walter for the GUI, SSH, Telnet, Rsync, samba and a few other things. It did not work for anything.
So, what is this excitement about? :) (honestly curious)
You're kidding right?

Re-read the post, it is pretty self-explanatory.

viewtopic.php?f=45&t=160849&start=450#p788325
dolbyman
Guru
Posts: 35210
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

It would be important to know in what section of the code these hardcoded credentials are... were they active? .. commented out?

You would have to check the code for that and not just a "grep" for the specific line as in the large txt file provided.

All the code garbage in that provided txt file seems like a dog's dinner .. I have never seen such horrendous code... (tons of links, tests, etc.) I wonder if they had their Christmas wish and shopping lists in there too
okenny
Easy as a breeze
Posts: 292
Joined: Tue Dec 29, 2015 6:19 am
Location: Germany

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by okenny »

jaysona wrote: Fri Apr 30, 2021 12:29 am
okenny wrote: Fri Apr 30, 2021 12:26 am
I started a NAS which hasn't been switched on or patched since November 2020 (It's for backups). I tried walter/walter and admin/walter for the GUI, SSH, Telnet, Rsync, samba and a few other things. It did not work for anything.
So, what is this excitement about? :) (honestly curious)
You're kidding right?

Re-read the post, it is pretty self-explanatory.

viewtopic.php?f=45&t=160849&start=450#p788325
So, I read the post again. Sorry if I am slow and behind the curve here.....I understand that some text files have this "walter" pw etc... in them, but if the password does not work maybe it's just a case of sloppy clean up of old code and it was not deleted? Either you can gain access to the nas with the password, or you cannot? Has anyone actually been able to access the nas with this info?
dolbyman
Guru
Posts: 35210
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

see my reply
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

dolbyman wrote: Fri Apr 30, 2021 12:37 am
it would be important in what section of the code these hardcoded credentials are ... were they active ? .. commented out ?
As far as I can see, they're all either in comments for documentation purpose or in (unused/inactive) tests for debugging purpose.
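One way to do the check dolbyman asks for above (where a grep hit for a credential string sits: a comment, a debug-only branch, or live code), written here as an added example that is not from the thread or from QNAP; the shell-script sample inside it is constructed, and the rule that an if/fi block gated on a DEBUG*/TEST* variable is debug-only is an assumed heuristic:

```python
import re
from dataclasses import dataclass

# Token discussed in the thread; any credential-like pattern would do here.
CRED_RE = re.compile(r"\bwalter\b")

# Constructed shell-script sample for illustration, not QNAP firmware code.
SAMPLE = """\
#!/bin/sh
# test account for the QA lab: walter/walter (do not ship)
TEST_USER="walter"            # active assignment, reachable code
if [ "$DEBUG_MODE" = "1" ]; then
    TEST_PASS="walter"        # only reachable inside a debug branch
fi
echo "Logging in as $TEST_USER"
"""

@dataclass
class Hit:
    line_no: int
    text: str
    kind: str  # "comment", "debug-only" or "active"

def classify(source: str, pattern: re.Pattern = CRED_RE) -> list[Hit]:
    """Return every line matching `pattern`, tagged by where it sits (shell heuristics:
    text after '#' is a comment, naive about '#' inside quoted strings; an if/fi
    block whose condition names a DEBUG*/TEST* variable is treated as debug-only)."""
    hits: list[Hit] = []
    gate_stack: list[bool] = []  # one entry per open if-block: gated on debug/test?
    for n, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if re.match(r"if\b", line):
            gate_stack.append(bool(re.search(r"\b(DEBUG|TEST)\w*", line)))
        elif line == "fi" and gate_stack:
            gate_stack.pop()
        if not pattern.search(raw):
            continue
        code, _, _comment = raw.partition("#")
        if not pattern.search(code):
            kind = "comment"       # token appears only in the comment part
        elif any(gate_stack):
            kind = "debug-only"    # reachable, but only under a debug/test gate
        else:
            kind = "active"        # the hit that actually matters for a reviewer
        hits.append(Hit(n, raw.rstrip(), kind))
    return hits
```

Run it over the extracted text instead of SAMPLE and only the "active" hits need a reviewer's attention first; the rest is the comment and test noise Mousetick describes.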