[RANSOMWARE] Qlocker

P3R

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

Moogle Stiltzkin wrote: Fri Apr 30, 2021 12:22 pm at this point shouldn't he just reinitialize and follow through with malware removal? and fix whatever is exposing the nas in the first place when there may be a vulnerability floating around currently.
Please read more than just the latest posts so that you understand the context before posting. infotecmb hasn't been infected by the ransomware and he's not trying to disinfect his system. He's comparing different versions of HBS trying to find the vulnerability.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Ericnepean

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Ericnepean »

infotecmb wrote: Fri Apr 30, 2021 5:33 am
Ericnepean wrote: Fri Apr 30, 2021 3:56 am My TS251A is currently powered off, fortunately has been powered off for a month. My decision is to power it on again on some LAN not connected to the internet, and pull off all the files. Re-purpose the TR409 as a DAS on my older Mac Mini, and eBay TS251A

Q: How do you know if your QNAP NAS has a vulnerability?
A: When it's powered on.
Connect your QNAP not to the LAN, but directly to the computer. In the case of LAN connection, it could find the way to the Internet through UPnP protocol.
When I want an isolated LAN my usual practice is to remove the ethernet cable from the WAN port of the router. Simple and effective.
infotecmb wrote: Fri Apr 30, 2021 5:33 am You can replace TS251A QTS with Debian Linux running on it as primary OS ( see viewtopic.php?f=147&t=145907 ) and forget about QLocker, AgeLocker and eCh0raix, but in this case, you could not blame QNAP when Debian Linux got something like RotaJakiro.

Read https://www.macworld.co.uk/how-to/ransomware-3659100/ to be prepared for ransomware on Mac.
Ransomware has happened and is always possible on a Mac, but as the article quoted says, "There have been a handful of Mac ransomware examples identified by security researchers to date, but not one has led to serious outbreaks".
infotecmb wrote: Fri Apr 30, 2021 5:33 am Q: how to store my data safely?
A: disconnect all cables and put your NAS in the fire-resistant vault within a secure perimeter.

Everything could be hacked nowadays :(
Q: how to store my data safely?
A: Start by using systems which typically have few vulnerabilities. Back up your data regularly, and disconnect a backup drive immediately after backup (e.g. use a drive dock).
Eric in Ottawa, Canada
TS-251A with 2x 6TB Seagate IronWolf in RAID 1
TR-004 with 4x 4TB HGST in RAID 5
DS923+ with 4x10GB WD Red in RAID 5
Ericnepean

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Ericnepean »

P3R wrote: Fri Apr 30, 2021 7:43 am
Ericnepean wrote: Fri Apr 30, 2021 3:56 am My decision is to power it on again on some LAN not connected to the internet...
The huge risk is having your NAS exposed on and reachable from the internet. Having the NAS connected to a local network that has outbound internet access is an extremely low risk in comparison.

Even most of us that are loudly complaining about the security in Qnaps here have our NASes active in our local networks. I'm not in any way more worried about my Qnaps catching a malware now than I was a week before Qlocker hit or before Qsnatch. It's secure enough for almost all users to use in a local network, as long as it isn't directly reachable from the internet.

The reason that we complain about Qnap is that we feel sorry for the less experienced users that have been listening to and followed the Qnap marketing message of having "your personal cloud" and "your files reachable from anywhere" as that was and is a high risk exposure and most of us recommend to stop exposing the NAS. Unfortunately this ransomware once again proved that we have been right when sending that message.

There are only a few steps required to stop exposing your Qnap on the internet:
  1. Remove any manual port forwarding done in the router/firewall that points at the Qnap.
  2. Go to the myQNAPcloud app in the web administration, click Auto Router Configuration and then disable UPnP port forwarding.
  3. If possible, disable UPnP port forwarding in your router/firewall as well.
  4. Reboot the router/firewall.
Thanks for the useful advice and perspective. One question:

I have a firewall/router appliance which I maintain with some care; I do not use my NAS as a router.
I don't use web configuration of anything. Not my NAS, and not my router. Configuration is done from the admin account of my main computer.

TS251A:----|GST108: ---: USG40W: -- :Modem:---:WAN
iMac:--------|

Considering my configuration and that I execute items 1 and 3, what is the point in item 2?
(I'd rather not use web configuration at all)
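The four steps quoted above end with a router reboot because a UPnP mapping that an app created can outlive the setting that allowed it. As an added example (not code from the thread or from QNAP), this POSIX shell script parses a saved listing from miniupnpc's `upnpc -l` and reports any mapping that still targets the NAS; the NAS address and the sample listing are constructed assumptions, and the exact output of your router may differ.

```shell
#!/bin/sh
# Added example, not code from the thread: after disabling UPnP port
# forwarding on the NAS and on the router, confirm that the router no
# longer advertises any mapping that points at the NAS.
# Capture the listing first, e.g.:  upnpc -l > /tmp/upnpc.txt
# (upnpc is the miniupnpc client; this script only parses its output).

NAS_IP="192.168.1.20"   # assumption: the LAN address of the QNAP

# Constructed sample of an `upnpc -l` listing; the two QNAP entries are
# the kind of stale forward that steps 1-3 above are meant to remove.
SAMPLE="List of UPNP devices found on the network :
 desc: http://192.168.1.1:5000/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.1.1:5000/ctl/IPConn
ExternalIPAddress = 203.0.113.7
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.20:8080 'QNAP NAS' '' 0
 1 TCP   443->192.168.1.20:443 'QNAP NAS' '' 0
 2 UDP 51820->192.168.1.30:51820 'wireguard' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)"

# nas_mappings LISTING_FILE NAS_IP
# Prints "PROTO extPort -> inAddr:inPort" for every mapping whose internal
# address is NAS_IP. Mapping lines have the shape
# " 0 TCP  8080->192.168.1.20:8080 'desc' 'remote' lease", so the third
# whitespace-separated field carries extPort->inAddr:inPort.
nas_mappings() {
    awk -v nas="$2" '
        $3 ~ /->/ {
            split($3, ends, "->")          # ends[1]=extPort, ends[2]=inAddr:inPort
            split(ends[2], inner, ":")     # inner[1]=inAddr
            if (inner[1] == nas) print $2 " " ends[1] " -> " ends[2]
        }' "$1"
}

# check_exposure LISTING_FILE NAS_IP
# Exit status 0 when nothing points at the NAS, 1 when a forward remains.
check_exposure() {
    found=$(nas_mappings "$1" "$2")
    if [ -n "$found" ]; then
        printf 'Port forwards still point at %s:\n%s\n' "$2" "$found" >&2
        return 1
    fi
    printf 'No UPnP mapping points at %s\n' "$2"
    return 0
}

# Stand-alone demo on the constructed sample.
listing=$(mktemp)
printf '%s\n' "$SAMPLE" > "$listing"
if check_exposure "$listing" "$NAS_IP"; then
    echo "NAS is not forwarded; reboot the router anyway to flush old state"
else
    echo "Remove these forwards, then reboot the router and re-run"
fi
rm -f "$listing"
```

Run it against a real capture by replacing the demo's temp file with the path of your saved `upnpc -l` output; a clean result after the reboot confirms step 4 did its job.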
Moogle Stiltzkin

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Moogle Stiltzkin »

P3R wrote: Fri Apr 30, 2021 3:14 pm
Moogle Stiltzkin wrote: Fri Apr 30, 2021 12:22 pm at this point shouldn't he just reinitialize and follow through with malware removal? and fix whatever is exposing the nas in the first place when there may be a vulnerability floating around currently.
Please read more than just the latest posts so that you understand the context before posting. infotecmb hasn't been infected by the ransomware and he's not trying to disinfect his system. He's comparing different versions of HBS trying to find the vulnerability.
oo ic.

well didn't they recently release a hbs update? i thought that was the fix :'

i thought they were even gonna update hbs for some of the older models, although i haven't checked to confirm yet.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
P3R

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

Barboots wrote: Fri Apr 30, 2021 9:18 am I would like to use QsyncPro (locally) if it is considered by the brains-trust to be safe enough.
I wouldn't really worry about any of the Qnap features as long as it's used only locally or protected by a remote access or site-to-site VPN.

I still use QTS with HBS, that is said to have at least one of the vulnerabilities, locally and to a remote site but none of that is reachable from the internet. It's when you expose system directly on the internet, that the risks increase several thousand per cent.
krambambuli

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by krambambuli »

I wouldn't really worry about any of the Qnap features as long as it's used only locally or protected by a remote access or site-to-site VPN.
Is it also a problem if just the VPN port is forwarded to the QNAP? E.g. using QVPN (OpenVPN)? I think a lot of people might use it... :S
P3R

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

Ericnepean wrote: Fri Apr 30, 2021 3:39 pm I don't use web configuration of anything. Not my NAS, and not my router. Configuration is done from the admin account of my main computer.
I'm not sure I understand.

If you think that by "web administration" I meant something out on internet, that's not the case. I was only referring to that the normal admin gui interface of the Qnap is using the "web" protocols http/https. You know the one accessed from a web browser by going to http://your_Qnap_IP_address:8080 (unless you have changed the default port of 8080). Despite http/https It's still only local access within your network. I'm sorry for not being more specific.
TS251A:----|GST108: ---: USG40W: -- :Modem:---:WAN
iMac:--------|
Currently I would be more worried about the USG in that setup than a Qnap used only locally. Zyxel is producing equipment intended to protect your whole local network but was recently caught with having the whole arm down the cookie jar. On the subject of hardcoded credentials, this one is affecting your appliance... :roll:
Considering my configuration and that I execute items 1 and 3, what is the point in item 2?
Disabling UPnP also in the Qnap makes you more secure in case you one day replace the Zyxel with something that happens to have UPnP enabled. Say that the Zyxel fails and that you throw in another router while waiting for the new router/firewall that you have on order. Or that you happen to have a router/firewall that still does UPnP despite you having disabled it! If I'm not wrong, Ubiquiti had such an awful bug...

The last step, rebooting the router/firewall, removes any still active port forwards despite having disabled UPnP.
P3R

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

krambambuli wrote: Fri Apr 30, 2021 3:55 pm Is it also a problem if just the VPN port ist forwarded to the QNAP? E.g. using QVPN (OpenVPN)? I think a lot of people might use it... :S
Very good question! That's a tough one. I probably should have added that the only Qnap feature that can be allowed internet exposure is QVPN, if that's the only possible way.

Personally I'm not comfortable with using QVPN. To begin with a remote access VPN is best implemented in the internet-facing router/firewall so that's my standard recommendation. I use pfSense myself. Some people use a Raspberry Pi or other dedicated VPN-gateway behind the router and I would prefer that over QVPN as well.
krambambuli

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by krambambuli »

P3R wrote: Fri Apr 30, 2021 4:44 pm Personally I'm not comfortable with using QVPN. To begin with a remote access VPN is best implemented in the internet-facing router/firewall so that's my standard recommendation. I use pfSense myself. Some people use a Raspberry Pi or other dedicated VPN-gateway behind the router and I would prefer that over QVPN as well.
Thank you for the answer! I deactivated QVPN today. But it annoys me a bit, because things have been great with the service so far and now I have to deal with this "big" issue all over again. I will probably become paranoid regarding qnap and the applications :(
agarceran

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by agarceran »

I just noticed that, at least from the UI, there is not a feasible way to REALLY and totally disable the default admin user.
While I had admin disabled and had another administrator user active, I still saw the user admin doing stuff. I only noticed when I had to re-enable the admin user to be able to connect using ssh to do the photorec method and by chance decided to look at the logs; apart from warnings of people trying to access by that user, which always failed, admin still ran different things underneath.
Ericnepean

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Ericnepean »

P3R wrote: Fri Apr 30, 2021 4:32 pm
Ericnepean wrote: Fri Apr 30, 2021 3:39 pm I don't use web configuration of anything. Not my NAS, and not my router. Configuration is done from the admin account of my main computer.
I'm not sure I understand.

If you think that by "web administration" I meant something out on internet, that's not the case. I was only referring to that the normal admin gui interface of the Qnap is using the "web" protocols http/https. You know the one accessed from a web browser by going to http://your_Qnap_IP_address:8080 (unless you have changed the default port of 8080). Despite http/https It's still only local access within your network. I'm sorry for not being more specific.
I understand you now, thanks. (Zyxel has a scheme to administer multiple routers via a cloud service)
P3R wrote: Fri Apr 30, 2021 4:32 pm
TS251A:----|GST108: ---: USG40W: -- :Modem:---:WAN
iMac:--------|
Currently I would be more worried about the USG in that setup than a Qnap used only locally. Zyxel is producing equipment intended to protect your whole local network but was recently caught with having the whole arm down the cookie jar. On the subject of hardcoded credentials, this one is affecting your appliance... :roll:
Not anymore :) , Zyxel fixed that problem a few weeks later with release 4.60, my appliance is now at 4.62. They do update their firmware at least twice a year, mostly bug and security fixes, and are pretty quick with an additional update after a vulnerability is found. (which is not as good as not having dumb-a** vulnerabilities). And I'm pretty quick in applying them.

Zyxel's record is not clean, but which manufacturer of consumer routers has a significantly better record? Dlink and Netgear are definitely worse, and Cisco/Linksys support of consumer routers has been poor. (I have tried all three)
P3R wrote:
Ericnepean wrote: Fri Apr 30, 2021 3:39 pmConsidering my configuration and that I execute items 1 and 3, what is the point in item 2?
Disabling UPnP also in the Qnap makes you more secure in case you one day replace the Zyxel with something that happens to have UPnP enabled. Say that the Zyxel fails and that you throw in another router while waiting for the new router/firewall that you have on order. Or that you happen to have a router/firewall that still does UPnP despite you having disabled it! If I'm not wrong, Ubiquiti had such an awful bug...
It's certainly possible for Zyxel to have a similar bug. Probably not this bug, as there are others in the Zyxel user community that would have checked and reported this after the Ubiquiti affair.
My QNAP is the end of its ethernet branch; it's not serving as a router for traffic to other devices (and never will).
It is possible that I might by accident or necessity connect it to another router.
Does the QNAP router firewall then also work on traffic to itself even if there is no "thru traffic"? That is a possibility that I had not considered.
P3R wrote: Fri Apr 30, 2021 4:32 pm The last rebooting the router/firewall removes any still active port forwards despite having disabled UPnP.
Good point.
dmccormack

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dmccormack »

Anyone know if disabling Recommended and Latest Versions in the latest firmware under the auto update tab will now disable the auto-update?
It is not clear at all what happens here.
P3R

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

Ericnepean wrote: Fri Apr 30, 2021 9:41 pm Zyxel's record is not clean, but which manufacturer of consumer routers has a significantly better record?
I don't have a good answer, which is part of the reason that I moved on to real firewalls long ago. I currently run pfSense.
It is possible that I might by accident or necessity connect it to another router.
Regardless, it's definitely best practice to immediately disable it unless you absolutely need to have it enabled. It's very bad that Qnap have (or at least had) it on by default.
Does the QNAP router firewall then also work on traffic to itself even if there is no "thru traffic"?
Absolutely, it's only to protect itself that is the intention for it as far as I can tell. I'm not very impressed by it. I have it enabled as I wanted to see how it worked but I'm not sure I will keep it on or enable it if installing any new units. It's pretty limited and doesn't have any detailed logging of what have been stopped (unless enabling a packet trace). Saying that X number of packets have been stopped in a fancy gui and then not being able to tell why and what have been stopped (not even source address and protocol used) is useless fluff that only marketing people could like. The disclaimer is that logging could be present but the user interface is so badly written that I couldn't find it despite looking for it.
holger_kuehn

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by holger_kuehn »

perkins wrote: Fri Apr 30, 2021 1:50 am I have a qnap firewall activated and have the geo restrictions activated. Only traffic from my country is accepted. Does anyone know if the geo restrictions in firewall blocks this kind of attack (if it is not coming from the same country where I am)?
Geo restrictions didn't work for me, when I tested it, but the new version can block based on dyndns. I requested it some time ago and they seem to have added it. Using this you could limit the access to specific IPs/Nets you trust.

Whether the QFirewall blocks an attack properly is another question ....
NAS (production): TS-1635AX FW: QTS 5.1.4.2596 build 20231128
NAS (backup): TS-1635AX FW: QTS 5.1.4.2596 build 20231128
QTS (SSD): [RAID-1] 2 x 2TB Samsung Evo 860 M.2-Sata
Data (QTier): [RAID-6] 4 x 4TB Samsung 870 QVO Sata
Data (HDD): [RAID-6] 7 x 18TB Exos
RAM: 8 GB (QNAP shipped)
UPS: CyberPower CP900EPFCLCD
BACKUP: 10x4TB WD Red using a USB 3.0 Dock
Usage: SMB with rclone (encrypted)

NAS: TS-873U-RP FW: QTS 5.1.4.2596 build 20231128
Data (SSD): [RAID-10] 4 x 1TB Samsung Evo 860 Sata
RAM: 8 GB (QNAP shipped)
UPS: CyberPower PR2200ELCDRT2U
BACKUP: 4TB Synology DS214 FW: DSM 7.0.41890
Usage: SMB, Backup Domain Controller
Rchiil

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Rchiil »

I was semi lucky. I heard the QNAP overworking itself and powered it down before I went to sleep when it hit; it got half a 4GB folder. Lucky it was, as the recovery of just this is taking a long time via SSH, and I can't imagine what it would have been like if it had zipped up the other 20GB as well :( Yes, I probably may have got the password, but then the email from QNAP told me to update the next day, which would have got rid of the password; then they changed their minds and said don't shut down.... WTF, you told me to firmware update.... you do know that causes a restart... So I am glad I did shut down; recovering 2 gigs is going to take a lot less time than 24GB.