Please read more than just the latest posts so that you understand the context before posting. infotecmb hasn't been infected by the ransomware and he's not trying to disinfect his system. He's comparing different versions of HBS trying to find the vulnerability.
Moogle Stiltzkin wrote: ↑Fri Apr 30, 2021 12:22 pm
at this point shouldn't he just reinitialize and follow through with malware removal? and fix whatever is exposing the nas in the first place when there may be a vulnerability floating around currently.
[RANSOMWARE] Qlocker
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
- Ericnepean
- Know my way around
- Posts: 133
- Joined: Mon Jul 02, 2012 4:35 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
When I want an isolated LAN my usual practice is to remove the ethernet cable from the WAN port of the router. Simple and effective.
infotecmb wrote: ↑Fri Apr 30, 2021 5:33 am
Connect your QNAP not to the LAN, but directly to the computer. In the case of LAN connection, it could find the way to the Internet through UPnP protocol.
Ericnepean wrote: ↑Fri Apr 30, 2021 3:56 am
My TS251A is currently powered off, fortunately has been powered off for a month. My decision is to power it on again on some LAN not connected to the internet, and pull off all the files. Re-purpose the TR409 as a DAS on my older Mac Mini, and eBay TS251A
Q: How do you know if your QNAP NAS has a vulnerability?
A: When it's powered on.
Ransomware has happened and is always possible on a Mac, but as the article quoted says "There have been a handful of Mac ransomware examples identified by security researchers to date, but not one has led to serious outbreaks"
infotecmb wrote: ↑Fri Apr 30, 2021 5:33 am
You can replace TS251A QTS with Debian Linux running on it as primary OS ( see viewtopic.php?f=147&t=145907 ) and forget about QLocker, AgeLocker and eCh0raix, but in this case, you could not blame QNAP when Debian Linux got something like RotaJakiro.
Read https://www.macworld.co.uk/how-to/ransomware-3659100/ to be prepared for ransomware on Mac.
Q: how to store my data safely?
A: Start by using systems which typically have few vulnerabilities. Back up your data regularly. Disconnect a backup drive immediately after backup (e.g. use a drive dock).
Eric in Ottawa, Canada
TS-251A with 2x 6TB Seagate IronWolf in RAID 1
TR-004 with 4x 4TB HGST in RAID 5
DS923+ with 4x10GB WD Red in RAID 5
- Ericnepean
- Know my way around
- Posts: 133
- Joined: Mon Jul 02, 2012 4:35 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Thanks for the useful advice and perspective. One question:
P3R wrote: ↑Fri Apr 30, 2021 7:43 am
The huge risk is having your NAS exposed on and reachable from the internet. Having the NAS connected to a local network that has outbound internet access is an extremely low risk in comparison.
Ericnepean wrote: ↑Fri Apr 30, 2021 3:56 am
My decision is to power it on again on some LAN not connected to the internet...
Even most of us that are loudly complaining about the security in Qnaps here have our NASes active in our local networks. I'm not in any way more worried about my Qnaps catching a malware now than I was a week before Qlocker hit or before Qsnatch. It's secure enough for almost all users to use in a local network, as long as it isn't directly reachable from the internet.
The reason that we complain about Qnap is that we feel sorry for the less experienced users that have listened to and followed the Qnap marketing message of having "your personal cloud" and "your files reachable from anywhere", as that was and is a high risk exposure, and most of us recommend to stop exposing the NAS. Unfortunately this ransomware once again proved that we have been right when sending that message.
There are only a few steps required to stop exposing your Qnap on the internet:
- Remove any manual port forwarding done in the router/firewall that points at the Qnap.
- Go to the myQNAPcloud app in the web administration, click Auto Router Configuration and then disable UPnP port forwarding.
- If possible, disable UPnP port forwarding in your router/firewall as well.
- Reboot the router/firewall.
I have a firewall/router appliance which I maintain with some care; I do not use my NAS as a router.
I don't use web configuration of anything. Not my NAS, and not my router. Configuration is done from the admin account of my main computer.
TS251A:----|GST108: ---: USG40W: -- :Modem:---:WAN
iMac:--------|
Considering my configuration and that I execute items 1 and 3, what is the point in item 2?
(I'd rather not use web configuration at all)
Eric in Ottawa, Canada
TS-251A with 2x 6TB Seagate IronWolf in RAID 1
TR-004 with 4x 4TB HGST in RAID 5
DS923+ with 4x10GB WD Red in RAID 5
- Moogle Stiltzkin
- Guru
- Posts: 11445
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
oo ic.
P3R wrote: ↑Fri Apr 30, 2021 3:14 pm
Please read more than just the latest posts so that you understand the context before posting. infotecmb hasn't been infected by the ransomware and he's not trying to disinfect his system. He's comparing different versions of HBS trying to find the vulnerability.
Moogle Stiltzkin wrote: ↑Fri Apr 30, 2021 12:22 pm
at this point shouldn't he just reinitialize and follow through with malware removal? and fix whatever is exposing the nas in the first place when there may be a vulnerability floating around currently.
well didn't they recently release a hbs update? i thought that was the fix
i thought they were even gonna update hbs for some of the older models, although i haven't checked to confirm yet.
Last edited by Moogle Stiltzkin on Fri Apr 30, 2021 3:43 pm, edited 1 time in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I wouldn't really worry about any of the Qnap features as long as it's used only locally or protected by a remote access or site-to-site VPN.
I still use QTS with HBS, which is said to have at least one of the vulnerabilities, locally and to a remote site, but none of that is reachable from the internet. It's when you expose the system directly on the internet that the risks increase several thousand per cent.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- New here
- Posts: 2
- Joined: Fri Apr 30, 2021 3:50 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Is it also a problem if just the VPN port is forwarded to the QNAP? E.g. using QVPN (OpenVPN)? I think a lot of people might use it...
P3R wrote:
I wouldn't really worry about any of the Qnap features as long as it's used only locally or protected by a remote access or site-to-site VPN.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I'm not sure I understand.
Ericnepean wrote: ↑Fri Apr 30, 2021 3:39 pm
I don't use web configuration of anything. Not my NAS, and not my router. Configuration is done from the admin account of my main computer.
If you think that by "web administration" I meant something out on the internet, that's not the case. I was only referring to the fact that the normal admin GUI of the Qnap uses the "web" protocols http/https. You know, the one accessed from a web browser by going to http://your_Qnap_IP_address:8080 (unless you have changed the default port of 8080). Despite http/https it's still only local access within your network. I'm sorry for not being more specific.
Currently I would be more worried about the USG in that setup than a Qnap used only locally. Zyxel is producing equipment intended to protect your whole local network but was recently caught with having the whole arm down the cookie jar. On the subject of hardcoded credentials, this one is affecting your appliance...
Ericnepean wrote: ↑Fri Apr 30, 2021 3:39 pm
TS251A:----|GST108: ---: USG40W: -- :Modem:---:WAN
iMac:--------|
Disabling UPnP also in the Qnap makes you more secure in case you one day replace the Zyxel with something that happens to have UPnP enabled. Say that the Zyxel fails and you throw in another router while waiting for the new router/firewall that you have on order. Or that you happen to have a router/firewall that still does UPnP despite that you disabled it! If I'm not wrong Ubiquiti had such an awful bug...
Ericnepean wrote: ↑Fri Apr 30, 2021 3:39 pm
Considering my configuration and that I execute items 1 and 3, what is the point in item 2?
The last step, rebooting the router/firewall, removes any port forwards that are still active even though UPnP has been disabled.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
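The four steps quoted earlier in the thread (remove manual forwards, disable UPnP in myQNAPcloud and in the router, reboot) and the point above that forwards can stay active until the router reboots can both be checked from the LAN. The script below is an added example, not code from the thread or from QNAP: it discovers the router's UPnP Internet Gateway Device over SSDP, walks its port-mapping table with GetGenericPortMappingEntry and lists every mapping whose internal client is the NAS. It assumes a UPnP-capable router on the local network; NAS_IP is a constructed placeholder.

```python
"""Audit a router's UPnP port-mapping table for entries that point at a NAS.
Added example, not from the forum thread. Assumes a UPnP-capable router on the
LAN; NAS_IP is a constructed placeholder."""
import socket
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

NAS_IP = "192.168.1.50"  # constructed placeholder: put your NAS address here
DEV = "{urn:schemas-upnp-org:device-1-0}"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n'
            "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
SOAP = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><u:GetGenericPortMappingEntry xmlns:u="{st}"><NewPortMappingIndex>{i}'
        '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_ssdp_location(raw: bytes):
    """Return the LOCATION header of an SSDP reply, or None if absent."""
    for line in raw.decode("utf-8", "replace").split("\r\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "location":
            return value.strip()
    return None

def discover_igd(timeout=2.0):
    """Multicast an SSDP M-SEARCH for an IGD; return its description URL or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH.encode(), ("239.255.255.250", 1900))
        try:
            return parse_ssdp_location(s.recvfrom(4096)[0])
        except socket.timeout:
            return None  # nobody answered: UPnP is off on the router, or no IGD exists

def find_wan_service(description_xml: str, base_url: str):
    """Return (serviceType, absolute controlURL) of the WAN connection service, or None."""
    for svc in ET.fromstring(description_xml).iter(DEV + "service"):
        stype = svc.findtext(DEV + "serviceType", "")
        if stype in WAN_SERVICES:
            return stype, urljoin(base_url, svc.findtext(DEV + "controlURL", ""))
    return None

def parse_mapping(soap_xml: str):
    """Extract one entry from a GetGenericPortMappingEntry reply (KeyError if absent)."""
    f = {el.tag.split("}")[-1]: el.text or "" for el in ET.fromstring(soap_xml).iter()}
    return {"proto": f["NewProtocol"], "ext_port": int(f["NewExternalPort"]),
            "client": f["NewInternalClient"], "int_port": int(f["NewInternalPort"]),
            "desc": f.get("NewPortMappingDescription", "")}

def walk_mappings(control_url: str, service_type: str):
    """Yield table entries by index until the IGD rejects the index (end of table)."""
    hdrs = {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'}
    for idx in range(65536):
        req = urllib.request.Request(control_url, SOAP.format(st=service_type, i=idx).encode(), hdrs)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                yield parse_mapping(resp.read().decode())
        except (HTTPError, KeyError):  # HTTP 500 with UPnP error 713, or a malformed reply
            return

if __name__ == "__main__":
    location = discover_igd()
    if not location:
        raise SystemExit("no UPnP IGD answered (UPnP off on the router, or none present)")
    with urllib.request.urlopen(location, timeout=5) as r:
        svc = find_wan_service(r.read().decode(), location)
    exposed = [e for e in walk_mappings(svc[1], svc[0]) if e["client"] == NAS_IP] if svc else []
    for e in exposed:
        print(f"EXPOSED {e['proto']} {e['ext_port']} -> {e['client']}:{e['int_port']} ({e['desc']})")
    print(f"{len(exposed)} UPnP mapping(s) point at {NAS_IP}")
```

Run it before and after the reboot step: a mapping that is listed after UPnP was disabled but vanishes after the reboot is exactly the lingering forward described above, and "no UPnP IGD answered" is the expected result once the router itself stops offering UPnP.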
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Very good question! That's a tough one. I probably should have added that the only Qnap feature that can be allowed internet exposure is QVPN, if that's the only possible way.
krambambuli wrote: ↑Fri Apr 30, 2021 3:55 pm
Is it also a problem if just the VPN port is forwarded to the QNAP? E.g. using QVPN (OpenVPN)? I think a lot of people might use it...
Personally I'm not comfortable with using QVPN. To begin with, a remote access VPN is best implemented in the internet-facing router/firewall, so that's my standard recommendation. I use pfSense myself. Some people use a Raspberry Pi or other dedicated VPN-gateway behind the router and I would prefer that over QVPN as well.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- New here
- Posts: 2
- Joined: Fri Apr 30, 2021 3:50 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Thank you for the answer! I deactivated QVPN today. But it annoys me a bit, because things have been great with the service so far and now I have to deal with this "big" issue all over again. I will probably become paranoid regarding qnap and the applications.
P3R wrote: ↑Fri Apr 30, 2021 4:44 pm
Personally I'm not comfortable with using QVPN. To begin with, a remote access VPN is best implemented in the internet-facing router/firewall, so that's my standard recommendation. I use pfSense myself. Some people use a Raspberry Pi or other dedicated VPN-gateway behind the router and I would prefer that over QVPN as well.
-
- New here
- Posts: 6
- Joined: Wed Apr 28, 2021 9:00 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I just noticed that, at least from the UI, there is no feasible way to REALLY and totally disable the default admin user.
While I had admin disabled and had another administrator user active I still saw the user admin doing stuff. I only noticed when I had to re-enable the admin user to be able to connect using ssh to do the photorec method and by chance decided to look at the logs, and apart from warnings of people trying to access by that user, which always failed, admin still ran different things underneath.
- Ericnepean
- Know my way around
- Posts: 133
- Joined: Mon Jul 02, 2012 4:35 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I understand you now, thanks. (Zyxel has a scheme to administer multiple routers via a cloud service)
P3R wrote: ↑Fri Apr 30, 2021 4:32 pm
I'm not sure I understand.
Ericnepean wrote: ↑Fri Apr 30, 2021 3:39 pm
I don't use web configuration of anything. Not my NAS, and not my router. Configuration is done from the admin account of my main computer.
If you think that by "web administration" I meant something out on the internet, that's not the case. I was only referring to the fact that the normal admin GUI of the Qnap uses the "web" protocols http/https. You know, the one accessed from a web browser by going to http://your_Qnap_IP_address:8080 (unless you have changed the default port of 8080). Despite http/https it's still only local access within your network. I'm sorry for not being more specific.
Not anymore, Zyxel fixed that problem a few weeks later with release 4.60; my appliance is now at 4.62. They do update their firmware at least twice a year, mostly bug and security fixes, and are pretty quick with an additional update after a vulnerability is found (which is not as good as not having dumb-a** vulnerabilities). And I'm pretty quick in applying them.
P3R wrote: ↑Fri Apr 30, 2021 4:32 pm
Currently I would be more worried about the USG in that setup than a Qnap used only locally. Zyxel is producing equipment intended to protect your whole local network but was recently caught with having the whole arm down the cookie jar. On the subject of hardcoded credentials, this one is affecting your appliance...
Ericnepean wrote: ↑Fri Apr 30, 2021 3:39 pm
TS251A:----|GST108: ---: USG40W: -- :Modem:---:WAN
iMac:--------|
Zyxel's record is not clean, but which manufacturer of consumer routers has a significantly better record? Dlink and Netgear are definitely worse, and Cisco/Linksys support of consumer routers has been poor. (I have tried all three)
It's certainly possible for Zyxel to have a similar bug. Probably not this bug, as there are others in the Zyxel user community that would have checked and reported this after the Ubiquiti affair.
P3R wrote:
Disabling UPnP also in the Qnap makes you more secure in case you one day replace the Zyxel with something that happens to have UPnP enabled. Say that the Zyxel fails and you throw in another router while waiting for the new router/firewall that you have on order. Or that you happen to have a router/firewall that still does UPnP despite that you disabled it! If I'm not wrong Ubiquiti had such an awful bug...
Ericnepean wrote: ↑Fri Apr 30, 2021 3:39 pm
Considering my configuration and that I execute items 1 and 3, what is the point in item 2?
My QNAP is the end of its ethernet branch; it's not serving as a router for traffic to other devices (and never will).
It is possible that I might by accident or necessity connect it to another router.
Does the QNAP router firewall then also work on traffic to itself even if there is no "thru traffic"? That is a possibility that I had not considered.
Good point.
Eric in Ottawa, Canada
TS-251A with 2x 6TB Seagate IronWolf in RAID 1
TR-004 with 4x 4TB HGST in RAID 5
DS923+ with 4x10GB WD Red in RAID 5
-
- Starting out
- Posts: 29
- Joined: Wed Apr 27, 2011 9:13 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Anyone know if disabling Recommended and Latest Versions in the latest firmware under the auto update tab will now disable the auto-update?
It is not clear at all what happens here.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I don't have a good answer, which is part of the reason that I moved on to real firewalls long ago. I currently run pfSense.
Ericnepean wrote: ↑Fri Apr 30, 2021 9:41 pm
Zyxel's record is not clean, but which manufacturer of consumer routers has a significantly better record?
Regardless, it's definitely best practice to immediately disable it unless you absolutely need to have it enabled. It's very bad that Qnap have (or at least had) it on by default.
Ericnepean wrote:
It is possible that I might by accident or necessity connect it to another router.
Absolutely, protecting itself is the only intention for it as far as I can tell. I'm not very impressed by it. I have it enabled as I wanted to see how it worked, but I'm not sure I will keep it on or enable it if installing any new units. It's pretty limited and doesn't have any detailed logging of what has been stopped (unless enabling a packet trace). Saying that X number of packets have been stopped in a fancy GUI and then not being able to tell why and what has been stopped (not even source address and protocol used) is useless fluff that only marketing people could like. The disclaimer is that logging could be present but the user interface is so badly written that I couldn't find it despite looking for it.
Ericnepean wrote:
Does the QNAP router firewall then also work on traffic to itself even if there is no "thru traffic"?
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- Easy as a breeze
- Posts: 413
- Joined: Sun Oct 20, 2013 11:45 pm
- Location: Premnitz, Germany
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Geo restrictions didn't work for me when I tested it, but the new version can block based on dyndns. I requested it some time ago and they seem to have added it. Using this you could limit the access to specific IPs/nets you trust.
Whether the QFirewall is blocking an attack properly is another question ....
NAS (production): TS-1635AX FW: QTS 5.1.4.2596 build 20231128
NAS (backup): TS-1635AX FW: QTS 5.1.4.2596 build 20231128
QTS (SSD): [RAID-1] 2 x 2TB Samsung Evo 860 M.2-Sata
Data (QTier): [RAID-6] 4 x 4TB Samsung 870 QVO Sata
Data (HDD): [RAID-6] 7 x 18TB Exos
RAM: 8 GB (QNAP shipped)
UPS: CyberPower CP900EPFCLCD
BACKUP: 10x4TB WD Red using a USB 3.0 Dock
Usage: SMB with rclone (encrypted)
NAS: TS-873U-RP FW: QTS 5.1.4.2596 build 20231128
Data (SSD): [RAID-10] 4 x 1TB Samsung Evo 860 Sata
RAM: 8 GB (QNAP shipped)
UPS: CyberPower PR2200ELCDRT2U
BACKUP: 4TB Synology DS214 FW: DSM 7.0.41890
Usage: SMB, Backup Domain Controller
-
- New here
- Posts: 8
- Joined: Mon Jan 28, 2019 7:01 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I was semi lucky. I heard the qnap overworking itself and powered it down before I went to sleep when it hit; it got half a 4gb folder. Lucky it was, since the recovery of just this is taking a long time via ssh, and I can't imagine what it would have been like if it had zipped up the other 20gb as well. Yes, I probably may have got the password, but then in the email from qnap it told me to update the next day, which would have got rid of the password; then they changed their minds and said don't shut down.... WTF, you told me to firmware update.... you do know that causes a restart... so I am glad I did shut down, recovering 2 gigs is going to take a lot less time than 24gb.