[RANSOMWARE] Qlocker

QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by QNAPDanielFL »

infotecmb wrote: Fri Apr 30, 2021 12:04 am New Security Advisory from QNAP:

Code:

AgeLocker Ransomware

    Release date: April 29, 2021
    Security ID: QSA-21-15
    Severity: High
    Affected products: All QNAP NAS
    Status: Investigating

Revision History: V1.0 (April 29, 2021) - Published    
Did they misprint the name "AgeLocker" instead of "Qlocker"? According to QNAP QSA-20-06 with the same subject, the problem was resolved last year:

Code:

AgeLocker Ransomware

    Release date: September 25, 2020
    Security ID: QSA-20-06
    Severity: High
    CVE identifier: N/A
    Affected products: QNAP NAS devices
    Status: Resolved

Revision History: V1.0 (September 25, 2020) - Published
Or do we have multiple ransomware attacks against QNAP with unknown vectors at this moment?

At least eCh0raix ransomware is active now. You would be surprised to find the topic https://www.bleepingcomputer.com/forums ... 20ech0raix

So, QNAP is currently investigating "AgeLocker Ransomware" (previously declared as resolved), but Qlocker and eCh0raix have no "Investigating" status; users just pay the ransom.
"According to QNAP QSA-20-06 with the same Subject, the problem was resolved last year:"

This was patched last year. We just found someone with this malware. But we also found that person had old firmware. So we are investigating to see if this was infected through the old attack vector that was patched in 2020 or if there is a new attack vector. We intend to update the security advisory when we know more.
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Skwor »

QNAPDanielFL wrote: Fri Apr 30, 2021 1:11 am
infotecmb wrote: Fri Apr 30, 2021 12:04 am New Security Advisory from QNAP:

Code:

AgeLocker Ransomware

    Release date: April 29, 2021
    Security ID: QSA-21-15
    Severity: High
    Affected products: All QNAP NAS
    Status: Investigating

Revision History: V1.0 (April 29, 2021) - Published    
Did they misprint the name "AgeLocker" instead of "Qlocker"? According to QNAP QSA-20-06 with the same subject, the problem was resolved last year:

Code:

AgeLocker Ransomware

    Release date: September 25, 2020
    Security ID: QSA-20-06
    Severity: High
    CVE identifier: N/A
    Affected products: QNAP NAS devices
    Status: Resolved

Revision History: V1.0 (September 25, 2020) - Published
Or do we have multiple ransomware attacks against QNAP with unknown vectors at this moment?

At least eCh0raix ransomware is active now. You would be surprised to find the topic https://www.bleepingcomputer.com/forums ... 20ech0raix

So, QNAP is currently investigating "AgeLocker Ransomware" (previously declared as resolved), but Qlocker and eCh0raix have no "Investigating" status; users just pay the ransom.
"According to QNAP QSA-20-06 with the same Subject, the problem was resolved last year:"

This was patched last year. We just found someone with this malware. But we also found that person had old firmware. So we are investigating to see if this was infected through the old attack vector that was patched in 2020 or if there is a new attack vector. We intend to update the security advisory when we know more.
This is a good communication, thank you. It would have been even better to have stated something similar in that security bulletin. I see no reason to hide such information, it does not compromise the investigation.
Last edited by Skwor on Fri Apr 30, 2021 1:14 am, edited 1 time in total.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

I think the whole 'walter' thing may be a red herring. If you still have access to the vulnerable version of HBS, or to the files that were recently quarantined by Malware Remover, you may want to search for the word 'backdoor' instead, and you may find something.

I did find an actual authentication bypass, which I believe is the real thing, but I only have access to old Python files from a couple years ago (from the time I uninstalled HBS from my NAS) and I can't confirm if this backdoor was still present in recent versions.

Code:

grep -r backdoor
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

My comment was merely about the word chaos in the code... pretty sure that in modern times dev teams do not write tons of annotations and comments into the actual code, they would use external dev tools / version trackers for this. (I have seen people use Jira/Atlassian)

But I am not a software dev .. so I could be wrong.
infotecmb
Starting out
Posts: 24
Joined: Thu Sep 03, 2015 11:46 am
Location: Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by infotecmb »

QNAPDanielFL wrote: Thu Apr 29, 2021 11:38 pm I asked about this question. When I talked with the security team...
QNAPDanielFL, do you know who is responsible for crisis management at QNAP?

The current situation reminds me of the Chernobyl disaster. A nuclear accident occurred on Saturday 26 April 1986.
Shortly after the accident, at 01:45, firefighters arrived to try to extinguish the fires, the same way the QNAP security team is playing with the Malware Remover tool.

In the morning of 28 April, radiation levels set off alarms at the Forsmark Nuclear Power Plant in Sweden, over 1,000 kilometres (620 mi) from the Chernobyl Plant. That day, the Swedish government contacted the Soviet government to inquire about whether there had been a nuclear accident in the Soviet Union. The Soviets initially denied it, and it was only after the Swedish government suggested they were about to file an official alert with the International Atomic Energy Agency, that the Soviet government admitted that an accident had taken place at Chernobyl.

At first, the Soviets only conceded that a minor accident had occurred, but once they began evacuating more than 100,000 people, the full scale of the situation was realized by the global community. At 21:02 the evening of 28 April, a 20-second announcement was read in the TV news programme Vremya: "There has been an accident at the Chernobyl Nuclear Power Plant. One of the nuclear reactors was damaged. The effects of the accident are being remedied. Assistance has been provided for any affected people. An investigative commission has been set up."

QNAP started the "evacuation" by secretly replacing the /usr/local/sbin/7z app with a script but did not admit that a major accident happened; it is not resolved yet and the case is under investigation.
"Response to Qlocker Ransomware Attacks" published by the marketing department on April 22, 2021 - Soviet government style.

An international effort from more than 40 countries helped to contain Chernobyl safely.

The QNAP community here could help with the investigation, and eventually we could save the company.
We should fight the hackers together. I would rather contribute my time and money to prevent loss of data than do data recovery and pay criminals.

It's never too late to admit mistakes. Simple "sorry" works way better than "QNAP, a leading computing, networking and storage solution innovator".

Proper communication with the community is the most important thing QNAP can do at this moment. Do not lie or hide anything, provide some facts to improve understanding of what is really going on. It is ok to ask for help.

Any luck getting help from government authorities?
Did anyone report the current ransomware attacks against QNAP to them?

https://www.ic3.gov/Home/Ransomware
https://www.cisa.gov/ransomware
https://cyber.gc.ca/en/ransomware-how-r ... back-track
Barboots
Getting the hang of things
Posts: 53
Joined: Fri Jun 30, 2017 3:24 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Barboots »

wydeng wrote:I wonder why Qnap didn’t send email to all registered users? Qlocker started on 4/19. My files were encrypted on 4/22. I just found out the attack today (4/27). If Qnap had sent email to me, my files could have been saved!
I received an email 5 hours ago.

Bravo Qnap
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

dolbyman wrote: Fri Apr 30, 2021 1:19 am My comment was merely about the word chaos in the code... pretty sure that in modern times dev teams do not write tons of annotations and comments into the actual code, they would use external dev tools / version trackers for this. (I have seen people use Jira/Atlassian)

But I am not a software dev .. so I could be wrong.
FWIW, I'm a (former) software pro. Annotations and comments within the code itself are actually a good practice and are still done today. There's nothing wrong with this HBS code, it's actually pretty "clean" by Python coding standards, and in comparison with other readily available QNAP source code, such as their shell scripts for ex.

I understand it can look like chaos to you. Normally you should not be able to see the source code of proprietary software, so you wouldn't be able to tell anyway.
perkins
Starting out
Posts: 25
Joined: Mon Feb 27, 2017 8:59 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by perkins »

I have the QNAP firewall activated and have the geo restrictions activated. Only traffic from my country is accepted. Does anyone know if the geo restrictions in the firewall block this kind of attack (if it is not coming from the same country where I am)?
Aaronbossig
New here
Posts: 4
Joined: Mon Apr 26, 2021 3:56 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Aaronbossig »

QNAPDanielFL wrote: Fri Apr 30, 2021 1:11 am
infotecmb wrote: Fri Apr 30, 2021 12:04 am New Security Advisory from QNAP:

Code:

AgeLocker Ransomware

    Release date: April 29, 2021
    Security ID: QSA-21-15
    Severity: High
    Affected products: All QNAP NAS
    Status: Investigating

Revision History: V1.0 (April 29, 2021) - Published    
Did they misprint the name "AgeLocker" instead of "Qlocker"? According to QNAP QSA-20-06 with the same subject, the problem was resolved last year:

Code:

AgeLocker Ransomware

    Release date: September 25, 2020
    Security ID: QSA-20-06
    Severity: High
    CVE identifier: N/A
    Affected products: QNAP NAS devices
    Status: Resolved

Revision History: V1.0 (September 25, 2020) - Published
Or do we have multiple ransomware attacks against QNAP with unknown vectors at this moment?

At least eCh0raix ransomware is active now. You would be surprised to find the topic https://www.bleepingcomputer.com/forums ... 20ech0raix

So, QNAP is currently investigating "AgeLocker Ransomware" (previously declared as resolved), but Qlocker and eCh0raix have no "Investigating" status; users just pay the ransom.
"According to QNAP QSA-20-06 with the same Subject, the problem was resolved last year:"

This was patched last year. We just found someone with this malware. But we also found that person had old firmware. So we are investigating to see if this was infected through the old attack vector that was patched in 2020 or if there is a new attack vector. We intend to update the security advisory when we know more.
Daniel,

I think the manner in which QNAP has handled this has been nothing short of negligent, and their public communications a combination of incompetent and tone-deaf. That said, I do not fault you specifically for the overall strategy of your employer, and would like to thank you for your input.

My question: How much is known about the hard-coded logins and back doors, and is any effort being made to patch those out? I'm a user who has lost no data due to this, but have lost a huge amount of time in recovery, as well as a lot of faith in Qnap as a company.

Right now, the question I am asking myself is, can I let this basically-new Qnap NAS live its useful life before I replace it, or do I truly need to scrap it and buy a brand I can trust? Because right now, I absolutely do not trust Qnap.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

perkins wrote: Fri Apr 30, 2021 1:50 am I have the QNAP firewall activated and have the geo restrictions activated. Only traffic from my country is accepted. Does anyone know if the geo restrictions in the firewall block this kind of attack (if it is not coming from the same country where I am)?
It doesn't block this kind of attack at all. It can come from anywhere. Why assume that it can't come from your country?

Furthermore, the IP-geolocation database that is used by QNAP's firewall is not guaranteed to be accurate nor up-to-date. IP blocks are constantly reassigned or relocated.
marklyn
Getting the hang of things
Posts: 95
Joined: Mon Oct 12, 2015 5:26 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by marklyn »

Regarding the above security advisory dated 04/29/2021... I have not received any emails from QNAP today, nor on any other day, regarding critical or high importance issues, yet my tickbox is checked on their website to receive security alerts.
Does anyone have the same problem? Not sure what I can do to fix something that doesn't appear to be a problem but actually is.
TS453Pro, Network: Single port, 8Gb RAM
PC OS: Windows 10 Home
4 TB ST4000VX007 X2 (RAID1) Volume 1
4 TB ST4000VX007 X1 (JBOD) Volume 2
6 TB ST6000VX007 X1 (JBOD) Volume 3
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by oyvindo »

@QNAPDanielFL,
Exactly what authority do you have within the QNAP organisation?
Are you authorized to speak publicly on behalf of this company?
Or are you just another "hobbyist" (like most of us) who happens to also have a "job" at QNAP?
(Or are you not in any way affiliated with the QNAP company?)

Rgds
Oyvind.
infotecmb
Starting out
Posts: 24
Joined: Thu Sep 03, 2015 11:46 am
Location: Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by infotecmb »

Mousetick wrote: Fri Apr 30, 2021 1:14 am I think the whole 'walter' thing may be a red herring. If you still have access to the vulnerable version of HBS, or to the files that were recently quarantined by Malware Remover, you may want to search for the word 'backdoor' instead, and you may find something.

I did find an actual authentication bypass, which I believe is the real thing, but I only have access to old Python files from a couple years ago (from the time I uninstalled HBS from my NAS) and I can't confirm if this backdoor was still present in recent versions.
Have you found the jisoosocoolhbsmgnt sid in the file /share/CACHEDEV1_DATA/.qpkg/HybridBackup/rr2/cgi/hbs_mgnt.py? Last modified on 2021-02-22:

Code:

def check_sid(sid, tr_logger):
    if sid == 'jisoosocoolhbsmgnt':
        tr_logger.info('using backdoor sid...')
        return
That "backdoor" is inactive because 'jisoosocoolhbsmgnt' is 19 characters long while the sid length is 9 for new FW and 33 for old FW.
In Python "return" without the return value is implicitly returning None. With the real sid, it should return the account name.

The 'walter' thing is a good example of developers' code being the same as production code: instead of a test environment, it is distributed worldwide.
Malware Remover identifies this code as Malware ID: MR2102, but it is present in the most recent version of the HBS app.

The HybridBackup/rr2/cgi folder has more than 12000 lines of code. Everyone could read the code to learn how HBS works. Spending more time on it, you will find 'walter' is mostly commented out or used for test purposes, but who knows, maybe one of them is uncommented somewhere.

SAM's security team found some vulnerabilities https://securingsam.com/new-vulnerabili ... -takeover/ and disclosed them to QNAP, and I believe those particular security holes have recently been fixed. We do not know if Qlocker is using just those vulnerabilities or something else.

In the new firmware, QTS 4.5.3.1652 Build 20210428, multiple new vulnerabilities got fixed:
  • Fixed a DOM-based cross-site scripting vulnerability (CVE-2021-28806)
  • Fixed a command injection vulnerability (CVE-2021-28800)
  • They have fixed the vulnerabilities in the following apps: Surveillance Station, QVPN Service, Qfiling, Qsync Central, QcalAgent, and IFTTT Agent
  • Modified various HTTP header default configurations to enhance device security, including X-Content-Type-Options, X-XSS-Protection, and HTTP Strict-Transport-Security (HSTS)
  • Web Server service is now disabled by default
  • App Center automatically installs required updates by default
  • QTS automatically installs recommended firmware updates by default
  • QTS automatically checks the SQL Server password and disables the service if users still use the default password
Is it enough to say the Qlocker issue has been successfully mitigated, or do we not know yet?
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

infotecmb wrote: Fri Apr 30, 2021 2:39 am Have you found the jisoosocoolhbsmgnt sid in the file /share/CACHEDEV1_DATA/.qpkg/HybridBackup/rr2/cgi/hbs_mgnt.py? Last modified on 2021-02-22:

Code:

def check_sid(sid, tr_logger):
    if sid == 'jisoosocoolhbsmgnt':
        tr_logger.info('using backdoor sid...')
        return
That "backdoor" is inactive because 'jisoosocoolhbsmgnt' is 19 characters long while the sid length is 9 for new FW and 33 for old FW.
In Python "return" without the return value is implicitly returning None. With the real sid, it should return the account name.
So you've found it too in recent code, good.

No, that's not how it works, at least in the version of the code I've been looking at.

check_sid doesn't return anything, it simply validates the session id and throws an exception (which will immediately terminate HTTP request processing on the server side and return an error to the client) if it's not valid. If the session id is equal to the backdoor id, the code doesn't care whether the session id is 9 or 33 characters long, or whether it's formatted correctly - it returns immediately - that is a bypass by definition. Then the HTTP request processing continues as if it were properly authenticated...

So IMHO by the looks of it this code is not inactive and could work as intended.
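As an added illustration of the point made above (this is not code from HBS or from QNAP), a small Python model of the session check: one version with the hard-coded early return quoted earlier in the thread, one with it removed, and an AST scan that flags the `if sid == '<literal>': return` shape in source text. The session store and the 9/33-character sid formats are constructed assumptions for the example.

```python
import ast
import re
BACKDOOR_SID = "jisoosocoolhbsmgnt"  # the literal quoted in the thread

class AuthError(Exception):
    """Raised on an invalid session; the real CGI would abort the request."""

# Constructed session store (sid -> account). The 9- and 33-character hex
# formats are an assumption modelled on the "new FW" / "old FW" lengths above.
SESSIONS = {"0123456ab": "admin"}
SID_FORMAT = re.compile(r"^(?:[0-9a-f]{9}|[0-9a-f]{33})$")

def check_sid_vulnerable(sid, sessions=SESSIONS):
    """Pattern as described: a hard-coded sid returns before any validation runs."""
    if sid == BACKDOOR_SID:
        return                      # short-circuit: length/format checks never run
    if not SID_FORMAT.match(sid):
        raise AuthError("malformed sid")
    if sid not in sessions:
        raise AuthError("unknown sid")

def check_sid_fixed(sid, sessions=SESSIONS):
    """Same validation with the short-circuit removed."""
    if not isinstance(sid, str) or not SID_FORMAT.match(sid):
        raise AuthError("malformed sid")
    if sid not in sessions:
        raise AuthError("unknown sid")

def request_allowed(check, sid):
    """True if request processing would continue past the session check."""
    try:
        check(sid)
        return True
    except AuthError:
        return False

def find_literal_sid_returns(source):
    """Return the string literals L for which the source contains
    `if sid == L:` with a bare `return` in its body."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.If) and isinstance(node.test, ast.Compare)):
            continue
        test = node.test
        if not (isinstance(test.left, ast.Name) and test.left.id == "sid"
                and len(test.ops) == 1 and isinstance(test.ops[0], ast.Eq)
                and isinstance(test.comparators[0], ast.Constant)
                and isinstance(test.comparators[0].value, str)):
            continue
        if any(isinstance(s, ast.Return) and s.value is None for s in node.body):
            hits.append(test.comparators[0].value)
    return hits

# The snippet quoted in the thread, used as sample input for the scan.
SNIPPET = '''def check_sid(sid, tr_logger):
    if sid == 'jisoosocoolhbsmgnt':
        tr_logger.info('using backdoor sid...')
        return
'''
```

Running the scan over the real hbs_mgnt.py would need the full file; here it only shows that the quoted shape is mechanically detectable.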
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by syncthing »

Mousetick wrote: Fri Apr 30, 2021 1:14 am I did find an actual authentication bypass, which I believe is the real thing, but I only have access to old Python files from a couple years ago (from the time I uninstalled HBS from my NAS) and I can't confirm if this backdoor was still present in recent versions.

Code:

grep -r backdoor
Malware Remover removed some code from hbs_mgnt.py 2 days ago which had this special SID (the function check_sid is not only 3 lines long).