[RANSOMWARE] Qlocker

P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

OneCD wrote: Thu Apr 29, 2021 4:36 am So, QNAP sent a security bulletin from the marketing address? Someone at QNAP needs a kick in the pants.
You're right of course but I can think of a few more reasons they need some kicks.

One would have thought that they had learned from the Qsnatch disaster. After that they promised they would improve, yet here we are again a year later.

But now they really, really promise to improve so in the future we can all feel safe...
QnapDanielFL wrote: Our security should have been better. We are making it better now.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

P3R wrote: Thu Apr 29, 2021 7:48 am Security-oriented manufacturers have a section in their security advisories that explains the technical details to help more informed users understand how they can protect themselves, but as Qnap do their best to keep their customers in the dark, our only choice is to speculate and guess. :cry:
You're right. It looks to me as if QNAP is more interested in protecting themselves than helping their customers.
I'm trying to understand how the ransomware infects systems and exactly what exposure enabled the systems to become a target.
Here are a couple more pieces of info to explain what likely happened.

1. Excerpt from security alert email sent by QNAP on April 21-22 while the attacks were in full swing:
hbs1.png
To "log in" to a device, you normally use the QTS login page. Both authentication and interaction with an application such as HBS are done via the QTS web port (8080, 443 by default). With this HBS vulnerability, you don't need to know any specific username or password: you use the hardcoded backdoor and you're in with admin user privileges. Furthermore, HBS had a command injection vulnerability, allowing execution of arbitrary commands. Both combined basically give complete control of the system.

2. Excerpt from a news article published by Bleeping Computer on April 22:
hbs2.png
QNAP removes backdoor account in NAS backup, disaster recovery app
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

I received mails about Security Advisories related to Qlocker on the 19th (QTS and media streaming add-on) and on the 22nd (HBS).

To make sure you get notifications when Security Advisories are published:
  1. Go to the Qnap site
  2. Click the Sign-in button in the upper right corner and log in
  3. Click the icon that has replaced the Sign-in button in the upper right corner and select Account Center in the menu
  4. Click My Subscriptions and make sure you select at least Security Advisories before activating and saving your subscriptions.
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R »

Mousetick wrote: Thu Apr 29, 2021 8:45 am To "log in" to a device, you normally use the QTS login page. Both authentication and interaction with an application such as HBS are done via the QTS web port (8080, 443 by default). With this HBS vulnerability, you don't need to know any specific username or password: you use the hardcoded backdoor and you're in with admin user privileges. Furthermore, HBS had a command injection vulnerability, allowing execution of arbitrary commands. Both combined basically give complete control of the system.
It doesn't clearly say that it's through the web admin page. I'm not saying this to criticize you, but I can't accept that the web admin port is the only way in until it's confirmed. Yes, it may be the most probable (it scales much better), but until it's confirmed by a reliable source, I consider that to be only your assumption, hypothesis or best guess.

You have an authentication in the RTRR server that is separate from the regular NAS user accounts, and the hardcoded account could also be such an HBS/RTRR-specific account. If so, the HBS vulnerability could be through an open RTRR port. With a command-injection vulnerability in HBS/RTRR on top of that, you could affect anything in QTS. I wouldn't at this point rule out the RTRR port as a separate attack vector.
wydeng
New here
Posts: 4
Joined: Wed Apr 28, 2021 11:05 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by wydeng »

I asked QNAP why they didn't send out email. Here is the reply from the support:
"We issue an advisory when vulnerabilities are discovered. We cannot send the advisory emails unless subscribed as we need your consent to email you. "

and second reply:
"I understand that this is an emergency situation but if we sent out an unsolicited email notification to all contacts our email servers would get reported as spammers and would be blocked globally for all messaging. This is why the notifications require subscription."

I checked my Qnap account in the subscription section. There are 13 categories. The only category I wasn't subscribed to was the security bulletin. I don't believe I chose them. Must be some kind of default settings:
subscription.JPG
I am really worried about the other Qnap users who are still unaware of this problem. Qlocker is still out there searching for victims. Qnap can do better than this!
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick »

P3R wrote: Thu Apr 29, 2021 9:29 am I can't accept that the web admin port is the only way in until it's confirmed. Yes, it may be the most probable (it scales much better), but until it's confirmed by a reliable source, I consider that to be only your assumption, hypothesis or best guess.

I wouldn't at this point rule out the RTRR-port as a separate attack vector.
Nobody outside QNAP can know for sure so I'd suggest you contact them and demand a straight answer from them.

I wouldn't mind if my best guess were proven wrong. Please share your confirmation once you have received it. Thanks :)
ColHut
Know my way around
Posts: 249
Joined: Sat Oct 14, 2017 12:13 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ColHut »

QNAPDanielFL wrote: Thu Apr 29, 2021 1:35 am
agarceran wrote: Wed Apr 28, 2021 11:08 pm Just noticed my files were encrypted... after I had rebooted to apply a firmware update.

Still waiting for any communication from QNAP whatsoever; could have avoided all this if they had just sent an email on the 21st or 22nd... it is the 28th, for QNAP's sake. I have a partial backup of the most important files but some files are completely lost and I'm not paying. Worse, I discovered it just as I had to go to work, had to leave the NAS shut down and walk away, and I am feeling physically ill. Before I left home I thought it was one of my computers that was at fault, but now I found out it was the NAS that got hacked by the qnapcloud, and no, having the NAS disconnected from the internet is just like having a dumb USB drive. Sure, it was one of the cheap models and with only 5 TB hard drives, but it was advertised as having all those online capabilities I like to use... I am very, very disappointed and just bought a big USB drive to see what I can salvage...

Now I have to buy a boat, so I can repurpose this POS as a boat anchor as suggested by a reddit post.
I am sorry this happened to you. Our security should have been better. We are making it better now.
I understand that disconnecting the NAS from the internet will remove much of its usefulness.
We have QVPN to let you access the NAS remotely in a secure way. Would a VPN allow you to remote access the NAS in all the ways you would need for your use case?
Daniel,

for a typical end user there is not much to show how all this VPN stuff works. There is a guide to set up your NAS(es) as VPN servers or clients with QVPN. There is a guide of sorts on using HBS. So maybe you have all six cans, but it is missing the plastic thingy that holds them all together. A guide for end users showing how to get them to work together and what needs to be enabled/disabled might be a good start.

Regards
ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar »

Well after days of frustration and reading and reading and reading and googling until I was on the verge of madness,

I tried again for the 3rd time to follow Xandl's tutorial to try and get my files back using PuTTY. The first times I got stuck and gave up. But thank heavens I tried once again.

I read it again and then went to the YouTube tutorial based on this script and followed it to the letter, slow and easy.

https://www.youtube.com/watch?v=qv9mri_xHg0

Guess what? It works !! At time of post 28k recovered 35 hours 46 mins to completion.

My files are being copied over as you read this. So far 20 directories full of about 20k files are now on my external Win 10 drive, with many per second being copied.

These are the files those scum criminals deleted after they encrypted them with 7z. The deleted files are still there for Photorec to retrieve.
They are not named except for numbers, but that is okay, just have to rename them. Better than having to try and find them all again.

If you are struggling, follow the YouTube video and read the tutorial on the Bleeping Computer site.

NOTE: near the end of the YouTube tutorial, there are a couple of commands that are not on the web tutorial. I did what was on YouTube exactly and it does work. The YouTube

https://www.bleepingcomputer.com/forums ... -nas-hack/

Good luck to all and many thanks to xandl at Bleeping and TFI at YouTube.
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
dmccormack
Starting out
Posts: 29
Joined: Wed Apr 27, 2011 9:13 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dmccormack »

I see in the latest firmware release notes that the firmware auto-update is now enabled by default. After installing the update, I looked under the Auto Update tab. But it is not very clear; if anything, it is confusing.
You can now set a schedule to check and install updates (daily, weekly and monthly). And there are 2 check boxes underneath, Recommended Version and Latest Version.

I just want to turn off auto updates, I don't want the NAS randomly rebooting. There is no option under the scheduler to explicitly not schedule firmware updates and installs. If I uncheck both checkboxes, can I assume that the auto updates will not happen?
infotecmb
Starting out
Posts: 24
Joined: Thu Sep 03, 2015 11:46 am
Location: Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by infotecmb »

P3R wrote: Thu Apr 29, 2021 7:48 am
I was only formulating a hypothesis of the QLocker attack vector based on indirect evidence gathered here and there. I don't claim to know specifically how it happened.
Both you and infotecmb made statements that made it sound as if your hypothesis was already a verified truth. That's why I asked both of you to clarify, as I have not seen Qnap confirm that the web admin port is the only way all of these vulnerabilities are being misused.

I'm trying to understand how the ransomware infects systems and exactly what exposure enabled the systems to become a target.

Security-oriented manufacturers have a section in their security advisories that explains the technical details to help more informed users understand how they can protect themselves, but as Qnap do their best to keep their customers in the dark, our only choice is to speculate and guess. :cry:
Since day one of the attack, I have been reading all messages in this and the bleepingcomputer QLocker topics.
My main unaffected QNAP with 80TB of data is powered off until I find out how this attack happened, to be 100% sure it is safe to turn it back on.
Meanwhile, I manually protect two other unaffected QNAPs that can't be unplugged.

We can only make assumptions based on the information disclosed by QNAP or their actions.

It looks like HBS 3 Hybrid Backup Sync is the main trouble, but:
1) we do not know if anyone with QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later was affected or not
2) when the next version of HBS 3 Hybrid Backup Sync > 16.0.0419 for QTS 4.5.2 will be released with the real fix, or at least with junk code cleaned out
3) QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0419 released on 2021/04/22 does not have any security fixes

From the latest news:

HBS 3 Hybrid Backup Sync 3.0.210411
( 2021/04/29 )
[Applicable Models]
- End-of-life NAS models running QTS 4.3.3 or 4.3.4
 
[Important Notes]
- This is a security update for end-of-life NAS models running QTS versions 4.3.3 and 4.3.4.
 
[Security Updates]
- Fixed a security vulnerability.
It sounds like confirmation of the problem. Support for end-of-life products is a rare occasion and happens only in case of really serious issues.

The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of code with the word "walter".

Go to your QNAP and issue the following command (you can also download attached output):

cd /share/CACHEDEV1_DATA/.qpkg/HybridBackup/ ; grep -r -i walter *
Looks like "walter" is that hard-coded password when you see the following:

"pwd_plain": "walter"
"admin_pwd": "walter"
NAS_PWD=walter
SERVER_PLAIN_PWD=walter
enc_pwd = 'RWxKZEJRUUk=' # enc 'walter" then b64
'enc_pwd': 'VAEC'        # -->  'walter' --> fw ecrypted
'enc_pwd': 'ElJdBQQI'    # -->  'walter' --> fw decrypted
"name": "waltershao"
I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

According to LinkedIn, Walter Shao has been QNAP Technical Manager since 2013:
walter.PNG
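The `grep -r -i walter` check above only works once you already know the secret. As an added example (not code from this thread or from QNAP's HBS package), the script below generalizes that check into a pattern-based scan: it walks a directory tree looking for credential-style keys (pwd, passwd, password, secret, token, api_key) assigned a literal value in JSON, Python, shell or INI style files, and reports whether the literal also base64-decodes to printable text, which is how the `enc_pwd` entries in the post would show up. The sample files it creates are constructed for this example; only the key names (`pwd_plain`, `admin_pwd`, `NAS_PWD`, `SERVER_PLAIN_PWD`, `enc_pwd`) mirror the post, the values are placeholders.

```python
"""Pattern-based scan for hard-coded credentials in a directory tree.

Added example, not code from the forum thread or from QNAP's HBS package.
Key names in the constructed sample files mirror those quoted in the post;
the file contents and secret values are placeholders.
"""
import base64
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Key names that commonly carry a credential (matched case-insensitively).
KEY_RE = r"(?P<key>[A-Za-z_]*(?:pwd|passwd|password|secret|token|api_key)[A-Za-z_]*)"
# Covers   "key": "value"     key = 'value'     KEY=value
ASSIGN_RE = re.compile(
    r"[\"']?" + KEY_RE + r"[\"']?\s*[:=]\s*[\"']?(?P<value>[^\"'\s,}]+)[\"']?",
    re.IGNORECASE,
)
# Literals that are placeholders rather than secrets.
SKIP_VALUES = {"", "none", "null", "true", "false", "0", "1"}
TEXT_EXT = {".py", ".sh", ".conf", ".cfg", ".ini", ".json", ".js", ".txt", ".env"}


@dataclass
class Finding:
    path: str
    line_no: int
    key: str
    value: str
    b64_decoded: Optional[str]  # set when the literal is base64 of printable ASCII


def _maybe_b64(value: str) -> Optional[str]:
    """Return the decoded text if value is valid base64 of printable ASCII, else None."""
    if len(value) < 4 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return text if text.isprintable() else None


def scan_file(path: str) -> List[Finding]:
    """Report every credential-style key assigned a literal value in one file."""
    findings: List[Finding] = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for m in ASSIGN_RE.finditer(line):
                value = m.group("value")
                # Skip placeholders and shell variable references such as $NAS_PWD.
                if value.lower() in SKIP_VALUES or value.startswith("$"):
                    continue
                findings.append(Finding(path, line_no, m.group("key"), value, _maybe_b64(value)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every text-like file under root, in a stable (sorted) order."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in TEXT_EXT:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def build_sample_tree() -> str:
    """Write constructed sample files (not real HBS files) into a temp dir."""
    root = tempfile.mkdtemp(prefix="hbs_scan_demo_")
    enc = base64.b64encode(b"example-secret").decode()  # constructed placeholder
    samples = {
        "settings.json": '{"pwd_plain": "example-secret", "admin_pwd": "example-secret", "name": "demo"}\n',
        "env.sh": "NAS_PWD=example-secret\nSERVER_PLAIN_PWD=$NAS_PWD\n",
        "client.py": f"enc_pwd = '{enc}'  # constructed: base64 of a placeholder\nDEBUG = False\n",
        "readme.txt": "no credentials here\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo() -> List[Finding]:
    """Scan the constructed sample tree and return the findings."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for f in demo():
        extra = f" (base64 of {f.b64_decoded!r})" if f.b64_decoded else ""
        print(f"{f.path}:{f.line_no}: {f.key} = {f.value!r}{extra}")
```

Run it against a real application directory by calling `scan_tree("/path/to/app")` instead of `demo()`. The scan is deliberately noisy (any credential-looking key with a literal value is reported), so treat the output as a review list rather than a verdict, and extend `TEXT_EXT` or `KEY_RE` for the file types and naming conventions of the package you are auditing.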
Razorblade
Starting out
Posts: 11
Joined: Thu Apr 22, 2021 7:14 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Razorblade »

wydeng wrote: Thu Apr 29, 2021 11:54 am [..]
I checked my Qnap account in the subscription section. There are 13 categories. The only category I didn't subscribe was security bulletin. I don't believe I chose them. Must be some kind of default settings:
[..]
Yes, those are the default bulletin subscription options.
You know, the bulletin is for marketing purposes, and it would not be beneficial to their business that people knew about all vulnerabilities of their products. So that category is disabled by default.

infotecmb wrote: Thu Apr 29, 2021 4:33 pm [..]

Looks like "walter" is that hard-coded password when you see the following:

"pwd_plain": "walter"
"admin_pwd": "walter"
NAS_PWD=walter
SERVER_PLAIN_PWD=walter
enc_pwd = 'RWxKZEJRUUk=' # enc 'walter" then b64
'enc_pwd': 'VAEC'        # -->  'walter' --> fw ecrypted
'enc_pwd': 'ElJdBQQI'    # -->  'walter' --> fw decrypted
"name": "waltershao"
I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

According to LinkedIn, Walter Shao has been QNAP Technical Manager since 2013:
Thank you Walter Shao, best engineer ever! 👏👏👏👏👏 This is really good for your CV! Oh, and you owe a few people 0.01 BTC...
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jacobite1 »

infotecmb wrote: Thu Apr 29, 2021 4:33 pm Looks like "walter" is that hard-coded password when you see the following:

I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

According to LinkedIn, Walter Shao has been QNAP Technical Manager since 2013:

walter.PNG
I would be laughing if this wasn't so utterly, utterly basic.
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by AlastairStevenson »

Go to your QNAP and issue the following command (you can also download attached output):
Wow, but wow!
I did that - it's absolutely horrific.

I'm almost speechless about how shoddy and unprofessional this code is.
It's also packed with rubbish that shouldn't just have been removed but should never have been there in the first place.
My prior confidence in QNAP has now taken a big dive.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
agarceran
New here
Posts: 6
Joined: Wed Apr 28, 2021 9:00 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by agarceran »

jacobite1 wrote: Thu Apr 29, 2021 4:53 pm
infotecmb wrote: Thu Apr 29, 2021 4:33 pm Looks like "walter" is that hard-coded password when you see the following:

I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

According to LinkedIn, Walter Shao has been QNAP Technical Manager since 2013:

walter.PNG
I would be laughing if this wasn't so utterly, utterly basic.
I am by no means a security researcher, but usually to get such data for a backdoor you need to decompile code, break hashes or whatever. You don't expect to find the credentials in plain text in a config file. I don't know if it was walter or whoever it was that put that there, but they have no business in the IT world. :x

Also, on another note, I guess if I only have one almost full storage pool the fact that I installed the updates will mess my chances of actually recovering files with the photorec script right?
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jaysona »

infotecmb wrote: Thu Apr 29, 2021 4:33 pm ....
The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of code with the word "walter".

....

I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

According to LinkedIn, Walter Shao has been QNAP Technical Manager since 2013:
Omg! This is sooo much lulz!! At the same time, it also WTAF!!??

Also, why the eff were gmail accounts used, and multiple gmail accounts as well!?

This just continues to demonstrate just how incompetent and sketch AF QNAP really is as a company - as well as some of their employees.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)