[RANSOMWARE] 4/20/2021 - QLOCKER

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
One2go
Starting out
Posts: 38
Joined: Sun Jul 12, 2009 1:56 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by One2go » Thu Apr 29, 2021 7:05 am

To the breaking of new records of hypocrisy there is no end with QNAP and for some a joke that really hurts and hard to take.

https://www.qnap.com/solution/ransomware/en-us/

ozstar
Know my way around
Posts: 184
Joined: Mon Mar 13, 2017 3:33 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar » Thu Apr 29, 2021 7:06 am

I am still in the middle of trying to access my files through PuTTY and PhotoRec but I have just noticed a new Firmware is now available.

Should I install it or wait until I see if I can get my files unencrypted.

P3R
Guru
Posts: 12636
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Thu Apr 29, 2021 7:48 am

Mousetick wrote:
Tue Apr 27, 2021 10:19 pm
You're talking specifically about QLocker attacks, right?
Yes.
I was only formulating an hypothesis of the QLocker attack vector based on indirect evidence gathered here and there. I don't claim to know specifically how it happened.
Both you and infotecmb made statements that made it sound as if your hypothesis was already a verified truth. That's why I asked both of you to clarify as I have not seen Qnap confirm that the web admin port is the only way all of these vulnerabilities are being misused.

I'm trying to understand how the ransomware infect systems and exactly what exposure enabled the systems to become a target.

Security-oriented manufacturers have a section in their security advisories that explain the technical details to help more informed users understand how they can protect themselves but as Qnap do their best to keep their customers in the dark our only choice is to speculate and guess. :cry:
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

P3R
Guru
Posts: 12636
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Thu Apr 29, 2021 8:13 am

OneCD wrote:
Thu Apr 29, 2021 4:36 am
So, QNAP sent a security bulletin from the marketing address? Someone at QNAP needs a kick in the pants.
You're right of course but I can think of a few more reasons they need some kicks.

One would have thought that they had learned from the Qsnatch disaster. After that they promised they would improve, yet here we are again a year later.

But now they really, really promise to improve so in the future we can all feel safe...
QnapDanielFL wrote: Our security should have been better. We are making it better now.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

Mousetick
Been there, done that
Posts: 956
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Thu Apr 29, 2021 8:45 am

P3R wrote:
Thu Apr 29, 2021 7:48 am
Security-oriented manufacturers have a section in their security advisories that explain the technical details to help more informed users understand how they can protect themselves but as Qnap do their best to keep their customers in the dark our only choice is to speculate and guess. :cry:
You're right. It looks to me as if QNAP is more interested in protecting themselves than helping their customers.
I'm trying to understand how the ransomware infect systems and exactly what exposure enabled the systems to become a target.
Here are a couple more pieces of info to explain what likely happened.

1. Excerpt from security alert email sent by QNAP on April 21-22 while the attacks were in full swing:
hbs1.png
To "log in" to a device, you normally use the QTS login page. Both authentication and interaction with an application such as HBS, is done via the QTS web port (8080, 443 by default). With this HBS vulnerability, you don't need to know any specific username or password, you use the hardcoded backdoor and you're in with the admin user privileges. Furthermore HBS had a command injection vulnerability, allowing execution of arbitrary commands. Both combined basically give complete control of the system.

2. Excerpt from a news article published by Bleeping Computer on April 22:
hbs2.png
QNAP removes backdoor account in NAS backup, disaster recovery app
You do not have the required permissions to view the files attached to this post.

P3R
Guru
Posts: 12636
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Thu Apr 29, 2021 8:49 am

I received mails about Security Advisories related to Qlocker on the 19th (QTS and media streaming add-on) and on the 22nd (HBS).

To make sure you get notifications when Security Advisories are published;
  1. Go to the Qnap site
  2. Click the Sign-in-button in the upper right corner and log in
  3. Click the icon that have replaced the Sign-in-button in the upper right corner and select Account Center in the menu
  4. Click My Subscriptions and make sure you select at least Security Advisories before activating and saving your subscriptions.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

P3R
Guru
Posts: 12636
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Thu Apr 29, 2021 9:29 am

Mousetick wrote:
Thu Apr 29, 2021 8:45 am
To "log in" to a device, you normally use the QTS login page. Both authentication and interaction with an application such as HBS, is done via the QTS web port (8080, 443 by default). With this HBS vulnerability, you don't need to know any specific username or password, you use the hardcoded backdoor and you're in with the admin user privileges. Furthermore HBS had a command injection vulnerability, allowing execution of arbitrary commands. Both combined basically give complete control of the system.
It doesn't clearly say that it's through the web admin page. I'm not saying this to criticize you but I can't accept that it's the web admin port that is the only way in until it's confirmed. Yes it may be the most probable (it scale much better) but until it's confirmed by a reliable source, I consider that to be only your assumption, hypothesis or best guess.

You have an authentication in the RTRR server that is separate from the regular NAS user accounts and the hardcoded account could also be such a HBS/RTRR-specific account. If so the HBS vulnerability could be through an open RTRR port. With a command-injection vulnerability in HBS/RTRR on top of that you could affect anything in QTS. I wouldn't at this point rule out the RTRR-port as a separate attack vector.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

wydeng
New here
Posts: 4
Joined: Wed Apr 28, 2021 11:05 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by wydeng » Thu Apr 29, 2021 11:54 am

I asked QNAP why they didn't send out email. Here is the reply from the support:
"We issue an advisory when vulnerabilities are discovered. We cannot send the advisory emails unless subscribed as we need your consent to email you. "

and second reply:
"I understand that this is an emergency situation but if we sent out an unsolicited email notification to all contacts our email servers would get reported as spammers and would be blocked globally for all messaging. This is why the notifications require subscription."

I checked my Qnap account in the subscription section. There are 13 categories. The only category I didn't subscribe was security bulletin. I don't believe I chose them. Must be some kind of default settings:
subscription.JPG
I am really worried about the other Qnap users who are still unaware of this problem. Qlocker is still out there searching for victims. Qnap can do better than this!
You do not have the required permissions to view the files attached to this post.

Mousetick
Been there, done that
Posts: 956
Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Thu Apr 29, 2021 12:20 pm

P3R wrote:
Thu Apr 29, 2021 9:29 am
I can't accept that it's the web admin port that is the only way in until it's confirmed. Yes it may be the most probable (it scale much better) but until it's confirmed by a reliable source, I consider that to be only your assumption, hypothesis or best guess.

I wouldn't at this point rule out the RTRR-port as a separate attack vector.
Nobody outside QNAP can know for sure so I'd suggest you contact them and demand a straight answer from them.

I wouldn't mind if my best guess were proven wrong. Please share your confirmation once you have received it. Thanks :)

ColHut
Getting the hang of things
Posts: 72
Joined: Sat Oct 14, 2017 12:13 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ColHut » Thu Apr 29, 2021 1:36 pm

QNAPDanielFL wrote:
Thu Apr 29, 2021 1:35 am
agarceran wrote:
Wed Apr 28, 2021 11:08 pm
Just noticed my files were encripted... after I had rebooted to aply a firmware update.

Still waiting for any comunication from QNAP whatsoever, could have avoided all this if they had just sent an amail on the 21th, or 22th... it is the 28th for QNAP's sake. I have a partial backup of the most important files but some files are completely lost and I'm not paying. Worse, I discovered it just as I had to go to work, had to left the NAS shutdown and walk away and I am feeling phisically ill. Before I left home I thought it was one of my computers that was at fault but now I found out it was the NAS that got hacked by the qnapcloud, and no, having the nas disconnected from the internet is just like having a dumb USB drive. Sure it was one of the cheap models and with only 5 tb harddrives, but it was advertised as having all those online capabilities I like to use... I am very, very disapointed and just bought a big USB drive and see what I can salvage...

Now I have to buy a boat, so I can repurpose this POS as a boat anchor as suggested by a reddit post.
I am sorry this happened to you. Our security should have been better. We are making it better now.
I understand that disconnecting the NAS from the internet will remove much of its usefulness.
We have QVPN to let you access the NAS remotely in a secure way. Would a VPN allow you to remote access the NAS in all the ways you would need for your use case?
Daniel,

for a typical end user there is not much to show how this all vpn stuff works. There is a guide to set up your NAS(es) as VPN servers or clients with QVPN. There is a guide of sorts on using HBS. So maybe you have all six cans, but it is missing the plastic thingy that holds them all together. A guide for end user showing how to get them to work together and what needs to be enabled/disabled might be a good start.

Regards

ozstar
Know my way around
Posts: 184
Joined: Mon Mar 13, 2017 3:33 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar » Thu Apr 29, 2021 1:38 pm

Well after days of frustration and reading and reading and reading and googling until I was on the verge of madness,

I tried again for the 3rd time to follow Xandl's tutorial to try and get my files back using PuTTy. The first times I got stuck and gave up. But thank heavens I tried once again.

I read it again and then went to the YouTube tutorial based on this script and followed it to the let, slow and easy.

https://www.youtube.com/watch?v=qv9mri_xHg0

Guess what? It works !! At time of post 28k recovered 35 hours 46 mins to completion.

My files are being copies over as you read this. So far 20 directories full of about 20k of files are now on my external Win 10 drive with many per second being copied.

These are the files those scum criminals deleted after they encrypted them with 7z. The deleted files are still there for Photorec to retrieve.
They are not named except for numbers, but that is okay, just have to rename them. Better than having to try and find them all again.

If you are struggling, follow the YouTube video and read the tutorial on the Beeping Computer site.

NOTE: near the end of the YouTube tutor, there are a couple of commands that are not on the web tutor. I did what was on YouTube exactly and it does work.The YouTube

https://www.bleepingcomputer.com/forums ... -nas-hack/

Good luck to all and many thanks to xandl at Beeping and TFI at YouTube.

dmccormack
Starting out
Posts: 27
Joined: Wed Apr 27, 2011 9:13 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dmccormack » Thu Apr 29, 2021 3:44 pm

I see in the latest firmware release notes that the firmware autoupdate is now enabled by default. After installing the update, I looked under Auto Update tab. But it is not very clear, if anything it is confusing.
You can now set a schedule to check and install updates (daily, weekly and monthly). And there are 2 check boxes underneath, Recommended Version and Latest Version.

I just want to turn off auto updates, I don't want the NAS randomly rebooting. There is no option under the scheduler to explicitly not schedule firmware updates and installs. If I uncheck both checkboxes, can I assume that the auto updates will not happen?

User avatar
infotecmb
Starting out
Posts: 23
Joined: Thu Sep 03, 2015 11:46 am
Location: Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by infotecmb » Thu Apr 29, 2021 4:33 pm

P3R wrote:
Thu Apr 29, 2021 7:48 am
I was only formulating an hypothesis of the QLocker attack vector based on indirect evidence gathered here and there. I don't claim to know specifically how it happened.
Both you and infotecmb made statements that made it sound as if your hypothesis was already a verified truth. That's why I asked both of you to clarify as I have not seen Qnap confirm that the web admin port is the only way all of these vulnerabilities are being misused.

I'm trying to understand how the ransomware infect systems and exactly what exposure enabled the systems to become a target.

Security-oriented manufacturers have a section in their security advisories that explain the technical details to help more informed users understand how they can protect themselves but as Qnap do their best to keep their customers in the dark our only choice is to speculate and guess. :cry:
Since day one of the attack, I do read all messages in this and bleepingcomputer QLocker topics.
My main unaffected QNAP with 80TB of data is powered off until I will find out how this attack happened to be 100% sure it is safe to turn it back on.
Meanwhile, I manually protect two other unaffected QNAPs that can't be unplugged.

We could make only assumptions based on the information disclosed by QNAP or their actions.

It looks like HBS 3 Hybrid Backup Sync is the main trouble, but:
1) we do not know if anyone with QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later was affected or not
2) when next version of HBS 3 Hybrid Backup Sync > 16.0.0419 for QTS 4.5.2 will be released with the real fix or at least with junk code cleaned out
3) QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0419 released on 2021/04/22 does not have any security fixes

From the latest news:

Code: Select all

HBS 3 Hybrid Backup Sync 3.0.210411
( 2021/04/29 )
[Applicable Models]
- End-of-life NAS models running QTS 4.3.3 or 4.3.4
 
[Important Notes]
- This is a security update for end-of-life NAS models running QTS versions 4.3.3 and 4.3.4.
 
[Security Updates]
- Fixed a security vulnerability.
It sounds like confirmation of the problem. Support for end-of-life products is a rare occasion and happens only in case of really serious issues.

The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of code with the word "walter".

Go to your QNAP and issue the following command (you can also download attached output):

Code: Select all

cd /share/CACHEDEV1_DATA/.qpkg/HybridBackup/ ; grep -r -i walter *
Looks like "walter" is that hard-coded password when you see the following:

Code: Select all

"pwd_plain": "walter"
"admin_pwd": "walter"
NAS_PWD=walter
SERVER_PLAIN_PWD=walter
enc_pwd = 'RWxKZEJRUUk=' # enc 'walter" then b64
'enc_pwd': 'VAEC'        # -->  'walter' --> fw ecrypted
'enc_pwd': 'ElJdBQQI'    # -->  'walter' --> fw decrypted
"name": "waltershao"
I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

According to LinkedIn, Walter Shao is QNAP Technical Manager since 2013:
walter.PNG
You do not have the required permissions to view the files attached to this post.

User avatar
Razorblade
Starting out
Posts: 11
Joined: Thu Apr 22, 2021 7:14 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Razorblade » Thu Apr 29, 2021 4:35 pm

wydeng wrote:
Thu Apr 29, 2021 11:54 am
[..]
I checked my Qnap account in the subscription section. There are 13 categories. The only category I didn't subscribe was security bulletin. I don't believe I chose them. Must be some kind of default settings:
[..]
Yes, those are the default bulletin subscription options.
You know, the bulletin is for marketing purposes, and it would not be beneficial to their business that people knew about all vulnerabilities of their products. So that category is disabled by default.

infotecmb wrote:
Thu Apr 29, 2021 4:33 pm
[..]

Looks like "walter" is that hard-coded password when you see the following:

Code: Select all

"pwd_plain": "walter"
"admin_pwd": "walter"
NAS_PWD=walter
SERVER_PLAIN_PWD=walter
enc_pwd = 'RWxKZEJRUUk=' # enc 'walter" then b64
'enc_pwd': 'VAEC'        # -->  'walter' --> fw ecrypted
'enc_pwd': 'ElJdBQQI'    # -->  'walter' --> fw decrypted
"name": "waltershao"
I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

According to LinkedIn, Walter Shao is QNAP Technical Manager since 2013:
Thank you Walter Shao, best engineer ever! 👏👏👏👏👏 This is really good for your CV! Oh, and you owe a few people 0.01 BTC...

jacobite1
Easy as a breeze
Posts: 375
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jacobite1 » Thu Apr 29, 2021 4:53 pm

infotecmb wrote:
Thu Apr 29, 2021 4:33 pm
Looks like "walter" is that hard-coded password when you see the following:

I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

According to LinkedIn, Walter Shao is QNAP Technical Manager since 2013:

walter.PNG
I would be laughing if this wasn't so utterly, utterly basic.
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!

Post Reply

Return to “Users' Corner”