P3R wrote: Thu Apr 29, 2021 7:48 am
I was only formulating a hypothesis of the QLocker attack vector based on indirect evidence gathered here and there. I don't claim to know specifically how it happened.
Both you and infotecmb made statements that made it sound as if your hypothesis were already a verified truth. That's why I asked both of you to clarify, as I have not seen Qnap confirm that the web admin port is the only way all of these vulnerabilities are being misused.
I'm trying to understand how the ransomware infects systems and exactly what exposure enabled the systems to become a target.
Security-oriented manufacturers have a section in their security advisories that explains the technical details to help more informed users understand how they can protect themselves, but as Qnap do their best to keep their customers in the dark, our only choice is to speculate and guess.
Since day one of the attack, I have been reading all messages in this topic and in the bleepingcomputer QLocker topics.
My main unaffected QNAP with 80TB of data is powered off until I find out how this attack happened, to be 100% sure it is safe to turn it back on.
Meanwhile, I am manually protecting two other unaffected QNAPs that can't be unplugged.
We can only make assumptions based on the information disclosed by QNAP or on their actions.
It looks like HBS 3 Hybrid Backup Sync is the main trouble, but:
1) we do not know whether anyone running QTS 4.5.2 with HBS 3 Hybrid Backup Sync 16.0.0415 or later was affected
2) we do not know when the next version of HBS 3 Hybrid Backup Sync (> 16.0.0419) for QTS 4.5.2 will be released with the real fix, or at least with the junk code cleaned out
3) QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0419, released on 2021/04/22, does not have any security fixes
From the latest news:
HBS 3 Hybrid Backup Sync 3.0.210411
( 2021/04/29 )
[Applicable Models]
- End-of-life NAS models running QTS 4.3.3 or 4.3.4
[Important Notes]
- This is a security update for end-of-life NAS models running QTS versions 4.3.3 and 4.3.4.
[Security Updates]
- Fixed a security vulnerability.
It sounds like a confirmation of the problem. Support for end-of-life products is rare and happens only in the case of really serious issues.
The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of code containing the word "walter".
Go to your QNAP and issue the following command (you can also download the attached output):
cd /share/CACHEDEV1_DATA/.qpkg/HybridBackup/ ; grep -r -i walter *
Looks like "walter" is that hard-coded password when you see the following:
"pwd_plain": "walter"
"admin_pwd": "walter"
NAS_PWD=walter
SERVER_PLAIN_PWD=walter
enc_pwd = 'RWxKZEJRUUk=' # enc 'walter" then b64
'enc_pwd': 'VAEC' # --> 'walter' --> fw ecrypted
'enc_pwd': 'ElJdBQQI' # --> 'walter' --> fw decrypted
"name": "waltershao"
I have not checked whether and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.
The code has 27 occurrences of the e-mail addresses waltershao@gmail.com or walterentry20140225@gmail.com.
According to LinkedIn, Walter Shao has been QNAP Technical Manager since 2013:
walter.PNG
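A small scanner in the spirit of the grep in the post above, added here as an example; it is not part of the original post and not QNAP's code. It builds a constructed sample tree whose contents mimic the kinds of strings quoted above (the file names are hypothetical), counts lines containing the literal, lists assignments to password-like keys, and base64-decodes any enc_pwd value it finds. On the sample value 'RWxKZEJRUUk=' the decode yields 'ElJdBQQI', the intermediate form shown in the grep output, not the plaintext, which the post says still sits behind a firmware-side encryption step that this script does not attempt to reverse.

```shell
#!/bin/sh
# Example scanner for hard-coded credential strings in an installed package tree.
# Not QNAP code; the sample files below are constructed to resemble the grep output
# quoted in the post. Run against a real tree with: count_literal /path walter

# Build a throwaway directory tree (constructed sample data, hypothetical file names).
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/conf" "$dir/lib"
  printf '{\n  "pwd_plain": "walter",\n  "admin_pwd": "walter"\n}\n' > "$dir/conf/settings.json"
  printf 'NAS_PWD=walter\nSERVER_PLAIN_PWD=walter\n' > "$dir/conf/env.sh"
  printf "enc_pwd = 'RWxKZEJRUUk='  # base64 of an already-encrypted value\n" > "$dir/lib/auth.py"
  printf 'user = "operator"\n' > "$dir/lib/clean.py"
  echo "$dir"
}

# Number of lines under $1 containing the literal $2, case-insensitive
# (the same search as the post's "grep -r -i walter *", but counted).
count_literal() {
  grep -r -i -- "$2" "$1" | wc -l | tr -d ' '
}

# Lines that assign a value to a password-like key, regardless of the value.
# Catches variants where the literal is renamed but the key stays the same.
list_credential_keys() {
  grep -r -i -E "(pwd_plain|admin_pwd|NAS_PWD|SERVER_PLAIN_PWD|enc_pwd)[\"']?[[:space:]]*[:=]" "$1"
}

# Extract base64-looking values assigned to enc_pwd and decode them.
# Prints one decoded value per line; a value that is not valid base64 is skipped.
decode_enc_pwd() {
  grep -r -h -o -E "enc_pwd['\"]?[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9+/]+={0,2}['\"]" "$1" \
    | sed -E "s/.*['\"]([A-Za-z0-9+\/=]+)['\"]$/\1/" \
    | while read -r b64; do
        printf '%s' "$b64" | base64 -d 2>/dev/null && printf '\n'
      done
}

# Stand-alone demonstration on the constructed tree.
if [ "${0##*/}" != "sh" ] && [ -z "${SCAN_NO_DEMO:-}" ]; then
  sample=$(make_sample_tree)
  echo "lines containing 'walter': $(count_literal "$sample" walter)"
  echo "credential key assignments:"
  list_credential_keys "$sample"
  echo "decoded enc_pwd values:"
  decode_enc_pwd "$sample"
  rm -rf "$sample"
fi
```

The three functions are deliberately separate: the literal search is what the post ran, the key search still works once a vendor rotates the literal, and the base64 step shows why a grep for the plaintext alone under-counts when a value is stored encoded.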