MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by QNAPDanielFL »

Some people are getting a message like this.
"Message: [Malware Remover] Removed vulnerable files or folders. Malware ID: MR2102"

This does not mean you got malware. It means Malware Remover removed a vulnerability.

jwsconsult from Reddit figured out what happened.

https://www.reddit.com/r/qnap/comments/ ... &context=3

"MR2102 error this morning is new definition that removes the /rr2/cgi/ directory under HBS3. This does not mean you've been infected, it's removing the python files that were the possible source of infection to try to get ahead of things. :)"



I was told by our security team: "In fact, if users saw the message, it means the vulnerability was patched."

Because this message is scaring many people, "the MR team just rolled back the rule temporarily.

Tomorrow, we will deploy the new rule again."

We will try to implement this in a way that does not make it look like you just got malware.
Kngstnguy
Starting out
Posts: 25
Joined: Thu Oct 17, 2019 8:25 pm

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Kngstnguy »

Their lack of communication is really appalling lately.... I'm seeing a LOT of people who are fed up with this lack of communication, the timeliness of the alerts, the speed at which they are addressing them, and the lack of acknowledgement.

Hard-coded access credentials? Where is their software quality control?
TVS-872X: 2x1TB WD Red NVMe, 2x1TB WD Blue M.2 SSD Cache, 4x4TB WD Red, 4x4TB Seagate Ironwolf Pro, 64GB Ram
TS-h1887XU-RP: 2x1TB WD Red NVMe, 6x12TB WD Red, 2x1TB Crucial SSD Cache, 128GB Ram
RAID is not a backup!
Toxic17
Ask me anything
Posts: 6476
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Toxic17 »

What I do not understand is that most users are trolling the forums, yet QNAP decides to post stuff on their website as if we are waiting with bated breath on their website 24/7.
QNAPDanielFL wrote: Tue Apr 27, 2021 1:08 am
We will try to implement this in a way that does not make it look like you just got malware.
May I make a suggestion that the QNAP PSIRT team post directly onto the forums (in a "Security" sub-forum) to inform users/customers of security vulnerabilities, in light of the "no communication" saga, rather than us searching the web for some form of answer via the guesswork of the Reddit and QNAP communities.

I know this probably won't happen, but I can only ask.
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Cbrad01 »

Yes, QNAP should be active on the forum.
I work in software development and understand there are bugs, problems and sometimes developers put in crap.
With that said the lack of communication and transparency is my issue.
I love the hardware and overall am happy with the software. From a cost to benefit picture QNAP is great.
Just be more open and stop recommending horrible solutions that create so much risk.
Improve the VPN solution and force all of the personal cloud crap through VPN.
It would not take much to turn QNAP cloud into a world-class secure personal cloud and create monthly revenue. A few bucks for secure VPN access back to my NAS and home internet.
Their product line is geared towards the 90s, before there was as much hacking, not towards today's world.


kbyrd
Starting out
Posts: 41
Joined: Sat Feb 02, 2013 10:36 pm

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by kbyrd »

QNAPDanielFL wrote: Tue Apr 27, 2021 1:08 am
To understand what happened, jwsconsult from Reddit figured it out.
...
We will try to implement this in a way that does not make it look like you just got malware.
One thing that has always bothered me about Malware Remover is that the log messages it leaves do not provide enough information for us to figure out what happened on our own. Some concrete suggestions:

1) If a rule like this is pre-emptive (removing a vulnerability rather than malware), the description should say so. If that isn't possible, the code (MR2102 in this case) should be easy to look up on QNAP's site with more explanation. With this in place we wouldn't have to swamp QNAP support.

2) Log messages from Malware Remover should be specific about what was done. Which files or directories were quarantined or deleted? Why do I have to dig in the `.quarantine` folder for this information?
Toxic17
Ask me anything
Posts: 6476
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Toxic17 »

kbyrd wrote: Tue Apr 27, 2021 1:57 am 2) Log messages from Malware Remover should be specific about what was done. Which files or directories were quarantined or deleted? Why do I have to dig in the `.quarantine` folder for this information?
The problem is QNAP does not want you to find out how bad the vulnerability is, especially when passwords are left in plain text. They don't want to admit they messed up and end up being liable to prosecution.
Ramias
New here
Posts: 9
Joined: Wed Oct 26, 2016 8:33 am

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Ramias »

Honestly at this point I think a supply chain attack is my biggest risk.

1. UPNP not enabled on router
2. UPNP Disabled on QNAP
3. No ports published on router at all
4. No MyQNAPCloud
5. Latest firmware/software/definitions as of today
6. IP Access Restrictions limiting inbound connections to my local subnet

Maybe I'm naive, but at this point I think remote code execution via QNAP software that runs under a privileged account is my biggest risk.

I've disabled auto-update for the firmware and for Malware remover.

I'd love for QNAP to have some transparency and publish their security processes, but given the impact of this bug I think I'm better off on my own (and yes I also have static backups) than I am with unknown updates showing up on my machine.
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Skwor »

Ramias wrote: Tue Apr 27, 2021 4:30 am Honestly at this point I think a supply chain attack is my biggest risk.

1. UPNP not enabled on router
2. UPNP Disabled on QNAP
3. No ports published on router at all
4. No MyQNAPCloud
5. Latest firmware/software/definitions as of today
6. IP Access Restrictions limiting inbound connections to my local subnet

Maybe I'm naive, but at this point I think remote code execution via QNAP software that runs under a privileged account is my biggest risk.

I've disabled auto-update for the firmware and for Malware remover.

I'd love for QNAP to have some transparency and publish their security processes, but given the impact of this bug I think I'm better off on my own (and yes I also have static backups) than I am with unknown updates showing up on my machine.
Yeah, I have gone to a fully local and isolated backup, manual only, and then relay that data to a cloud service independent of the NAS. I scan and verify the data first, then I connect the backup HDD and run the sync manually, after which I air-gap the backup HDD again. Until this sorts out I have no faith in QTS and the apps at the moment. Fortunately, since I back up only the movie database for a Plex server and home photos, this is not too cumbersome; every few days of effort, basically.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
One2go
Starting out
Posts: 38
Joined: Sun Jul 12, 2009 1:56 pm

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by One2go »

This whole situation is getting beyond ridiculous. QNAP resembles a fly-by-night outfit with its headquarters in some garage. Did ownership of QNAP change, and are they now run by Ronald McDonald the clown?

There is something to be said for still running firmware 4.3.6 from 2019 on both my NASes and not being infected!!! None of the apps that were used for attacks were present: no MM Console, no Hybrid Backup, no QSync Central, no Multimedia Streaming Add-on. WTF were they thinking when they released these not-ready-for-prime-time abortions? I just made sure that plain, sensible security protection has been enacted, as many have pointed out here. QNAP wanted to develop a NAS that is the equivalent of a Swiss army knife, and in their version they included a blade to commit hara-kiri. What an utter failure in providing support when they have a disaster on their hands that was of their own making. QNAP is EOL for me when considering upgrading equipment.
Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Cbrad01 »

Spot on, it's like they rushed out features with no QC.


Toxic17
Ask me anything
Posts: 6476
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Toxic17 »

One2go wrote: This whole situation is getting beyond ridiculous. QNAP resembles a fly-by-night outfit with its headquarters in some garage. Did ownership of QNAP change, and are they now run by Ronald McDonald the clown?

There is something to be said for still running firmware 4.3.6 from 2019 on both my NASes and not being infected!!! None of the apps that were used for attacks were present: no MM Console, no Hybrid Backup, no QSync Central, no Multimedia Streaming Add-on. WTF were they thinking when they released these not-ready-for-prime-time abortions? I just made sure that plain, sensible security protection has been enacted, as many have pointed out here. QNAP wanted to develop a NAS that is the equivalent of a Swiss army knife, and in their version they included a blade to commit hara-kiri. What an utter failure in providing support when they have a disaster on their hands that was of their own making. QNAP is EOL for me when considering upgrading equipment.
I personally hope someone investigates this whole saga.

Questions need answering.

Who apart from the hackers, benefits out of this whole saga? People leave QNAP in their droves and go to another supplier.

If backdoors were known to staff do they still belong to the company? Had they left? Corporate sabotage?

Has QNAP itself been hacked? If QNAP cloud details were used, the NASes could be systematically targeted with ease.

I guess they don’t even need to be hacked either. The biggest threat to security is from within.

An employee passes key information to the hackers, or is a hacker themselves.

All conspiracy but all also plausible.

Food for thought


Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by Mousetick »

Toxic17 wrote: Thu Apr 29, 2021 1:54 am All conspiracy but all also plausible.
If you don't mind I'll speculate wildly a bit while you're theorizing conspiracies :)

If the vulnerability exploited by QLocker was indeed the hardcoded backdoor in HBS, the timing of events is quite peculiar. It appears the backdoor had existed and remained both unknown by QNAP and unexploited by hackers for a long while, and yet the attacks started shortly before the HBS security update was released, in a weird race to reach the devices. By several accounts it seems the attackers were rushed: a security researcher found that the ransom payment system was initially buggy and could be circumvented to obtain encryption keys, some victims have reported that their files were simply 7zip'ed without a password. So it would appear that the attackers became aware of the vulnerability in about the same timeframe as QNAP.

The CVE for the HBS vulnerability was created on 03/18/2021 (link), so this is the latest date at which they were informed by ZUSO (a white hat company in TW). They may have been informed earlier than that, but no later.

Another peculiar tidbit is that the unused leftover HBS source code which contains the hardcoded backdoor and was hastily "vacuumed" by Malware Remover yesterday, contains code and notes written in correctly spelled and grammatically correct English language, which is rather uncharacteristic of QNAP. This makes me think either the development of HBS 3 was outsourced to a 3rd party, or perhaps done in-house but off-shore (QNAP has a fairly large office including some R&D in California, USA). Either way, this could explain why QNAP HQ themselves didn't know about the vulnerability for a long time and it took quite a while for them to fix it.
One2go
Starting out
Posts: 38
Joined: Sun Jul 12, 2009 1:56 pm

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by One2go »

This is the absolute height of hypocrisy and a joke that really hurts for some.

https://www.qnap.com/solution/ransomware/en-us/
doingnz
First post
Posts: 1
Joined: Fri Apr 15, 2016 6:44 am

Re: MR2102 message from Malware Remover does not mean you were infected. It means a vulnerability was patched

Post by doingnz »

The information from QNAP regarding the Malware Removal Tool appears to be incorrect.
The encryption attack on my QNAP started 22-April-2021 at 09:17 am.
The Malware Removal Tool logged the MR2102 message on 24-April-2021.
The encryption continued until 4th-May-2021 and would have continued had I not been asked to fetch files from this infrequently used server.
The encryption only stopped when the server was patched and rebooted early on the 4th.
As QNAP had not contacted me about the vulnerability circa 24th April (or earlier), I was not aware of the need to NOT reboot the server in order to recover the password first.
As the attack was running for so long, I have over 700 GB of 7z files!
So far the only suggestion from QNAP is to run PhotoRec in the hope it can recover files that have not been overwritten.
Given the severity of the problem, the Malware Removal Tool should have done something far more dramatic to get users' attention.
It should have automatically recovered the password and logged it safely, and then forced the NAS to bleep incessantly to attract attention.

There is a secondary problem where the NAS did not send out email notifications, even with the correct SMTP credentials. I have 8000+ unsent notifications. When I click resend, it says it was sent successfully, but I don't receive the emails. A tragic list of errors that have smashed confidence in the brand that was meant to protect our data.
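The two complaints above, that Malware Remover's log line (kbyrd's post) says nothing about what was done, and that the MR2102 entry arrived two days after encryption had already started (doingnz's timeline), are both answerable from the NAS itself with a small triage script. The example below is added here and is not QNAP's code or anything from the thread. It assumes an ISO-8601 timestamp precedes each log line in an exported event log (the thread only quotes the message text), that QLocker-style encryption leaves `name.ext.7z` behind with `name.ext` removed (as doingnz's 700 GB of 7z files suggests), and it uses a constructed sample share and constructed log lines; `MR9999` is a made-up ID used only to exercise the unknown-ID path. It reports whether the earliest orphaned `.7z` predates the first Malware Remover event, which is the check that tells you whether the MR2102 cleanup could have had anything to do with stopping the attack.

```python
"""Correlate Malware Remover log entries with QLocker-style .7z artifacts.

Added triage example, not QNAP code. Assumptions: an ISO-8601 timestamp
precedes each log line; encrypted files appear as "<name>.<ext>.7z" with the
original removed. All sample data is constructed inline.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The message text is what the thread quotes; the leading timestamp is an
# assumption about how the line would look in an exported event log.
MR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"\[Malware Remover\]\s+(?P<msg>.*?)\s*Malware ID:\s*(?P<mid>MR\d+)\s*$"
)

# The only ID the thread documents; anything else is reported as unknown, not guessed.
KNOWN_IDS = {
    "MR2102": "pre-emptive removal of vulnerable HBS3 files; not an infection indicator",
}


def parse_mr_events(lines):
    """Extract time, ID and meaning from Malware Remover log lines; skip everything else."""
    events = []
    for line in lines:
        m = MR_LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc),
            "id": m["mid"],
            "message": m["msg"],
            "meaning": KNOWN_IDS.get(m["mid"], "unknown ID; check QNAP's definition notes"),
        })
    return sorted(events, key=lambda e: e["time"])


def scan_7z_artifacts(root):
    """Find *.7z files whose un-suffixed original is missing (the QLocker pattern).

    Heuristic: a legitimate 'report.7z' with no 'report' beside it is flagged too,
    so treat hits as leads, not verdicts.
    """
    hits = []
    for p in Path(root).rglob("*.7z"):
        st = p.stat()
        hits.append({
            "path": str(p),
            "orphaned": not p.with_suffix("").exists(),
            "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
            "size": st.st_size,
        })
    return hits


def triage(log_lines, share_root):
    """Did encryption begin before Malware Remover acted? Return a summary dict."""
    events = parse_mr_events(log_lines)
    orphans = [h for h in scan_7z_artifacts(share_root) if h["orphaned"]]
    first_mr = min((e["time"] for e in events), default=None)
    first_7z = min((h["mtime"] for h in orphans), default=None)
    return {
        "mr_events": [(e["id"], e["meaning"]) for e in events],
        "orphaned_7z": len(orphans),
        "orphaned_bytes": sum(h["size"] for h in orphans),
        "first_mr_event": first_mr,
        "first_orphaned_7z": first_7z,
        # True: the MR cleanup cannot be what stopped the attack; it was already running.
        "encryption_predates_mr": bool(first_7z and first_mr and first_7z < first_mr),
    }


def _touch(path, when, size):
    """Create a constructed sample file with a fixed size and modification time."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"\0" * size)
    os.utime(path, (when.timestamp(), when.timestamp()))


def run_demo():
    """Build a constructed share and log mirroring doingnz's timeline, then triage them."""
    root = Path(tempfile.mkdtemp(prefix="qlocker-triage-"))
    # Originals gone, only .7z left: the earliest one predates the MR2102 entry.
    _touch(root / "photos" / "IMG_0001.jpg.7z", datetime(2021, 4, 22, 9, 17, tzinfo=timezone.utc), 4096)
    _touch(root / "docs" / "taxes.xlsx.7z", datetime(2021, 4, 23, 2, 0, tzinfo=timezone.utc), 2048)
    # A legitimate archive whose source still exists must not count as orphaned.
    _touch(root / "docs" / "report.pdf", datetime(2021, 4, 1, tzinfo=timezone.utc), 512)
    _touch(root / "docs" / "report.pdf.7z", datetime(2021, 4, 1, tzinfo=timezone.utc), 300)
    log = [  # constructed; MR9999 is made up to exercise the unknown-ID branch
        "2021-04-24T10:02:11 [Malware Remover] Removed vulnerable files or folders. Malware ID: MR2102",
        "2021-04-24T10:02:12 [System] Scan finished",
        "2021-04-25T00:00:00 [Malware Remover] Quarantined files. Malware ID: MR9999",
    ]
    return triage(log, root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing the constructed `log` with the lines from the QTS event log and `root` with the affected share; the `first_orphaned_7z` timestamp is the figure to put next to the MR2102 entry when talking to support, since it is the earliest evidence of encryption regardless of what the Malware Remover line says.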