Kinda terrifying it managed to overwrite/purge snapshots considering they're supposed to be immune to 'this kind of thing' and a lot of people use them as ransomware protection.
[RANSOMWARE] Qlocker
-
- Easy as a breeze
- Posts: 389
- Joined: Fri Aug 07, 2015 7:02 pm
- Location: London, England
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!
Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
-
- Getting the hang of things
- Posts: 65
- Joined: Tue Aug 08, 2017 1:04 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
How many of your devices were affected, guessing you know how they got in too?
jaysona wrote: ↑Fri Apr 23, 2021 11:58 pm
I am not a fan of Micro$oft Winblows by any stretch, but at least M$ publishes their security patches in advance, provides a modicum of documentation with their KB articles and provides the user the option to download and apply the patch on the user's terms vs just silently and surreptitiously making changes.
dolbyman wrote: ↑Fri Apr 23, 2021 11:48 pm
Has Microsoft ever changed/patched the functionality of the builtin *.zip handler ?
Were you able to call it before via command line or powershell (with arguments) and cannot do so anymore due to patches ?
Most Microsoft patchlogs are generic as *flip* .. so they are not transparent either.
Again, not defending QNAP, but they are not the only ones doing that
Last edited by jbennett360 on Sat Apr 24, 2021 12:08 am, edited 2 times in total.
- infotecmb
- Starting out
- Posts: 24
- Joined: Thu Sep 03, 2015 11:46 am
- Location: Canada
Re: Sneaky QNAP - disturbing AF!
jbennett360 wrote: ↑Fri Apr 23, 2021 11:56 pm
Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability been less than a week old, so could it be that they all weren't running that patched version?
infotecmb wrote: ↑Fri Apr 23, 2021 10:49 pm
It is unclear what is the vector attack of the current Qlocker because the attack started 3 days later after all currently known security holes were patched.
Improper Authorization Vulnerability in HBS 3 Hybrid Backup Sync
Release date: April 22, 2021
Security ID: QSA-21-13
Severity: Critical
CVE identifier: CVE-2021-28799
V2.0 (April 23, 2021) - Revise Acknowledgements
V1.0 (April 22, 2021) - Published
Do we have anyone who has 16.0.0415 HBS 3 Hybrid Backup Sync installed but affected by ransomware?
-
- Getting the hang of things
- Posts: 65
- Joined: Tue Aug 08, 2017 1:04 am
Re: Sneaky QNAP - disturbing AF!
That's what I'm thinking. It started 3 days after this was pushed out.
infotecmb wrote: ↑Sat Apr 24, 2021 12:04 am
jbennett360 wrote: ↑Fri Apr 23, 2021 11:56 pm
Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability been less than a week old, so could it be that they all weren't running that patched version?
infotecmb wrote: ↑Fri Apr 23, 2021 10:49 pm
It is unclear what is the vector attack of the current Qlocker because the attack started 3 days later after all currently known security holes were patched.
Fixed in 16.0.0415 on April 16, 2021 3 days before the attack.
Improper Authorization Vulnerability in HBS 3 Hybrid Backup Sync
Release date: April 22, 2021
Security ID: QSA-21-13
Severity: Critical
CVE identifier: CVE-2021-28799
V2.0 (April 23, 2021) - Revise Acknowledgements
V1.0 (April 22, 2021) - Published
Do we have anyone who has 16.0.0415 HBS 3 Hybrid Backup Sync installed but affected by ransomware?
Are they targeting people who weren't updated to the latest version?
Is anyone affected who knew for sure that they had this version installed?
Surely that should then narrow things down, possibly?
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
It only works if ransomware is infecting your clients and they go rogue on the writeable network shares.
If the malware infects the NAS, then all bets are off (obviously).
-
- Know my way around
- Posts: 136
- Joined: Mon Aug 13, 2018 4:58 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
https://www.qnap.com/en/app_releasenote ... bridBackup
HBS 3 Hybrid Backup Sync 3.0.210412
( 2021/04/23 )
[Security Updates]
- Fixed a credential vulnerability.
- Fixed two command injection vulnerabilities.
HBS 3 Hybrid Backup Sync 16.0.0419
( 2021/04/22 )
[Fixed Issues]
- After restarting the NAS, the RTRR server would not function properly.
- Razorblade
- Starting out
- Posts: 11
- Joined: Thu Apr 22, 2021 7:14 pm
Re: Sneaky QNAP - disturbing AF!
I was affected and I had all the software up to date at the attack moment. In fact I installed the latest firmware update just a few days ago.
jbennett360 wrote: ↑Fri Apr 23, 2021 11:56 pm
Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability been less than a week old, so could it be that they all weren't running that patched version?
-
- Getting the hang of things
- Posts: 65
- Joined: Tue Aug 08, 2017 1:04 am
Re: Sneaky QNAP - disturbing AF!
Hmm. Maybe it's nothing to do with HBS3 then, (the initial statement from QNAP did say this.) If you're sure you had 0415 version of HBS3 installed.
Razorblade wrote: ↑Sat Apr 24, 2021 12:30 am
I was affected and I had all the software up to date at the attack moment. In fact I installed the latest firmware update just a few days ago.
jbennett360 wrote: ↑Fri Apr 23, 2021 11:56 pm
Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability been less than a week old, so could it be that they all weren't running that patched version?
Guessing your NAS was exposed and that's how they got in?
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Only sure way to protect your NAS until you are fully versed how to harden your NAS and network.
-
- Know my way around
- Posts: 136
- Joined: Mon Aug 13, 2018 4:58 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
no need to cut, unplug as a first step also works
elvisimprsntr wrote: ↑Sat Apr 24, 2021 12:47 am
Only sure way to protect your NAS until you are fully versed how to harden your NAS and network.
scissors-cutting-computer-ethernet-network-cable-23301676.jpg
until people follow the advice about disabling UPNP and so on, then can connect it again
- infotecmb
- Starting out
- Posts: 24
- Joined: Thu Sep 03, 2015 11:46 am
- Location: Canada
Re: Sneaky QNAP - disturbing AF!
Please go to "QuLog Center" and search for "Installed Hybrid Backup" in "System Event Log":
Razorblade wrote: ↑Sat Apr 24, 2021 12:30 am
I was affected and I had all the software up to date at the attack moment. In fact I installed the latest firmware update just a few days ago.
jbennett360 wrote: ↑Fri Apr 23, 2021 11:56 pm
Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability been less than a week old, so could it be that they all weren't running that patched version?
this way you can find when the patched version of HBS was (or not) installed.
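The log check described in the post above can be scripted once the System Event Log has been exported. This is an added example, not part of the original thread and not QNAP tooling; the CSV column layout, the message wording and the sample rows are constructed assumptions, and the 16.0.0415 threshold is the one quoted in the thread.

```python
import csv
import io
import re
from datetime import datetime

# Threshold taken from the thread ("Fixed in 16.0.0415"); applies to the 16.0.x branch only.
PATCHED = (16, 0, 415)
VERSION_RE = re.compile(r"Installed Hybrid Backup\D*(\d+)\.(\d+)\.(\d+)")

# Constructed sample export. Column layout and message wording are assumptions.
SAMPLE_LOG = """date,time,severity,content
2021-02-11,08:02:10,Information,[App Center] Installed Hybrid Backup Sync 16.0.0226.
2021-04-18,21:40:55,Information,[App Center] Installed Hybrid Backup Sync 16.0.0415.
2021-04-19,03:12:31,Warning,[Users] Failed to log in via user account admin.
2021-04-23,10:05:02,Information,[App Center] Installed Hybrid Backup Sync 16.0.0419.
"""

def hbs_installs(log_text):
    """Return [(timestamp, (major, minor, build)), ...] sorted by time."""
    found = []
    for row in csv.DictReader(io.StringIO(log_text)):
        m = VERSION_RE.search(row["content"])
        if m:
            ts = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
            found.append((ts, tuple(int(p) for p in m.groups())))
    return sorted(found)

def version_at(installs, when):
    """Latest HBS version installed at or before `when`, else None."""
    current = None
    for ts, version in installs:
        if ts <= when:
            current = version
    return current

def assess(log_text, incident):
    """'patched', 'unpatched' or 'unknown' for the HBS build present at `incident`."""
    version = version_at(hbs_installs(log_text), incident)
    if version is None or version[:2] != PATCHED[:2]:
        return "unknown"  # no install event logged, or a branch this threshold does not cover
    return "patched" if version >= PATCHED else "unpatched"

if __name__ == "__main__":
    for day in ("2021-04-17 12:00:00", "2021-04-20 12:00:00"):
        print(day, assess(SAMPLE_LOG, datetime.strptime(day, "%Y-%m-%d %H:%M:%S")))
```

An "unknown" result means the log cannot answer the question, either because install events have rotated out or because the NAS runs an HBS branch with a different fixed version.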
-
- Getting the hang of things
- Posts: 65
- Joined: Tue Aug 08, 2017 1:04 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
Aye. Only cut in rage!
syncthing wrote: ↑Sat Apr 24, 2021 12:51 am
no need to cut, unplug as a first step also works
elvisimprsntr wrote: ↑Sat Apr 24, 2021 12:47 am
Only sure way to protect your NAS until you are fully versed how to harden your NAS and network.
scissors-cutting-computer-ethernet-network-cable-23301676.jpg
until people follow the advice about disabling UPNP and so on, then can connect it again
Correct. The four/five things that have been mentioned a million times in this thread. (Disable UPnP on NAS/router, disable/don't use myQNAPcloud, don't port forward)
Then obviously updates too.
-
- Know my way around
- Posts: 136
- Joined: Mon Aug 13, 2018 4:58 pm
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
to be honest usually I wait some time, to check if the firmware gets cancelled or they make some lite/premium stuff and so on
-
- Easy as a breeze
- Posts: 488
- Joined: Fri Mar 31, 2017 7:09 am
Re: Sneaky QNAP - disturbing AF!
The change you refer to is to offer better protection from Qlocker.
-
- First post
- Posts: 1
- Joined: Sat Apr 24, 2021 6:27 am
Re: [RANSOMWARE] 4/20/2021 - QLOCKER
I didn't read the advice and I shut down the NAS. Any idea how to proceed now I have bypassed unknown recommendations?