[RANSOMWARE] Qlocker

jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jacobite1 »

dolbyman wrote: Fri Apr 23, 2021 11:52 pm btw

turns out a) is done, snapshots are purged by the malware according to reddit
Kinda terrifying it managed to overwrite/purge snapshots considering they're supposed to be immune to 'this kind of thing' and a lot of people use them as ransomware protection.
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
jbennett360
Getting the hang of things
Posts: 65
Joined: Tue Aug 08, 2017 1:04 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jbennett360 »

jaysona wrote: Fri Apr 23, 2021 11:58 pm
dolbyman wrote: Fri Apr 23, 2021 11:48 pm Has Microsoft ever changed/patched the functionality of the builtin *.zip handler ?

Were you able to call it before via command line or powershell (with arguments) and cannot do so anymore due to patches ?

Most Microsoft patchlogs are generic as *flip* .. so they are not transparent either.

Again, not defending QNAP, but they are not the only ones doing that
I am not a fan of Micro$oft Winblows by any stretch, but at least M$ publishes their security patches in advance, provides a modicum of documentation with their KB articles and provides the user the option to download and apply the patch on the user's terms vs just silently and surreptitiously making changes.
How many of your devices were affected, guessing you know how they got in too?
Last edited by jbennett360 on Sat Apr 24, 2021 12:08 am, edited 2 times in total.
infotecmb
Starting out
Posts: 24
Joined: Thu Sep 03, 2015 11:46 am
Location: Canada

Re: Sneaky QNAP - disturbing AF!

Post by infotecmb »

jbennett360 wrote: Fri Apr 23, 2021 11:56 pm
infotecmb wrote: Fri Apr 23, 2021 10:49 pm It is unclear what the attack vector of the current Qlocker is, because the attack started 3 days after all currently known security holes were patched.
Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability is less than a week old, so could it be that they all weren't running that patched version?


Improper Authorization Vulnerability in HBS 3 Hybrid Backup Sync
    Release date: April 22, 2021
    Security ID: QSA-21-13
    Severity: Critical
    CVE identifier: CVE-2021-28799
    V2.0 (April 23, 2021) - Revise Acknowledgements
    V1.0 (April 22, 2021) - Published
Fixed in 16.0.0415 on April 16, 2021 3 days before the attack.

Do we have anyone who has 16.0.0415 HBS 3 Hybrid Backup Sync installed but affected by ransomware?
jbennett360
Getting the hang of things
Posts: 65
Joined: Tue Aug 08, 2017 1:04 am

Re: Sneaky QNAP - disturbing AF!

Post by jbennett360 »

infotecmb wrote: Sat Apr 24, 2021 12:04 am
jbennett360 wrote: Fri Apr 23, 2021 11:56 pm
infotecmb wrote: Fri Apr 23, 2021 10:49 pm It is unclear what the attack vector of the current Qlocker is, because the attack started 3 days after all currently known security holes were patched.
Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability is less than a week old, so could it be that they all weren't running that patched version?


Improper Authorization Vulnerability in HBS 3 Hybrid Backup Sync
    Release date: April 22, 2021
    Security ID: QSA-21-13
    Severity: Critical
    CVE identifier: CVE-2021-28799
    V2.0 (April 23, 2021) - Revise Acknowledgements
    V1.0 (April 22, 2021) - Published
Fixed in 16.0.0415 on April 16, 2021 3 days before the attack.

Do we have anyone who has 16.0.0415 HBS 3 Hybrid Backup Sync installed but affected by ransomware?
That's what I'm thinking. It started 3 days after this was pushed out.

Are they targeting people who weren't updated to the latest version?
Is anyone affected who knew for sure that they had this version installed?

Surely that should then narrow things down, possibly?
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dolbyman »

jacobite1 wrote: Sat Apr 24, 2021 12:01 am Kinda terrifying it managed to overwrite/purge snapshots considering they're supposed to be immune to 'this kind of thing' and a lot of people use them as ransomware protection.
it only works if ransomware is infecting your clients and they go rogue on the writeable network shares

if the malware infects the NAS, then all bets are off (obviously)
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by syncthing »

https://www.qnap.com/en/app_releasenote ... bridBackup

HBS 3 Hybrid Backup Sync 3.0.210412
( 2021/04/23 )
[Security Updates]
- Fixed a credential vulnerability.
- Fixed two command injection vulnerabilities.

HBS 3 Hybrid Backup Sync 16.0.0419
( 2021/04/22 )
[Fixed Issues]
- After restarting the NAS, the RTRR server would not function properly.
Razorblade
Starting out
Posts: 11
Joined: Thu Apr 22, 2021 7:14 pm

Re: Sneaky QNAP - disturbing AF!

Post by Razorblade »

jbennett360 wrote: Fri Apr 23, 2021 11:56 pm Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability is less than a week old, so could it be that they all weren't running that patched version?
I was affected and I had all the software up to date at the attack moment. In fact I installed the latest firmware update just a few days ago.
jbennett360
Getting the hang of things
Posts: 65
Joined: Tue Aug 08, 2017 1:04 am

Re: Sneaky QNAP - disturbing AF!

Post by jbennett360 »

Razorblade wrote: Sat Apr 24, 2021 12:30 am
jbennett360 wrote: Fri Apr 23, 2021 11:56 pm Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability is less than a week old, so could it be that they all weren't running that patched version?
I was affected and I had all the software up to date at the attack moment. In fact I installed the latest firmware update just a few days ago.
Hmm. Maybe it's nothing to do with HBS3 then, (the initial statement from QNAP did say this.) If you're sure you had 0415 version of HBS3 installed.

Guessing your NAS was exposed and that's how they got in?
elvisimprsntr

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by elvisimprsntr »

Only sure way to protect your NAS until you are fully versed how to harden your NAS and network.
scissors-cutting-computer-ethernet-network-cable-23301676.jpg
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by syncthing »

elvisimprsntr wrote: Sat Apr 24, 2021 12:47 am Only sure way to protect your NAS until you are fully versed how to harden your NAS and network.
scissors-cutting-computer-ethernet-network-cable-23301676.jpg
no need to cut :lol: unplug as a first step also works :DD
until people follow the advice about disabling UPNP and so on, then can connect it again
infotecmb
Starting out
Posts: 24
Joined: Thu Sep 03, 2015 11:46 am
Location: Canada

Re: Sneaky QNAP - disturbing AF!

Post by infotecmb »

Razorblade wrote: Sat Apr 24, 2021 12:30 am
jbennett360 wrote: Fri Apr 23, 2021 11:56 pm Do we know if people who have been affected had all apps current and up to date? The HBS3 vulnerability is less than a week old, so could it be that they all weren't running that patched version?
I was affected and I had all the software up to date at the attack moment. In fact I installed the latest firmware update just a few days ago.
Please go to "QuLog Center" and search for "Installed Hybrid Backup" in "System Event Log":
qulog.PNG
this way you can find when the patched version of HBS was (or not) installed.
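
The QuLog check suggested in the post above can be scripted once the System Event Log is exported to text. This is an added example, not part of the original post and not QNAP code; the `timestamp,severity,message` line layout, the sample lines and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime

FIXED = (16, 0, 415)            # "Fixed in 16.0.0415", from the advisory quoted in the thread
ATTACK = datetime(2021, 4, 20)  # assumption: date in the thread title; use your own first-encryption time

# Constructed sample lines. The "timestamp,severity,message" layout is an assumption,
# not the documented QuLog export format.
SAMPLE_LOG = """\
2021-03-02 09:14:07,Information,Installed Hybrid Backup Sync 16.0.0320.
2021-04-18 21:40:52,Information,Installed Hybrid Backup Sync 16.0.0415.
2021-04-22 08:03:11,Information,Installed Hybrid Backup Sync 16.0.0419.
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),.*"
                  r"Installed Hybrid Backup\D*(\d+)\.(\d+)\.(\d+)")

def hbs_installs(text):
    """Return sorted (timestamp, version tuple) pairs for every HBS install entry."""
    events = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((when, tuple(int(g) for g in m.groups()[1:])))
    return sorted(events)

def patch_status(events, fixed=FIXED, attack=ATTACK):
    """Say whether a build >= `fixed` was installed before `attack`.

    Only entries with the same major number as `fixed` are compared: the thread
    also lists a 3.0.x line of HBS 3, which uses a different numbering scheme.
    """
    same_branch = [(w, v) for w, v in events if v[0] == fixed[0]]
    if not same_branch:
        return "unknown-branch", None
    patched = [w for w, v in same_branch if v >= fixed]
    if not patched:
        return "never-patched", None
    first = min(patched)
    return ("patched-before-attack" if first < attack else "patched-after-attack"), first

if __name__ == "__main__":
    status, when = patch_status(hbs_installs(SAMPLE_LOG))
    print(status, when)
```
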
jbennett360
Getting the hang of things
Posts: 65
Joined: Tue Aug 08, 2017 1:04 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jbennett360 »

syncthing wrote: Sat Apr 24, 2021 12:51 am
elvisimprsntr wrote: Sat Apr 24, 2021 12:47 am Only sure way to protect your NAS until you are fully versed how to harden your NAS and network.
scissors-cutting-computer-ethernet-network-cable-23301676.jpg
no need to cut :lol: unplug as a first step also works :DD
until people follow the advice about disabling UPNP and so on, then can connect it again
Aye. Only cut in rage!

Correct. The four/five things that have been mentioned a million times in this thread. (Disable UPnP NAS/Router, Disable/Don't use myQNAPcloud, Don't port forward)

Then obviously updates too. :D
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by syncthing »

jbennett360 wrote: Sat Apr 24, 2021 1:06 am Then obviously updates too. :D
to be honest usually I wait some time, to check if the firmware gets cancelled or they make some lite/premium stuff and so on :DD
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: Sneaky QNAP - disturbing AF!

Post by QNAPDanielFL »

jaysona wrote: Fri Apr 23, 2021 9:05 pm So, it would seem QNAP has quietly and unceremoniously replaced /usr/local/sbin/7z on people's NASes without any sort of communication to that effect. This is just another confirmation that QNAP has become a sketchy AF company.
The change you refer to is to offer better protection from Qlocker.
parkzone
First post
Posts: 1
Joined: Sat Apr 24, 2021 6:27 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by parkzone »

I didn't read the advice and I shut down the NAS. Any idea how to proceed now I have bypassed unknown recommendations?