[RANSOMWARE] Qlocker

[dolbyman]

What recommendations do you want ? Did you read the thread ? .. Without backups or ransom payment your are (currently) SOL

[dolbyman]

So, it would seem QNAP has quietly and unceremoniously replaced /usr/local/sbin/7z on people's NASes without any sort on communication to that effect. This is just another confirmation that QNAP has become a sketchy AF company.

The change you refer to is to offer better protection from Qlocker.

I think he knows that, it was probably the missing info in the change-log that certain "mitigations" are applied

[Eternic]

Just so we can all understand the attack vector, this is my understanding:

1. QNAP fixed some SQL/Command injection vulnerabilities in February in the QTS firmware, Multimedia Console and Media Streaming Add-On but this wasn't mentioned in the update notes for those versions
2. On April 16 they released a Security Advisory telling people about this issue and that people needed these versions from February to be secure. One for the apps and one for the firmware.
3. Also on April 16 they released an update fixing injection vulnerabilities as well as a hard-coded credential issue in HBS 3 Hydrid Backup Sync but did not mention this anywhere outside the update notes

Perhaps the vulnerabilities were fixed in February and they chose not to mention them for a couple of months to avoid alerting bad actors until most people would have updated to secure versions. They didn't do the same with HBS 3 though, which is an application that would run on your NAS whether you'd ever opened it and set anything up in it or not. In fact you could say they instead did the following on April 16:
"Hey Bad Guys, there's an injection vulnerability in older firmware and Multimedia Console which we don't let people uninstall. We fixed these a couple of months ago, but if you check the update notes for HBS 3 which we only just fixed today, you'll see it has the same or similar issues and we haven't told anyone about it outside of those update notes. Enjoy!"

QNAP claim the hard-coded credentials in HBS 3 haven't been used, but point to the SQL Injection issue in the older firmware and Multimedia Console as the problem. Many, myself included, had these up to date at the time of the attack, but not the April 16 update of HBS 3. They did say to update HBS 3 afterwards in response to this attack, but still never released a Security Advisory about its injection issue. After the ransomware had started they put one out about the hard-coded credentials issue, but left out the injection issue.

I'm happy to be proven incorrect about any of this.

In regards to whether the HBS 3 vulnerability was the issue for most people, this was my last post about it. I'm still of the belief that it was the HSB 3 injection issue that was fixed 3 days before the attack and not the hard-coded credentials issue was that attack vector for most if not all people hit. I haven't seen anyone that I trust to give a correct answer say that they had HBS 3 version 16.0.0415 or didn't have HBS 3 installed before the attack. Even I made the mistake initially of thinking I had it up to date before I checked the event logs and saw I'd updated it between being attacked and realising I'd been attacked. It could also be the hard-coded credentials issue, but the only reason to suspect it isn't is taking QNAP at their word that it wasn't and they're not necessarily reliable right now.

I almost think they've been purposely obfuscating the fact that the injection vulnerability was in HBS 3 with how they usually only mention the old firmware and Multimedia Console updates, etc and their lack of mention about it in a Security Advisory. Most people I've seen have been pointing at the credentials issue in HBS 3.

[Mousetick]

I didn't read the advice and I shut down the NAS. Any Idea how to proceed now I have bypassed unknown recommendations?

Recommendation from the peanut gallery: turn the NAS back on, as soon as it's up, update Malware Remover and run it if it hasn't run automatically after the update. Then wait and hope that the ransomware will resume(*) encrypting files on your NAS.

This is not a joke. When you run the latest Malware Remover, it installs a "trap" that records the names of all files being encrypted, the encryption password, and skips the encryption. But for this to work, at least one encryption call has to be made to trigger the trap.

(*) Assuming you shut your NAS down while the ransomware was doing its job.

You can monitor whether the trap has caught anything by SSHing to the NAS and looking at the contents of the directory(*)

Code: Select all

/share/CACHEDEV1_DATA/.qpkg/MalwareRemover

and see if it contains a file named 7z.log, which you can copy elsewhere and open in a text editor.

(*) Assuming your System Volume is the first one, if not substitute CACHEDEV1_DATA with the corresponding volume name.

If there is nothing logged after quite a while, you're out of luck. The ransomware had finished its job by the time you shut down the NAS, or never resumed its job after you turned it back on. You will not be able to find out what password was used to encrypt your files.

[dolbyman]

nice feature....you would think they would loud and proud advertise this ..no ?

[Mousetick]

nice feature....you would think they would loud and proud advertise this ..no ?

They do... sort of.

viewtopic.php?f=45&t=160849&start=225#p787279

If you follow the manual installation steps posted at the KB article and download the linked 7z file, it's a small shell script that's a slightly modified version of what Malware Remover installs (the version installed by Malware Remover was posted by @jaysona some time earlier in this thread). You can open this script and see what it does, there's no secret.

On the other hand the QNAP rep on reddit says:

This is a hard one. You want more transparency on what malware remover is doing to your NAS. But the more transparent we are about how malware remover works, the more that information can be used against us in this hack attempt.

So at this time, we likely won't say much about what malware remover is doing. We are trying our best to stop this attack with Malware Remover and we won't say much about how exactly malware remover fighting Qlocker. Maybe in the future, we can say more. What I can say for now is the change being referred to is our attempt to fight Qlocker.

I think the lack of transparency from QNAP at this time may be due to not knowing for sure what vulnerability is being or has been exploited. The 7z "trap" walks up the process tree to find out from which (possibly QTS, if this is a command injection) program the encryption attack is launched.

[Mousetick]

I didn't read the advice and I shut down the NAS. Any Idea how to proceed now I have bypassed unknown recommendations?

Recommendation from the peanut gallery: ...
<snip>

On second thought, the chances that this would succeed are quite slim. By shutting down the NAS, you likely made the malware go "poof" as it may not have been installed in a persistent location on the NAS. So in order for the encryption to resume, and as strange as this may sound, the NAS would need to be re-infected. In other words it would need to present exactly the same configuration and vulnerabilities that it had when it was first compromised. No change in configuration on the router side, no security or firmware updates on the NAS side. And on top of that, whatever botnet is launching the attacks would have to reconsider the NAS as a potential target. It may have already flagged it as "done", in which case it might not retry it ever.

[One2go]

Been following this thread here and the one on the Bleeping Computer and can't quite make out what was the cause and how it happened and it looks like many others are also scratching their head since there is no definitive statement on what was the cause for this. That it could have come through several different avenues does not speak well for QNAP as is also evident by the furious disposition by many who have lost data and now have to spend money & time to get back where they were a few days ago.

I have three QNAO NASs and neither is infected and will give my configuration before and what I have done since I first came to know of the ransom attack. All three NASs are running Raid 1 to protect from disc failure therefore never backed them up. Nothing irreplaceable is stored on them, but I do run an Emby server on one of them and love it hate loose the metadata and will back that one up through a plugin.

First off my Router had the settings for UPnP hidden and so it was on by default. Since the attack UPnP has been turned off after Googling where to find the setting. Also port forwarding was present, admin was User Name but had a very difficult password and after 5 unsuccessful login attempts IP address was banned for a day. No such failed login attempts were recorded. This was the case for all three NASs and I know this is not very secure. However I don't understand where some of these risky apps come from like multimedia console can't find it on any of the NASs were they part of a newer firmware and thus installed and enabled by default?

First NAS a TS-239 Pro which is EOL now, it was running QTS version 4.2.6 (2018-10-26) had QSync Central & MyQNAPCloud enabled but had none of the other dodgy apps. After knowing of the attack UPnP, QSync Central & MyQNAPCloud were disabled and QTS is now version 4.2.6 Date: 2021/03/27. However the Malware Remover is version 3.6.0.2 nothing newer because I believe EOL is the reason.

Second NAS a TS-253 Pro was running QTS 4.3.6.0895 (2019-03-28) with MyQNAPCloud & UPnP enabled. QSync Central, Hybrid Backup and Media Streaming Add-On were not installed and I couldn't find the Multimedia Console anywhere. After knowing of the attack UPnP & MyQNAPCloud were disabled and have not changed the QTS version yet. The Malware Remover is version 3.6.1.1 now.

Third NAS a TS-253Be was running QTS 4.3.6.0867 (2019-02-28) with MyQNAPCloud & UPnP enabled. QSync Central, Hybrid Backup and Media Streaming Add-On were not installed and also I couldn't find the Multimedia Console anywhere. After knowing of the attack UPnP & MyQNAPCloud were disabled and have not changed the QTS version yet. The Malware Remover is version 3.6.1.1 now.

The TS-239 Pro has been running 24/7 since July 2009 and the others also for a few years. Never a single hiccup just just doing the job I bought them for. The reason I am hesitant to update the firmware is, because it could break some of my configuration or I have no idea what kind of Trojan horse QNAP put into the newer firmware. So until some of the fog lifts and we have a better idea what QNAP has done what we are confronted with and what we can expect, I am very hesitant to do any further changes.

I created a new Admin login account and than disabled the fault admin account, immediately the IP address of the PC that I used to make the changes was banned. Removed it, banned again. Left the default admin account enabled no longer PC's IP address being banned. That is one I will follow up on.

One positive thing of this whole debacle, my knowledge of Linux has greatly increased which I really didn't want since everything was running just fine.

[Moogle Stiltzkin]

anyone know what this is about? user claims he didn't expose nas but he got infected somehow?
https://www.reddit.com/r/qnap/comments/ ... &context=3

[dolbyman]

reads as if that user mistook the presence of 7z, with an infection

[jbennett360]

anyone know what this is about? user claims he didn't expose nas but he got infected somehow?
https://www.reddit.com/r/qnap/comments/ ... &context=3

Yeah I'd seen that.

I'm not buying it. I mean how else can the NAS be exploited if it can't be accessed from outside the LAN. It doesn't make any sense?

UPnP must have been enabled somewhere, or ports must have been forwarded.

It's the first one I've seen where that's been claimed too, so, I'd take it with a pinch of salt.

Edit: Not even sure he's been affected judging by another comment

Tbh, this latest thing has really caused me to reconsider using QNAP, I have a level of anxiety and apprehension that does not make me feel good. I have my files backed-up, but I am still nervous that I'll wake up one morning to a hacked NAS and a headache I would not want to deal with.

[oNFUsKYO]

A lot of you are giving QNAP too much credit and are almost "defending" this company... Please stop. It should NEVER be the end-user's fault for getting infected using (or not using) QNAP's own basic functionality/features. The end-user should not be getting blamed for attacks like these when it was one of QNAP's sole responsibilities to ensure the safety and security of all their users - from the front-end to the back-end. Unfortunately we were all failed by QNAP, who neglected to provide adequate protection and/or timely information to all of their users. There were no mass emails from this company urging people to upgrade the vulnerable apps - automatic updates/patches were not available (what if some of us could not get to our devices to update them manually in time?) - and very little effort was put towards ensuring the built-in functions of QNAP's devices did not contain backdoor-like entry-points. QNAP, in fact - did everything in their power to expose and endanger their userbase by forcing all sorts of bloat and unwanted/unneeded applications with each firmware upgrade. The blame falls on QNAP for failing to protect us. The end-user was (most likely) looking for a storage solution, but QNAP added backdoors and all sorts of Internet functionality to their storage devices that ~90%+ of users would never need to use.

[syncthing]

I think the lack of transparency from QNAP at this time may be due to not knowing for sure what vulnerability is being or has been exploited. The 7z "trap" walks up the process tree to find out from which (possibly QTS, if this is a command injection) program the encryption attack is launched.

looks like they don't know what the attack vector is ...
as right now the 7z script logs the process, how does qnap get this information later, can we assume that the malwareremover calls home and sending it - or will they only get it if some user ask them for help after his device got infected?

[Moogle Stiltzkin]

It's the first one I've seen where that's been claimed too, so, I'd take it with a pinch of salt.

agreed. i suspect there is more to it so i'll just wait and see for now

[Razorblade]

A lot of you are giving QNAP too much credit and are almost "defending" this company... Please stop. It should NEVER be the end-user's fault for getting infected using (or not using) QNAP's own basic functionality/features. The end-user should not be getting blamed for attacks like these when it was one of QNAP's sole responsibilities to ensure the safety and security of all their users - from the front-end to the back-end. Unfortunately we were all failed by QNAP, who neglected to provide adequate protection and/or timely information to all of their users. There were no mass emails from this company urging people to upgrade the vulnerable apps - automatic updates/patches were not available (what if some of us could not get to our devices to update them manually in time?) - and very little effort was put towards ensuring the built-in functions of QNAP's devices did not contain backdoor-like entry-points. QNAP, in fact - did everything in their power to expose and endanger their userbase by forcing all sorts of bloat and unwanted/unneeded applications with each firmware upgrade. The blame falls on QNAP for failing to protect us. The end-user was (most likely) looking for a storage solution, but QNAP added backdoors and all sorts of Internet functionality to their storage devices that ~90%+ of users would never need to use.

Totally agree. Makes no sense to blame a user because "you have your NAS connected to the Internet and you didn't manually uninstall all these apps, you didn't disable these features, you didn't.....". Well, yeah, this device was suuposed to be connected to the Internet, until I turns out that QNAP is a lame company with an unreliable product and incompetent engineers.
The result? $500 personal loss (not to mention the wasted time). Thank you QNAP. I'll never buy again.