[RANSOMWARE] Deadbolt

Sevenfeet
Starting out
Posts: 15
Joined: Sat Jul 24, 2021 11:44 pm

Re: [RANSOMWARE] Deadbolt

Post by Sevenfeet » Fri Jan 28, 2022 12:00 am

nimblefinger5 wrote:
Thu Jan 27, 2022 11:42 pm
According to the release notes for the last firmware, the following CVEs were patched. Any ideas if they could have caused any of the attack vectors in previous firmware?

CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25722, CVE-2021-3738, CVE-2020-25721, and CVE-2021-23192

They all look related to samba escalations, just curious if samba is used for authentication onto the admin on the NAS as opposed to just samba for SMB connections
They are all Samba related issues which means that when QNAP did their most recent update of Samba, all of these things got fixed. Not sure if any of these has anything to do with it though but many of these flaws only became public in November 2021 (even the old 2016 one which tells me it's an old bug that wasn't discovered until recently).

Bankbiljet
First post
Posts: 1
Joined: Thu Jan 27, 2022 11:13 pm

Re: [RANSOMWARE] Deadbolt

Post by Bankbiljet » Fri Jan 28, 2022 12:01 am

Ok.. in short... a lot of the files on my NAS (TS-453A) are infected. I don't think QNAP will pay the ransom to get the main key.
In the meantime, I turned off the NAS so no more files will be encrypted.
I'm afraid that all my files are lost, or I have to pay..
Or is there in Holland a company or person who can help..

jswain
New here
Posts: 9
Joined: Tue Jul 05, 2016 5:32 pm

Re: [RANSOMWARE] Deadbolt

Post by jswain » Fri Jan 28, 2022 12:02 am

Hi,

Can someone post a step-by-step guide for removing Deadbolt from a NAS 451 (or similar) instead of requesting QNAP to remote connect and do it? Do you have to SSH in to the box?

dolbyman
Guru
Posts: 27377
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman » Fri Jan 28, 2022 12:12 am

Bankbiljet wrote:
Fri Jan 28, 2022 12:01 am
Ok.. in short... a lot a the files on my NAS (TS-453A) are infected.
They are encrypted, not infected ... try to recover them with the QRescue program (after Malware Remover has removed the active infection)

https://www.qnap.com/static/landing/202 ... rescue/en/

Then kill the NAS and start from scratch .. have backups in the future ..

dolbyman
Guru
Posts: 27377
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman » Fri Jan 28, 2022 12:13 am

jswain wrote:
Fri Jan 28, 2022 12:02 am
Hi,

Can someone post a step-by-step guide for removing Deadbolt from a NAS 451 (or similar) instead of requesting QNAP to remote connect and do it? Do you have to SSH in to the box?
Has been explained many times in this thread .. it's a forum not a chat

viewtopic.php?f=45&t=164797&start=165#p808909

jswain
New here
Posts: 9
Joined: Tue Jul 05, 2016 5:32 pm

Re: [RANSOMWARE] Deadbolt

Post by jswain » Fri Jan 28, 2022 12:17 am

dolbyman wrote:
Fri Jan 28, 2022 12:13 am
jswain wrote:
Fri Jan 28, 2022 12:02 am
Hi,

Can someone post a step-by-step guide for removing Deadbolt from a NAS 451 (or similar) instead of requesting QNAP to remote connect and do it? Do you have to SSH in to the box?
Has been explained many times in this thread .. it's a forum not a chat

viewtopic.php?f=45&t=164797&start=165#p808909
Yes, but a bit here and a bit there, all over the shop. If there were a simple step-by-step in one place, there is a good chance people would use it instead of waiting for QNAP.

dgagnon
Starting out
Posts: 15
Joined: Fri Jan 28, 2022 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by dgagnon » Fri Jan 28, 2022 12:17 am

Confirmed getting hit with deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3.

This means the reported vulnerability (https://www.qnap.com/en/security-advisory/qsa-21-57) is not the one being exploited right now.

We only have QVPN and the WebUI open to the internet, so it has to be through one of these two services.

dolbyman
Guru
Posts: 27377
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman » Fri Jan 28, 2022 12:21 am

WebUI is the worst thing to have exposed .. might as well forget about VPN altogether at this point .. smh

dgagnon
Starting out
Posts: 15
Joined: Fri Jan 28, 2022 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by dgagnon » Fri Jan 28, 2022 12:29 am

dolbyman wrote:
Fri Jan 28, 2022 12:21 am
WebUI is the worst thing to have exposed .. might as well forget about VPN altogether at this point .. smh
Agreed, that's why we have snapshots and offsite backups; know your risks and mitigate. But with no one at the office anymore, not having the WebUI available makes it really hard to manage the NAS.

We use VPN for other stuff. I had to disable OpenVPN completely a few weeks back because we got compromised through it (shell expansion... like, seriously QNAP, that's like a 10-year-old exploit). QNAP needs to remove all marketing regarding using these devices online for the common people. No way most SMBs understand the risks involved.
Last edited by dgagnon on Fri Jan 28, 2022 12:31 am, edited 1 time in total.

dolbyman
Guru
Posts: 27377
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman » Fri Jan 28, 2022 12:30 am

Why would you not use the VPN to manage the NAS? .. sorry, that makes no sense

dgagnon
Starting out
Posts: 15
Joined: Fri Jan 28, 2022 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by dgagnon » Fri Jan 28, 2022 12:32 am

dolbyman wrote:
Fri Jan 28, 2022 12:30 am
Why would you not use the VPN to manage the NAS? .. sorry, that makes no sense
Because the service sometimes crashes and we have to reboot the NAS.

Kal Rubinson
New here
Posts: 3
Joined: Tue Apr 22, 2014 8:54 am

Re: [RANSOMWARE] Deadbolt

Post by Kal Rubinson » Fri Jan 28, 2022 12:38 am

dolbyman wrote:
Thu Jan 27, 2022 11:52 pm
Leaving the system as is would be crazy...reinfection could be only a matter of time
kill the NAS..restore from backups (has been said many times throughout the thread)
and of course disable all port forwards and upnp
Of course but now with a bit less urgency. My backups are remotely located.
SimonKenoby wrote:
Thu Jan 27, 2022 11:54 pm
The good thing for me is that the encrypted files are not the important ones; the bad thing is that, as they are not important, I didn't have any backup like for the more important ones...
How did you identify those files as encrypted?

kavaa
First post
Posts: 1
Joined: Fri Jan 28, 2022 12:40 am

Re: [RANSOMWARE] Deadbolt

Post by kavaa » Fri Jan 28, 2022 12:41 am

We have a client that has this issue, but no instructions file.

Not in the shares nor /mnt/HDA_ROOT etc.

Anyone have an idea where to search?

We also searched with find etc. to look in files for "bitcoin" etc., but no luck.

Some files are not encrypted... But the most part is...
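Two questions in the last few posts lend themselves to a small triage script: how to tell which files on a share are actually encrypted (Kal Rubinson's question above) and where to look for a ransom note when it is not where you expect it (kavaa's post). The script below is an added example, not code from this thread, from QNAP or from QRescue. It reads the head of every regular file under a mount point, computes byte entropy (ciphertext looks like uniformly random bytes, close to 8 bits per byte, while ordinary documents sit well below that), tallies flagged files by extension, and greps the readable, low-entropy files for the vocabulary a ransom note tends to contain. The 7.5 bits/byte threshold, the keyword list and the sample file tree are assumptions made for the example; the sample tree is constructed and is not data from anyone's NAS.

```python
"""Post-ransomware triage of a file tree: which files look encrypted, and
where is the note?  Added example; thresholds and sample data are assumptions."""
import math
import os
import random
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption, see caveat in the lead-in
SAMPLE_BYTES = 64 * 1024  # only read the head of each file; enough to classify
NOTE_KEYWORDS = ("bitcoin", "btc", "decrypt", "ransom", "your files")  # assumption


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, max 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def load_tree(root: str) -> dict:
    """Read the head of every regular file under root into {relpath: bytes}.

    Symlinks are skipped so a stray link cannot drag /proc or another volume
    into the scan; unreadable files are silently skipped."""
    tree = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    tree[os.path.relpath(path, root)] = fh.read(SAMPLE_BYTES)
            except OSError:
                continue
    return tree


def classify(tree: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Return {relpath: entropy} for files whose head looks like ciphertext."""
    flagged = {}
    for path, data in tree.items():
        head = data[:SAMPLE_BYTES]
        if len(head) < 256:
            continue  # too little data for entropy to mean anything
        h = shannon_entropy(head)
        if h >= threshold:
            flagged[path] = round(h, 3)
    return flagged


def extension_summary(paths) -> Counter:
    """Count flagged files by final extension.  Ransomware that renames what it
    encrypts shows up here as one extension dominating the table."""
    return Counter(os.path.splitext(p)[1].lower() or "(none)" for p in paths)


def find_notes(tree: dict, keywords=NOTE_KEYWORDS) -> list:
    """Low-entropy (readable) files mentioning ransom-note vocabulary, with the
    matched words, so a note dropped in an odd directory still turns up."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for path, data in tree.items():
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            continue  # ciphertext; a grep would only produce noise
        text = data.decode("utf-8", errors="ignore")
        found = sorted({m.group(0).lower() for m in pattern.finditer(text)})
        if found:
            hits.append((path, found))
    return sorted(hits)


def build_sample_tree() -> dict:
    """Constructed sample data (not from any real NAS): two plain files, two
    files of seeded random bytes standing in for encrypted ones, and a note."""
    rng = random.Random(2022)

    def ciphertext(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    return {
        "share/docs/readme.txt": b"Share layout: docs, photos, backups.\n" * 20,
        "share/docs/2021/minutes.txt":
            b"Quarterly report. Revenue was stable and costs rose slightly.\n" * 60,
        "share/docs/2021/budget.xlsx": ciphertext(8192),
        "share/photos/trip/day1.docx": ciphertext(8192),
        "share/docs/HOW_TO_RECOVER.txt":
            b"ALL YOUR FILES HAVE BEEN LOCKED\nSend 0.03 bitcoin to the address "
            b"below to receive the decryption key.\n",
    }


if __name__ == "__main__":
    import sys
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    flagged = classify(tree)
    print(f"{len(flagged)} of {len(tree)} files look encrypted")
    for path, h in sorted(flagged.items()):
        print(f"  {h:.3f}  {path}")
    print("flagged by extension:", dict(extension_summary(flagged)))
    for path, words in find_notes(tree):
        print("possible ransom note:", path, words)
```

Run it as `python3 triage.py /share` on the NAS (or on a mounted image of the volume) to scan real data; with no argument it runs against the constructed sample. One caveat a practitioner should keep in mind: files that are already compressed (JPEG, MP4, ZIP, office formats with embedded media) sit near 8 bits per byte before any ransomware touches them, so a high-entropy hit on such a file is only suggestive; the extension table and a comparison against a known-good backup or snapshot settle the question.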

dolbyman
Guru
Posts: 27377
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [RANSOMWARE] Deadbolt

Post by dolbyman » Fri Jan 28, 2022 12:46 am

dgagnon wrote:
Fri Jan 28, 2022 12:32 am
dolbyman wrote:
Fri Jan 28, 2022 12:30 am
Why would you not use the VPN to manage the NAS? .. sorry, that makes no sense
Because the service sometimes crashes and we have to reboot the NAS.
Move the service to a dedicated appliance (firewall, raspi) .. my VPN never crashes ... fix your issues before you give up and invite the world to infect your NAS

dgagnon
Starting out
Posts: 15
Joined: Fri Jan 28, 2022 12:06 am

Re: [RANSOMWARE] Deadbolt

Post by dgagnon » Fri Jan 28, 2022 1:02 am

dolbyman wrote:
Fri Jan 28, 2022 12:46 am
dgagnon wrote:
Fri Jan 28, 2022 12:32 am
dolbyman wrote:
Fri Jan 28, 2022 12:30 am
Why would you not use the VPN to manage the NAS? .. sorry, that makes no sense
Because the service sometimes crashes and we have to reboot the NAS.
Move the service to a dedicated appliance (firewall, raspi) .. my VPN never crashes ... fix your issues before you give up and invite the world to infect your NAS
Mine never crashes either. But that's legacy stuff I inherited. I am not retraining 25 tech-illiterate employees on how to use a different VPN configuration, plus adding additional systems that need to be managed (i.e. redundant pfSense or OpenVPN AS). I understand the risks, they are mitigated and I've said so. What are you harping about? I don't see any added value to your comment; you are just repeating the same thing over while complaining others are asking for things to be repeated O_o ?

I am reporting this information to assist QNAP and other users in identifying the source of the compromise.

Moreover, QNAP advertises these as internet-connected devices. If that is not true, then it's false advertising and they open themselves to suits. I run hundreds of internet-facing web applications. It is doable, and all it takes is a bit of security engineering.
