nimblefinger5 wrote: ↑Thu Jan 27, 2022 11:42 pm
> according to the release notes for the last firmware the following CVEs were patched. Any ideas if they could have caused any of the attack vectors in previous firmware
> CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25722, CVE-2021-3738, CVE-2020-25721, and CVE-2021-23192
> They all look related to samba escalations, just curious if samba is used for authentication onto the admin on the NAS as opposed to just samba for SMB connections

They are all Samba related issues, which means that when QNAP did their most recent update of Samba, all of these things got fixed. Not sure if any of these has anything to do with it though, but many of these flaws only became public in November 2021 (even the old 2016 one, which tells me it's an old bug that wasn't discovered until recently).
[RANSOMWARE] >>READ 1st Post<< Deadbolt
-
- Starting out
- Posts: 40
- Joined: Sat Jul 24, 2021 11:44 pm
Re: [RANSOMWARE] Deadbolt
-
- First post
- Posts: 1
- Joined: Thu Jan 27, 2022 11:13 pm
Re: [RANSOMWARE] Deadbolt
Ok.. in short... a lot of the files on my NAS (TS-453A) are infected. I don't think Qnap will pay the ransom to get the mainkey.
In the meantime, I turned off the NAS so no more files will be encrypted.
I'm afraid that all my files are lost, or I have to pay..
Or is there in Holland a company or person who can help..
-
- New here
- Posts: 9
- Joined: Tue Jul 05, 2016 5:32 pm
Re: [RANSOMWARE] Deadbolt
Hi,
Can someone post a step by step guide for removing deadbolt from a NAS 451 (or similar) instead of requesting for QNAP to remote connect and do it? Do you have to ssh in to the box?
- dolbyman
- Guru
- Posts: 33193
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Bankbiljet wrote: ↑Fri Jan 28, 2022 12:01 am
> Ok.. in short... a lot of the files on my NAS (TS-453A) are infected.

They are encrypted, not infected ... try to recover them with the qrescue program (after malware remover has removed the active infection)
https://www.qnap.com/static/landing/202 ... rescue/en/
Then kill the NAS and start from scratch .. have backups in the future ..
- dolbyman
- Guru
- Posts: 33193
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Has been explained many times in this thread .. it's a forum not a chat
viewtopic.php?f=45&t=164797&start=165#p808909
-
- New here
- Posts: 9
- Joined: Tue Jul 05, 2016 5:32 pm
Re: [RANSOMWARE] Deadbolt
dolbyman wrote: ↑Fri Jan 28, 2022 12:13 am
> Has been explained many times in this thread .. it's a forum not a chat
> viewtopic.php?f=45&t=164797&start=165#p808909

Yes, but a bit here and a bit there, all over the shop; if there were a simple step by step in one place there is a good chance people would use it instead of waiting for QNAP.
-
- Starting out
- Posts: 16
- Joined: Fri Jan 28, 2022 12:06 am
Re: [RANSOMWARE] Deadbolt
Confirmed getting hit with deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3.
This means the reported vulnerability (https://www.qnap.com/en/security-advisory/qsa-21-57) is not the one being exploited right now.
We only have QVPN and the WebUI open to the internet, so it has to be through one of these two services.
- dolbyman
- Guru
- Posts: 33193
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
WebUI is the worst thing to have exposed .. might as well forget about VPN altogether at this point .. smh
-
- Starting out
- Posts: 16
- Joined: Fri Jan 28, 2022 12:06 am
Re: [RANSOMWARE] Deadbolt
Agreed, that's why we have snapshots and offsite backups; know your risks and mitigate. But with no one at the office anymore, not having the WebUI available makes it really hard to manage the NAS.
We use VPN for other stuff. I had to disable OpenVPN completely a few weeks back because we got compromised through it ( shell expansion....like, seriously QNAP, that's like a 10yo exploit ). QNAP needs to remove all marketing regarding using these devices online for the common people. No way most SMBs understand the risks involved.
Last edited by dgagnon on Fri Jan 28, 2022 12:31 am, edited 1 time in total.
- dolbyman
- Guru
- Posts: 33193
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Why would you not use the VPN to manage the NAS? .. sorry, that makes no sense
-
- Starting out
- Posts: 16
- Joined: Fri Jan 28, 2022 12:06 am
-
- New here
- Posts: 3
- Joined: Tue Apr 22, 2014 8:54 am
Re: [RANSOMWARE] Deadbolt
SimonKenoby wrote: ↑Thu Jan 27, 2022 11:54 pm
> The good thing for me is that the encrypted files are not the important ones; the bad thing is, as they are not important, I didn't have any backup like for the more important ones...

Of course, but now with a bit less urgency. My backups are remotely located.
How did you identify those files as encrypted?
-
- First post
- Posts: 1
- Joined: Fri Jan 28, 2022 12:40 am
Re: [RANSOMWARE] Deadbolt
We have a client that has this issue, but no instructions file.
Not in the shares nor /mnt/HDA_ROOT etc.
Anyone have an idea where to search?
We also searched with find etc. to look in files for bitcoin etc. but no luck.
Some files are not encrypted... But the most part is...
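One way to answer the earlier question of how to tell which files on a share are actually encrypted, and to do the search the poster above ran with find more systematically: an added Python triage script that is not part of this thread and not QNAP's malware remover or qrescue. It samples the first block of each file and uses byte entropy to separate plain data from likely ciphertext; the 7.5 bits/byte threshold and the list of already-compressed formats (which score high on their own and are reported separately) are assumptions, and the sample share it builds is constructed data.

```python
import math
import os
import tempfile
from collections import Counter

# Hypothetical triage helper written for this thread (not QNAP's malware remover
# or qrescue). Already-compressed formats score high on entropy when healthy, so
# they are reported separately; the list and the 7.5 threshold are assumptions.
COMPRESSED_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mkv", ".mp3",
                   ".zip", ".gz", ".7z", ".rar", ".pdf", ".docx", ".xlsx"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform noise."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, sample_size: int = 4096, threshold: float = 7.5) -> str:
    """Return 'empty', 'compressed', 'plain' or 'encrypted?' for one file."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)  # the first block is enough to tell text from noise
    if not head:
        return "empty"
    if os.path.splitext(path)[1].lower() in COMPRESSED_EXTS:
        return "compressed"  # entropy alone cannot judge these; compare with a backup
    return "encrypted?" if shannon_entropy(head) >= threshold else "plain"

def triage_tree(root: str) -> dict:
    """Walk a share and map each file (path relative to root) to its verdict."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                verdicts[os.path.relpath(full, root)] = classify_file(full)
            except OSError as exc:  # unreadable file: record it rather than abort the walk
                verdicts[os.path.relpath(full, root)] = f"error: {exc}"
    return verdicts

def build_sample_share() -> str:
    """Constructed sample data (not from a real NAS) so the block runs offline."""
    root = tempfile.mkdtemp(prefix="share_")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly report draft\n" * 200)
    with open(os.path.join(root, "budget.csv"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for a file the ransomware overwrote
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(os.urandom(4096))  # healthy compressed media, also high entropy
    open(os.path.join(root, "empty.dat"), "wb").close()
    return root
```

Running `triage_tree("/share/path")` against a mounted share gives a per-file verdict map; files marked "encrypted?" are the ones to compare against snapshots or offsite backups before deciding what is lost.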
- dolbyman
- Guru
- Posts: 33193
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [RANSOMWARE] Deadbolt
Move the service to a dedicated appliance (firewall, raspi) .. my VPN never crashes ... fix your issues before you give up and invite the world to infect your NAS
-
- Starting out
- Posts: 16
- Joined: Fri Jan 28, 2022 12:06 am
Re: [RANSOMWARE] Deadbolt
Mine never crashes either. But that's legacy stuff I inherited. I am not retraining 25 tech-illiterate employees on how to use a different VPN configuration, plus adding additional systems that need to be managed (i.e. redundant pfSense or OpenVPN AS). I understand the risks, they are mitigated and I've said so. What are you harping about? I don't see any added value to your comment, you are just repeating the same thing over while complaining others are asking for things to be repeated O_o ?
I am reporting this information to assist QNAP and other users in identifying the source of the compromise.
Moreover, QNAP advertises these as internet-connected devices. If that is not true, then it's false advertising and they open themselves to suits. I run hundreds of internet facing web applications. It is doable and all it takes is a bit of security engineering.