QNAP Ransomware Attack - April 2021

leonardow9

Apologies in advance if this is formatted wrong but the community should know about this.

 

Summary

In short, there is an ongoing global ransomware attack affecting QNAP devices using a remote access exploit. Files are being encrypted into password-protected 7-Zip archives.

 

Quotes


A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.

The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. Since then, there has been an enormous amount of activity in our support forum, and ID-Ransomware has seen a surge of submissions from victims.

 

 

My thoughts

I'm posting this more as a PSA-style post since there will be people affected, such as a person I was beta-testing for. You can find their thoughts here: https://www.youtube.com/watch?v=S_4p68lDWfA (language warning, as he is less than happy).

In short, they are far from impressed that there was an exploit in the first place, and that his NAS was internet-facing without his knowledge.

 

Sources

https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/

I feel like this has happened before to QNAP, or something very very similar.

 

If I ever get a NAS box, I have no intention of connecting it to the internet. It will be a purely LAN interface.


5 minutes ago, Arika S said:

I feel like this has happened before to QNAP, or something very very similar.

If I ever get a NAS box, I have no intention of connecting it to the internet. It will be a purely LAN interface.

Yup, a little Googling shows there have been hacks in the past.

What infuriates me is that these storage boxes are advertised as user friendly or home based solutions yet are riddled with exploits and require knowledge rivalling someone who has studied CS, Networks and IT.

35 minutes ago, Arika S said:

I feel like this has happened before to QNAP, or something very very similar.

If I ever get a NAS box, I have no intention of connecting it to the internet. It will be a purely LAN interface.

Yeah, it happens quite a bit to these NASes with internet services. It happened to Synology boxes in 2019 with a dictionary attack, and this specific one covers more than just QNAPs. TerraMasters were also hit earlier this month by a UPnP vulnerability.

1 minute ago, gabrielcarvfer said:

Even then, what if you have a compromised device on your LAN? Online storage is literally waiting for a disaster to happen :x

Then everything else is already at risk. I doubt they'd just go for the NAS box.


Has the exploit been patched already? Does QNAP know of the exploit?

1 minute ago, dalekphalm said:

Has the exploit been patched already? Does QNAP know of the exploit?

Yes and yes. Though they have some models out of the support cycle that they plan to release a patch for soon.

They were notified via normal support channels back in October, but it was not acted on. Likely because their ticketing software is not equipped to handle stuff like that.

Companies like this really need a dedicated, easily accessible security hotline/email/point of contact. And ideally, bug bounty programs.

NAS systems for home users are a joke anyway and really shouldn't be a product. No average person who thinks password123 is secure should be allowed to own their own cloud storage system. Every NAS needs to be behind a firewall, and if you decide it needs to be on the open web you sure as heck better know what you're doing. Better yet, let's honestly get rid of UPnP for good so people have to manually open ports. I'm not joking, by the way.

13 minutes ago, SlidewaysZ said:

Better yet let's honestly get rid of UPnP for good so people have to manually open ports.

I, for one, don't wanna get rid of UPnP.

2 hours ago, dalekphalm said:

Has the exploit been patched already? Does QNAP know of the exploit?

Yes, QNAP says it's these two vulns the attackers are exploiting:

2 hours ago, bcredeur97 said:

Well we went ahead and updated our infrastructure just in case, so that's a relief.

5 hours ago, WereCatf said:

I, for one, don't wanna get rid of UPnP.

Why, what benefits do you get? Besides allowing every IoT device to be accessible from the internet by default.

1 minute ago, SlidewaysZ said:

Why, what benefits do you get?

I don't have to bother with manual port-forwarding, obviously.

2 minutes ago, SlidewaysZ said:

Besides allowing every IoT device to be accessible from the internet by default.

I don't buy ready-made IoT-devices, so no. Also, I have a separate, restricted VLAN for such devices anyways, should I ever need such.

2 hours ago, WereCatf said:

I don't have to bother with manual port-forwarding, obviously.

I don't buy ready-made IoT-devices, so no. Also, I have a separate, restricted VLAN for such devices anyways, should I ever need such.

If you can set up a separate VLAN, you can take 5 min to set up a port forward.

2 hours ago, SlidewaysZ said:

If you can set up a separate VLAN, you can take 5 min to set up a port forward.

I never said I can't, I said I don't want to.

11 hours ago, SlidewaysZ said:

Better yet let's honestly get rid of UPnP for good so people have to manually open ports.

Not all ISPs allow port forwarding or even allow the user access to the router WebUI.

Some ISPs charge a fee for opening ports.

 

Then there are some other issues if you have a service or device where someone outside the network needs to connect:

Spoiler

 

Some ISPs operate under a NAT64/CGNAT system where traditional port forwarding simply doesn't work.

Most residential connections use dynamic IP addressing and charge a fee for a static one (though services like No-IP exist).

Due to the way all the various ISPs are set up, IoT devices lean hard on UPnP as a crutch to bypass how each vendor's equipment works. If UPnP disappeared, these IoT devices wouldn't work on many ISP connection types, or at least the services that previously relied on UPnP wouldn't.

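Since the two posts above argue about UPnP opening ports on a home router on a device's behalf, here is an added, defender-side example (not code from this thread or from any vendor): a Python script that lists the port mappings a UPnP-enabled router currently holds, which is the quickest way to see whether a NAS or IoT box has punched a hole to the internet without anyone noticing. It uses the standard UPnP IGD pieces (SSDP M-SEARCH discovery, the WANIPConnection:1 service and its GetGenericPortMappingEntry action, which returns one mapping per index until the router answers with a SOAP fault). The live discovery only runs from the main block; the parser and the "is my NAS exposed" check are exercised on a constructed sample reply, and the NAS address 192.168.1.50 and the mapping description in it are made up for the example.

```python
"""Audit a home router's UPnP IGD port mappings (added example, not from the thread)."""
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")


def build_request(index: int) -> bytes:
    """SOAP body asking the router for the mapping at position `index`."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()


def parse_mapping(soap_xml: str):
    """Return the mapping fields as a dict, or None on a SOAP fault
    (a fault is how the router says 'no entry at that index')."""
    root = ET.fromstring(soap_xml)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    return {f: (root.findtext(f".//{f}") or "") for f in FIELDS}


def exposed(mappings, host_ip: str):
    """Enabled mappings that make `host_ip` reachable from the internet."""
    return [m for m in mappings if m["NewInternalClient"] == host_ip and m["NewEnabled"] == "1"]


def discover_control_url(timeout: float = 2.0):
    """SSDP discovery on the LAN; returns the WANIPConnection control URL or None."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n').encode()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(msg, ("239.255.255.250", 1900))
    try:
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    loc = re.search(rb"(?im)^LOCATION:\s*(\S+)", data)
    if not loc:
        return None
    location = loc.group(1).decode()
    desc = ET.fromstring(urllib.request.urlopen(location, timeout=timeout).read())
    ns = {"d": "urn:schemas-upnp-org:device-1-0"}
    for svc in desc.iterfind(".//d:service", ns):
        if svc.findtext("d:serviceType", namespaces=ns) == WANIP:
            return urljoin(location, svc.findtext("d:controlURL", namespaces=ns))
    return None


def list_mappings(control_url: str, limit: int = 256):
    """Walk the mapping table index by index until the router faults."""
    out = []
    for i in range(limit):
        req = urllib.request.Request(control_url, data=build_request(i), headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
        try:
            body = urllib.request.urlopen(req, timeout=3).read().decode()
        except urllib.error.HTTPError as err:  # IGD answers 500 with a SOAP fault body
            body = err.read().decode()
        mapping = parse_mapping(body)
        if mapping is None:
            break
        out.append(mapping)
    return out


# Constructed sample replies, shaped like a real router's answers (not captured traffic).
SAMPLE_REPLY = f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>8080</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>NAS web admin</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_FAULT = f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
</s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    url = discover_control_url()
    if url is None:
        print("No UPnP IGD router answered (UPnP may be disabled, which is the safer state).")
    else:
        for m in list_mappings(url):
            print(f'{m["NewProtocol"]} {m["NewExternalPort"]} -> '
                  f'{m["NewInternalClient"]}:{m["NewInternalPort"]} ({m["NewPortMappingDescription"]})')
```

Run it from a machine on the same LAN as the router. An empty list (or no router answering at all) is the outcome you want for a NAS that is supposed to be LAN-only; any entry pointing at the NAS address is a port the device or a UPnP-aware app opened by itself, and disabling UPnP on the router (or removing the mapping) closes it.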

7 hours ago, Windows7ge said:

Not all ISPs allow port forwarding or even allow the user access to the router WebUI.

Some ISPs charge a fee for opening ports.

 

Then there are some other issues if you have a service or device where someone outside the network needs to connect:


 

Some ISPs operate under a NAT64/CGNAT system where traditional port forwarding simply doesn't work.

Most residential connections use dynamic IP addressing and charge a fee for a static one (though services like No-IP exist).

Due to the way all the various ISPs are set up, IoT devices lean hard on UPnP as a crutch to bypass how each vendor's equipment works. If UPnP disappeared, these IoT devices wouldn't work on many ISP connection types, or at least the services that previously relied on UPnP wouldn't.

Oh no, IoT devices not usable outside your home, whatever should we do, such a tragedy that a massive amount of exploits and security holes would be gone. Sorry, I'm very cynical about IoT; to me all they are is security holes for attackers to walk through. If you need access to something remotely and UPnP was removed and port forwarding is removed, a VPN set up to remote into your network is always an option.

2 hours ago, SlidewaysZ said:

Oh no, IoT devices not usable outside your home, whatever should we do, such a tragedy that a massive amount of exploits and security holes would be gone. Sorry, I'm very cynical about IoT; to me all they are is security holes for attackers to walk through. If you need access to something remotely and UPnP was removed and port forwarding is removed, a VPN set up to remote into your network is always an option.

Just saying, a VPN wouldn't work without port forwarding, unless your router itself can host a VPN server (which most consumer ones cannot).

Is it just a matter of time before something like Google Cloud gets hit with some exploit that they never saw coming?

3 hours ago, SlidewaysZ said:

Oh no, IoT devices not usable outside your home, whatever should we do, such a tragedy that a massive amount of exploits and security holes would be gone. Sorry, I'm very cynical about IoT; to me all they are is security holes for attackers to walk through.

I agree with you on this. I'm not a proponent of IoT devices, where 99%, if not 100%, of them lack any real security against outside attackers. If you have to have the extra networking equipment and knowledge to lock these devices down using VLANs and firewall rules, you ought not use them at all.

39 minutes ago, dalekphalm said:

Just saying, a VPN wouldn't work without port forwarding, unless your router itself can host a VPN server (which most consumer ones cannot).

That's not true, Asus even has a FAQ on how to turn on OpenVPN: https://www.asus.com/support/FAQ/1008713/

Edited by SlidewaysZ
The problem with appliances such as QNAP in general is the paradigm that updates are to be installed manually. That's understandable for business use and advanced users. But for the majority of people, scheduling the install at 3am would be preferable to not updating at all. Synology at least provides automatic DSM updates; QNAP could learn a thing or two from them.

And before anyone sees this as controversial, do understand that IoT devices automatically update all the time; specifically the popular Ring and Nest thermostat devices.

1 hour ago, SlidewaysZ said:

That's not true, Asus even has a FAQ on how to turn on OpenVPN: https://www.asus.com/support/FAQ/1008713/

Yes and which specific routers does that apply to? I'd be surprised if it applies to all ASUS routers.

 

Aside from that, what about all of the other vendors? Because I can with 100% confidence say that other vendors do not always include VPN Server Hosting as a feature.

 

Additionally, if you're running CGNAT, then VPN hosting still won't work, because you'd need to port forward the VPN connection through the Carrier's NAT.

 

Granted, CGNAT isn't a problem for your typical North American hardline Internet connection (such as DOCSIS, etc), but in many places, CGNAT is becoming more and more common.

 

13 hours ago, Windows7ge said:

Not all ISPs allow port forwarding or even allow the user access to the router WebUI.

Some ISPs charge a fee for opening ports.

really? lol that is weird...

 

Also, I'm not sure why, but I tried turning off UPnP some time ago and nothing changed, I could still play online etc. Actually, port forwarding made it worse... I have pretty strange internet here though anyways.

 

 

2 hours ago, StDragon said:

Synology at least provides automatic DSM updates; QNAP could learn a thing or two from them.

I'm not quite sure what QNAP even is, I'm guessing a hard drive (NAS)? But I don't understand why there would be automatic updates if it isn't even connected to the internet?

And consequently, *if* it is connected, why no auto updates? My modem is 8 or so years old and has auto updates.

 

4 minutes ago, Mark Kaine said:

really? lol that is weird...

 

Also, I'm not sure why, but I tried turning off UPnP some time ago and nothing changed, I could still play online etc. Actually, port forwarding made it worse... I have pretty strange internet here though anyways.

 

 

I'm not quite sure what QNAP even is, I'm guessing a hard drive (NAS)? But I don't understand why there would be automatic updates if it isn't even connected to the internet?

And consequently, *if* it is connected, why no auto updates? My modem is 8 or so years old and has auto updates.

QNAP is a brand of NAS (network attached storage). Modern NASes are basically servers running custom OSes (typically some variation or custom version of Linux).

A NAS has HDDs (or SSDs) inside of it, but a NAS is basically a server "computer". They're considered "appliances" because they tend to be much easier to operate.
