
[RANSOMWARE] 4/20/2021 - QLOCKER

source link: https://forum.qnap.com/viewtopic.php?f=45&t=160849&start=450



P3R

Posts: 12602 Joined: Sat Dec 29, 2007 1:39 am Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Thu Apr 29, 2021 7:48 am

Mousetick wrote: You're talking specifically about QLocker attacks, right?
Yes.
I was only formulating a hypothesis of the QLocker attack vector based on indirect evidence gathered here and there. I don't claim to know specifically how it happened.
Both you and infotecmb made statements that made it sound as if your hypothesis was already a verified truth. That's why I asked both of you to clarify, as I have not seen Qnap confirm that the web admin port is the only way all of these vulnerabilities are being misused.

I'm trying to understand how the ransomware infects systems and exactly what exposure enabled the systems to become a target.

Security-oriented manufacturers have a section in their security advisories that explains the technical details to help more informed users understand how they can protect themselves, but as Qnap do their best to keep their customers in the dark, our only choice is to speculate and guess.
RAID has never been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID volume without a backup.

All data storage consists of both the primary storage and the backups. It's your money and your data: spend the storage budget wisely or pay with your data!

P3R

Posts: 12602 Joined: Sat Dec 29, 2007 1:39 am Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Thu Apr 29, 2021 8:13 am

OneCD wrote: So, QNAP sent a security bulletin from the marketing address? Someone at QNAP needs a kick in the pants.
You're right of course but I can think of a few more reasons they need some kicks.

One would have thought that they had learned from the Qsnatch disaster. After that they promised they would improve, yet here we are again a year later.

But now they really, really promise to improve so in the future we can all feel safe...
QnapDanielFL wrote: Our security should have been better. We are making it better now.

Mousetick

Been there, done that Posts: 918 Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Thu Apr 29, 2021 8:45 am

P3R wrote: Security-oriented manufacturers have a section in their security advisories that explains the technical details to help more informed users understand how they can protect themselves, but as Qnap do their best to keep their customers in the dark, our only choice is to speculate and guess.

You're right. It looks to me as if QNAP is more interested in protecting themselves than helping their customers.

I'm trying to understand how the ransomware infects systems and exactly what exposure enabled the systems to become a target.

Here are a couple more pieces of info to explain what likely happened.

1. Excerpt from security alert email sent by QNAP on April 21-22 while the attacks were in full swing:

(attachment: hbs1.png)
To "log in" to a device, you normally use the QTS login page. Both authentication and interaction with an application such as HBS are done via the QTS web port (8080, 443 by default). With this HBS vulnerability, you don't need to know any specific username or password: you use the hardcoded backdoor and you're in with admin user privileges. Furthermore, HBS had a command injection vulnerability, allowing execution of arbitrary commands. Both combined basically give complete control of the system.

2. Excerpt from a news article published by Bleeping Computer on April 22:
(attachment: hbs2.png)
QNAP removes backdoor account in NAS backup, disaster recovery app

P3R

Posts: 12602 Joined: Sat Dec 29, 2007 1:39 am Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Thu Apr 29, 2021 8:49 am

I received mails about Security Advisories related to Qlocker on the 19th (QTS and media streaming add-on) and on the 22nd (HBS).

To make sure you get notifications when Security Advisories are published:
  1. Go to the Qnap site
  2. Click the Sign-in button in the upper right corner and log in
  3. Click the icon that has replaced the Sign-in button in the upper right corner and select Account Center in the menu
  4. Click My Subscriptions and make sure you select at least Security Advisories before activating and saving your subscriptions.

P3R

Posts: 12602 Joined: Sat Dec 29, 2007 1:39 am Location: Stockholm, Sweden (UTC+01:00)

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by P3R » Thu Apr 29, 2021 9:29 am

Mousetick wrote: To "log in" to a device, you normally use the QTS login page. Both authentication and interaction with an application such as HBS, is done via the QTS web port (8080, 443 by default). With this HBS vulnerability, you don't need to know any specific username or password, you use the hardcoded backdoor and you're in with the admin user privileges. Furthermore HBS had a command injection vulnerability, allowing execution of arbitrary commands. Both combined basically give complete control of the system.
It doesn't clearly say that it's through the web admin page. I'm not saying this to criticize you, but I can't accept that the web admin port is the only way in until it's confirmed. Yes, it may be the most probable (it scales much better), but until it's confirmed by a reliable source, I consider that to be only your assumption, hypothesis or best guess.

You have an authentication in the RTRR server that is separate from the regular NAS user accounts, and the hardcoded account could also be such an HBS/RTRR-specific account. If so, the HBS vulnerability could be through an open RTRR port. With a command-injection vulnerability in HBS/RTRR on top of that, you could affect anything in QTS. I wouldn't at this point rule out the RTRR port as a separate attack vector.

wydeng

New here Posts: 4 Joined: Wed Apr 28, 2021 11:05 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by wydeng » Thu Apr 29, 2021 11:54 am

I asked QNAP why they didn't send out email. Here is the reply from the support:
"We issue an advisory when vulnerabilities are discovered. We cannot send the advisory emails unless subscribed as we need your consent to email you. "

and second reply:
"I understand that this is an emergency situation but if we sent out an unsolicited email notification to all contacts our email servers would get reported as spammers and would be blocked globally for all messaging. This is why the notifications require subscription."

I checked my Qnap account in the subscription section. There are 13 categories. The only category I didn't subscribe to was security bulletin. I don't believe I chose them. Must be some kind of default settings:
(attachment: subscription.JPG)

I am really worried about the other Qnap users who are still unaware of this problem. Qlocker is still out there searching for victims. Qnap can do better than this!


Mousetick

Been there, done that Posts: 918 Joined: Thu Aug 24, 2017 10:28 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Mousetick » Thu Apr 29, 2021 12:20 pm

P3R wrote: I can't accept that the web admin port is the only way in until it's confirmed. Yes, it may be the most probable (it scales much better), but until it's confirmed by a reliable source, I consider that to be only your assumption, hypothesis or best guess.

I wouldn't at this point rule out the RTRR-port as a separate attack vector.
Nobody outside QNAP can know for sure so I'd suggest you contact them and demand a straight answer from them.

I wouldn't mind if my best guess were proven wrong. Please share your confirmation once you have received it. Thanks

ColHut

Getting the hang of things Posts: 64 Joined: Sat Oct 14, 2017 12:13 am

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ColHut » Thu Apr 29, 2021 1:36 pm

QNAPDanielFL wrote:
agarceran wrote: Just noticed my files were encrypted... after I had rebooted to apply a firmware update.

Still waiting for any communication from QNAP whatsoever; could have avoided all this if they had just sent an email on the 21st, or 22nd... it is the 28th, for QNAP's sake. I have a partial backup of the most important files but some files are completely lost and I'm not paying. Worse, I discovered it just as I had to go to work, had to leave the NAS shut down and walk away, and I am feeling physically ill. Before I left home I thought it was one of my computers that was at fault, but now I found out it was the NAS that got hacked through the qnapcloud, and no, having the NAS disconnected from the internet is just like having a dumb USB drive. Sure, it was one of the cheap models and with only 5 TB hard drives, but it was advertised as having all those online capabilities I like to use... I am very, very disappointed and just bought a big USB drive to see what I can salvage...

Now I have to buy a boat, so I can repurpose this POS as a boat anchor, as suggested by a reddit post.

I am sorry this happened to you. Our security should have been better. We are making it better now.
I understand that disconnecting the NAS from the internet will remove much of its usefulness.
We have QVPN to let you access the NAS remotely in a secure way. Would a VPN allow you to remote access the NAS in all the ways you would need for your use case?

Daniel,

for a typical end user there is not much to show how all this VPN stuff works. There is a guide to set up your NAS(es) as VPN servers or clients with QVPN. There is a guide of sorts on using HBS. So maybe you have all six cans, but it is missing the plastic thingy that holds them all together. A guide for end users showing how to get them to work together and what needs to be enabled/disabled might be a good start.

Regards


ozstar

Know my way around Posts: 162 Joined: Mon Mar 13, 2017 3:33 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by ozstar » Thu Apr 29, 2021 1:38 pm

Well after days of frustration and reading and reading and reading and googling until I was on the verge of madness,

I tried again for the 3rd time to follow Xandl's tutorial to try and get my files back using PuTTy. The first times I got stuck and gave up. But thank heavens I tried once again.

I read it again and then went to the YouTube tutorial based on this script and followed it to the letter, slow and easy.

https://www.youtube.com/watch?v=qv9mri_xHg0

Guess what? It works !! At time of post 28k recovered 35 hours 46 mins to completion.

My files are being copied over as you read this. So far 20 directories full of about 20k files are now on my external Win 10 drive, with many per second being copied.

These are the files those scum criminals deleted after they encrypted them with 7z. The deleted files are still there for PhotoRec to retrieve.
They are not named except for numbers, but that is okay, I just have to rename them. Better than having to try and find them all again.

If you are struggling, follow the YouTube video and read the tutorial on the Bleeping Computer site.

NOTE: near the end of the YouTube tutorial, there are a couple of commands that are not in the web tutorial. I did what was on YouTube exactly and it does work. The YouTube

https://www.bleepingcomputer.com/forums ... -nas-hack/

Good luck to all and many thanks to xandl at Bleeping and TFI at YouTube.

dmccormack

Starting out Posts: 26 Joined: Wed Apr 27, 2011 9:13 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by dmccormack » Thu Apr 29, 2021 3:44 pm

I see in the latest firmware release notes that the firmware autoupdate is now enabled by default. After installing the update, I looked under Auto Update tab. But it is not very clear, if anything it is confusing.
You can now set a schedule to check and install updates (daily, weekly and monthly). And there are 2 check boxes underneath, Recommended Version and Latest Version.

I just want to turn off auto updates, I don't want the NAS randomly rebooting. There is no option under the scheduler to explicitly not schedule firmware updates and installs. If I uncheck both checkboxes, can I assume that the auto updates will not happen?

infotecmb

Starting out Posts: 23 Joined: Thu Sep 03, 2015 11:46 am Location: Canada

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by infotecmb » Thu Apr 29, 2021 4:33 pm

P3R wrote:

I was only formulating a hypothesis of the QLocker attack vector based on indirect evidence gathered here and there. I don't claim to know specifically how it happened.
Both you and infotecmb made statements that made it sound as if your hypothesis was already a verified truth. That's why I asked both of you to clarify, as I have not seen Qnap confirm that the web admin port is the only way all of these vulnerabilities are being misused.

I'm trying to understand how the ransomware infects systems and exactly what exposure enabled the systems to become a target.

Security-oriented manufacturers have a section in their security advisories that explains the technical details to help more informed users understand how they can protect themselves, but as Qnap do their best to keep their customers in the dark, our only choice is to speculate and guess.

Since day one of the attack, I do read all messages in this and bleepingcomputer QLocker topics.
My main unaffected QNAP with 80TB of data is powered off until I find out how this attack happened, to be 100% sure it is safe to turn it back on.
Meanwhile, I manually protect two other unaffected QNAPs that can't be unplugged.

We could make only assumptions based on the information disclosed by QNAP or their actions.

It looks like HBS 3 Hybrid Backup Sync is the main trouble, but:
1) we do not know if anyone with QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later was affected or not
2) when the next version of HBS 3 Hybrid Backup Sync > 16.0.0419 for QTS 4.5.2 will be released with the real fix, or at least with the junk code cleaned out
3) QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0419 released on 2021/04/22 does not have any security fixes

From the latest news:

Code:

HBS 3 Hybrid Backup Sync 3.0.210411
( 2021/04/29 )
[Applicable Models]
- End-of-life NAS models running QTS 4.3.3 or 4.3.4
 
[Important Notes]
- This is a security update for end-of-life NAS models running QTS versions 4.3.3 and 4.3.4.
 
[Security Updates]
- Fixed a security vulnerability.

It sounds like confirmation of the problem. Support for end-of-life products is a rare occasion and happens only in case of really serious issues.

The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of code with the word "walter".

Go to your QNAP and issue the following command (you can also download attached output):

Code:

cd /share/CACHEDEV1_DATA/.qpkg/HybridBackup/ ; grep -r -i walter *

Looks like "walter" is that hard-coded password when you see the following:

Code:

"pwd_plain": "walter"
"admin_pwd": "walter"
NAS_PWD=walter
SERVER_PLAIN_PWD=walter
enc_pwd = 'RWxKZEJRUUk=' # enc 'walter' then b64
'enc_pwd': 'VAEC'        # -->  'walter' --> fw encrypted
'enc_pwd': 'ElJdBQQI'    # -->  'walter' --> fw decrypted
"name": "waltershao"

I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: [email protected] or [email protected] in the code.

According to LinkedIn, Walter Shao is QNAP Technical Manager since 2013:

(attachment: walter.PNG)
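A defender-side version of the grep check in the post above, added here as an example; it is not part of infotecmb's post and not QNAP's code. It scans a directory tree (or the constructed sample below, whose file paths and contents are placeholders shaped like the quoted grep hits, not the real HBS files) for lines that assign a literal to a password-like key, and additionally files any base64 value under its decoded text, so that one secret stored in two encodings is reported as a single finding with several locations. The sample illustrates why that cross-reference matters: 'RWxKZEJRUUk=' base64-decodes to 'ElJdBQQI', the value on the next quoted line, which a plain grep for one spelling would miss.

```python
import base64
import binascii
import re
from pathlib import Path

# Constructed sample in the shape of the grep hits quoted in the thread.
# These are placeholders, not the real HBS files or paths.
SAMPLE_FILES = {
    "HybridBackup/etc/config.json": '{\n  "pwd_plain": "walter",\n  "admin_pwd": "walter"\n}\n',
    "HybridBackup/bin/start.sh": "NAS_PWD=walter\nSERVER_PLAIN_PWD=walter\n",
    "HybridBackup/lib/settings.py": "enc_pwd = 'RWxKZEJRUUk='  # encoded then b64\n"
                                    "name = 'backup'\n",
    "HybridBackup/lib/creds.json": '{"enc_pwd": "ElJdBQQI", "name": "waltershao"}\n',
}

# Key names that commonly carry a secret; wider than the single term grepped on the page.
# Matches   key = 'value'   key: "value"   KEY=value   with optional quotes on either side.
SECRET_LINE_RE = re.compile(
    r"""(?i)(?:pwd|passwd|password|secret|token|api_key)\w*['"]?\s*[:=]\s*['"]?(?P<value>[^'",\s]+)"""
)


def scan_text(path, text):
    """Return (path, line_no, value) for every line that assigns a literal to a secret-like key."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SECRET_LINE_RE.search(line)
        if m:
            hits.append((path, no, m.group("value")))
    return hits


def scan_files(files):
    """Scan an in-memory {path: text} mapping (used for the constructed sample)."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def scan_directory(root):
    """Scan a real directory tree, e.g. an installed QPKG directory, the way the page's grep does."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                files[str(p)] = p.read_text(errors="replace")
            except OSError:
                continue
    return scan_files(files)


def printable_b64(value):
    """If value is valid base64 that decodes to printable ASCII, return the decoded text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    if raw and raw.isascii() and raw.decode("ascii").isprintable():
        return raw.decode("ascii")
    return None


def cross_reference(hits):
    """Group hits by literal value. A base64 value is also filed under its decoded text, so
    the same secret stored in two encodings shows up as one entry with several locations."""
    refs = {}
    for path, no, value in hits:
        refs.setdefault(value, []).append((path, no, "literal"))
        decoded = printable_b64(value)
        if decoded is not None:
            refs.setdefault(decoded, []).append((path, no, "base64 of " + value))
    return refs


if __name__ == "__main__":
    # Replace scan_files(SAMPLE_FILES) with scan_directory("/path/to/.qpkg/SomeApp") for a real audit.
    for value, where in cross_reference(scan_files(SAMPLE_FILES)).items():
        print(f"{value!r}: {len(where)} location(s)")
        for path, no, how in where:
            print(f"    {path}:{no}  ({how})")
```

Values that decode to non-printable bytes (as 'ElJdBQQI' itself does) are deliberately not expanded, so the report only links encodings that a reviewer can read back; anything else still appears as its own literal entry.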

Razorblade

Starting out Posts: 10 Joined: Thu Apr 22, 2021 7:14 pm

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by Razorblade » Thu Apr 29, 2021 4:35 pm

wydeng wrote: [..]
I checked my Qnap account in the subscription section. There are 13 categories. The only category I didn't subscribe was security bulletin. I don't believe I chose them. Must be some kind of default settings:
[..]
Yes, those are the default bulletin subscription options.
You know, the bulletin is for marketing purposes, and it would not be beneficial to their business that people knew about all vulnerabilities of their products. So that category is disabled by default.
infotecmb wrote: [..]

Looks like "walter" is that hard-coded password when you see the following:

Code:

"pwd_plain": "walter"
"admin_pwd": "walter"
NAS_PWD=walter
SERVER_PLAIN_PWD=walter
enc_pwd = 'RWxKZEJRUUk=' # enc 'walter' then b64
'enc_pwd': 'VAEC'        # -->  'walter' --> fw encrypted
'enc_pwd': 'ElJdBQQI'    # -->  'walter' --> fw decrypted
"name": "waltershao"

I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: [email protected] or [email protected] in the code.

According to LinkedIn, Walter Shao is QNAP Technical Manager since 2013:

Thank you Walter Shao, best engineer ever! 👏👏👏👏👏 This is really good for your CV! Oh, and you owe a few people 0.01 BTC...


jacobite1

Easy as a breeze Posts: 375 Joined: Fri Aug 07, 2015 7:02 pm Location: London, England

Re: [RANSOMWARE] 4/20/2021 - QLOCKER

Post by jacobite1 » Thu Apr 29, 2021 4:53 pm

infotecmb wrote: Looks like "walter" is that hard-coded password when you see the following:

I have not checked if and how it works because Hybrid Backup Sync is currently disabled on my QNAPs.

The code has 27 occurrences of e-mails: [email protected] or [email protected] in the code.

According to LinkedIn, Walter Shao is QNAP Technical Manager since 2013:

(attachment: walter.PNG)

I would be laughing if this wasn't so utterly, utterly basic.

TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!

