QNAP NAS Affected by Qlocker Ransomware, Company Advises Immediate Action to Secure Your Data

[btarunr]

QNAP Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, today issued a statement in response to recent user reports and media coverage that two types of ransomware (Qlocker and eCh0raix) are targeting QNAP NAS and encrypting users' data for ransom. QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices.

QNAP has released an updated version of Malware Remover for operating systems such as QTS and QuTS hero to address the ransomware attack. If user data is encrypted or being encrypted, the NAS must not be shut down. Users should run a malware scan with the latest Malware Remover version immediately, and then contact QNAP Technical Support at this page.



For unaffected users, it's recommended to immediately install the latest Malware Remover version and run a malware scan as a precautionary measure. All user should update their passwords to stronger ones, and the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version. Additionally, users are advised to modify the default network port 8080 for accessing the NAS operating interface. Steps to perform the operation can be found in the information security best practice offered by QNAP (https://qnap.to/3daz2n). The data stored on NAS should be backed up or backed up again utilizing the 3-2-1 backup rule, to further ensure data integrity and security.

For details, please refer to the QNAP security advisory QSA-21-11 (this page) and QSA-21-13 (this page).

QNAP Product Security Incident Response Team (PSIRT) constantly monitors the latest intelligence to deliver up-to-date information and software updates, ensuring data security for users. Once again, QNAP urges users to take the above-mentioned actions and periodically check/install product software updates to keep their devices away from malicious influences. QNAP also provides the best practice for improving personal and organizational information security. By working together to fight against cybersecurity threats, we make the Internet a safer place for everyone.

View at TechPowerUp Main Site

 

[TheUn4seen]

I understand that convenience is an important factor, but why would anyone think that exposing your data storage to the Internet is a smart thing? Firewall your damn NAS, update manually from an offline source or at least have a cold storage system with a reasonably frequent backup schedule.

 

[DeathtoGnomes]

I understand that convenience is an important factor, but why would anyone think that exposing your data storage to the Internet is a smart thing? Firewall your damn NAS, update manually from an offline source or at least have a cold storage system with a reasonably frequent backup schedule.

There are several ports intentionally left open by m$'s firewall that cant be closed. Why? IDK, but lets call it telemetry ports just to be silly. I can only guess why users are not using passwords for their pirated movieDATA storage, sharing with friends and neighbors maybe?

But this reads as if the malware was pre-installed and shipped.

 

[FreedomEclipse]

Qnap also suggested disabling the default admin user account. I have done this but this has caused all sorts of issues to do with user access rights and privileges even if i have the new admin account given full privileges and access to some folders and files.

NAS wont let new admin account access certain shared folders even though access privileges has been set up to include new admin account.
NAS wont let new admin delete files remotely when accessed remotely from an android device.
NAS wont let me cut/copy or paste data from NAS to my desktop with new admin account from within windows unless i disable Windows ACL

Ive checked the user priviledges loads of times and played around. I got shared folder access back but i still cant delete files if im using my tablet to access the NAS and i got my cut/copy paste back by disabling ACL

Ive been told that the Windows ACL function/feature is bugged and from what i read on their forums, It has been bugged for a long time.

 

[trparky]

There are several ports intentionally left open by m$'s firewall that cant be closed. Why? IDK, but lets call it telemetry ports just to be silly.

Where's your proof on that? Because last time I checked and yes, I actually did check, this isn't true at all. The port scans prove it. Stop spreading FUD.

 

[Solaris17]

Storage appliances facing the web has always confused me.

 

[newtekie1]

There are several ports intentionally left open by m$'s firewall that cant be closed. Why? IDK, but lets call it telemetry ports just to be silly.

What does that have to do with anything? If there isn't a service listening on those ports, it doesn't matter if they are open. And if you are behind a NAT firewall anyway, and your Windows PC doesn't have a public IP(by the way those ports are all closed by default if your network connection is set to public), then those open ports aren't accessible by the internet anyway.

I can only guess why users are not using passwords for their pirated movieDATA storage, sharing with friends and neighbors maybe?

Windows doesn't allow this by default either. You have to have a password to share data.

 

[destruya]

I have a QNAP TS-231P but nothing on it is vital - being able to access media anywhere on my laptop or phone is a good boredom alleviator. That still hasn't stopped ~skript kiddiez~ from probing it with brute force password attacks.

All the data I can't afford or don't want to lose/have compromised is air-gapped.

That being said, my next NAS will be *built*, not *bought*. In addition to this, QNAP's been slowly moving apps over to a micro-transaction model. They think they're being slick about it, but everyone who's paying attention knows what's up.

 

[DeathtoGnomes]

Windows doesn't allow this by default either. You have to have a password to share data.

Should have been clearer, wasnt thinking default.

What does that have to do with anything? If there isn't a service listening on those ports, it doesn't matter if they are open. And if you are behind a NAT firewall anyway, and your Windows PC doesn't have a public IP(by the way those ports are all closed by default if your network connection is set to public), then those open ports aren't accessible by the internet anyway.

Thats a big IF really.

 

[holyprof]

QNAP is a joke. Same thing happened 2 years ago. They just shrugged off and told the users it's their own problem. I know 2 people that were affected by that and lost everything.

Link from 2019 and they still haven't fixed it:
https://www.bankinfosecurity.com/report-new-ransomware-targets-qnap-storage-devices-a-12774
"A new ransomware strain called eCh0raix is targeting enterprise storage devices sold by QNAP Network by exploiting vulnerabilities in the gear and bypassing weak credentials using brute-force techniques, according to the security firm Anomali." Article from July 11, 2019

[insert facepalm meme here]

 

[newtekie1]

Thats a big IF really.

Not really. I'd say a very large majority of computers don't have public IPs.

 

[Chaitanya]

QNAP is a joke. Same thing happened 2 years ago. They just shrugged off and told the users it's their own problem. I know 2 people that were affected by that and lost everything.

Link from 2019 and they still haven't fixed it:
https://www.bankinfosecurity.com/report-new-ransomware-targets-qnap-storage-devices-a-12774
"A new ransomware strain called eCh0raix is targeting enterprise storage devices sold by QNAP Network by exploiting vulnerabilities in the gear and bypassing weak credentials using brute-force techniques, according to the security firm Anomali." Article from July 11, 2019

[insert facepalm meme here]

So they should drop Q from their brand name on urgent basis.

 

[R-T-B]

Not really. I'd say a very large majority of computers don't have public IPs.

But don't worry, IPv6 will fix this.

 

[DeathtoGnomes]

Not really. I'd say a very large majority of computers don't have public IPs.

I agree but that doesnt mean some hacker will visit your negihborhood looking for available connections. And we're back to learn2secure your network and devices.

But don't worry, IPv6 will fix this.

IPv6, I heard of that before, where....

 

[trparky]

But don't worry, IPv6 will fix this.

And on my router, I actually have to enable a rule firewall rule to pass IPv6 packets from the WAN side to the LAN side. Otherwise, the router stops incoming IPv6 packets for the LAN side and doesn't allow them through unless the LAN side device requested it.

 

[R-T-B]

And on my router, I actually have to enable a rule firewall rule to pass IPv6 packets from the WAN side to the LAN side. Otherwise, the router stops incoming IPv6 packets for the LAN side and doesn't allow them through unless the LAN side device requested it.

A good router will do this. I was sarcastically referring to the designers "dream spec" of ipv6, which essentially is an IoT world where every device has a public IP.

Yeah, that's a bad idea, just like it sounds.

IPv6, I heard of that before, where....

Most ISPs provide it now actually. Even Verizon and Comcast do.

 

[newtekie1]

I agree but that doesnt mean some hacker will visit your negihborhood looking for available connections. And we're back to learn2secure your network and devices.

Sure, that was a valid argument back when routers shipped with no WiFi password and WEP was the default security method. But not now.

 

[trparky]

designers "dream spec" of ipv6, which essentially is an IoT world where every device has a public IP.

Reminds me of the bad old days of the first cable modems, your Network Neighborhood was literally your neighborhood. With everything having a public IP your Network Neighborhood would be the whole damn planet. How they thought that was a good idea, I'll never know.