
New eCh0raix Ransomware Brute-Forces QNAP NAS Devices

P4-630

The Way It's Meant to be Played
Joined
Jan 5, 2006
Messages
9,688 (1.96/day)
Location
Vinewood
System Name Desktop / Laptop
Processor Intel i7 6700K @ 4.3GHz (1.180 V) / Intel i3 7100U
Motherboard Asus Z170 Pro Gaming / HP 83A3 (U3E1)
Cooling Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut + 5 case fans / Fan
Memory 16GB DDR4 Corsair Vengeance LPX 3000MHz CL15 / 6GB DDR4 Samsung 2400MHz CL15
Video Card(s) MSI GTX1070 Gaming X 8GB / Intel HD620
Storage Samsung 970 Evo 500GB + Samsung 850 Pro 512GB + Samsung 860 Evo 1TB / Samsung 256GB M.2 SSD
Display(s) 23.8" Dell S2417DG 165Hz G-Sync 1440p + 21.5" LG 22MP67VQ IPS 60Hz 1080p / 14" 1080p IPS Glossy
Case Be quiet! Silent Base 600 - Window / HP Pavilion
Audio Device(s) SupremeFX Onboard / Realtek onboard + B&O speaker system
Power Supply Be quiet! Straight Power 10 500 Watt CM / Powerbrick
Mouse Logitech MX Anywhere 2 Laser wireless / Logitech M330 wireless
Keyboard RAPOO E9270P Black 5GHz wireless / HP backlit
Software Windows 10 / Windows 10
"A new ransomware strain written in Go and dubbed eCh0raix by the Anomali Threat Research Team is being used in the wild to infect and encrypt documents on consumer and enterprise QNAP Network Attached Storage (NAS) devices used for backups and file storage.

"The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks," according to Anomali researchers, with victims originally reporting in a BleepingComputer forum thread that the following QNAP NAS devices were affected: QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS 253B.

QNAP Systems, the manufacturer of QNAP NAS devices, provides a list of steps that could allow ransomware victims to recover their data if the QNAP block-based snapshot feature was enabled, as described HERE."
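The article above says the affected devices were brute-forced with weak credentials. As an added example, not code from the article, from Anomali or from QNAP: a small Python detector that runs over constructed syslog-style authentication lines (the line format, hostname, usernames and addresses are assumptions for the demo, not QNAP's real log format) and flags source addresses that pile up failures against one account, spray several usernames from one address, or log in successfully right after a run of failures.

```python
"""Flag brute-force and password-spray patterns in authentication logs.

Added example, not from the article, Anomali or QNAP. The log lines below are
a constructed syslog-style format (assumption: QNAP's real logs differ), so
adapt LINE_RE to whatever your NAS or server actually writes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (hostname, users and addresses are invented).
SAMPLE_LOG = """\
2019-07-10T08:00:01 nas sshd: Failed password for admin from 203.0.113.7
2019-07-10T08:00:02 nas sshd: Failed password for admin from 203.0.113.7
2019-07-10T08:00:03 nas sshd: Failed password for admin from 203.0.113.7
2019-07-10T08:00:04 nas sshd: Failed password for admin from 203.0.113.7
2019-07-10T08:00:05 nas sshd: Failed password for admin from 203.0.113.7
2019-07-10T08:00:06 nas sshd: Accepted password for admin from 203.0.113.7
2019-07-10T08:00:10 nas sshd: Failed password for admin from 198.51.100.2
2019-07-10T08:00:11 nas sshd: Failed password for root from 198.51.100.2
2019-07-10T08:00:12 nas sshd: Failed password for backup from 198.51.100.2
2019-07-10T08:00:13 nas sshd: Failed password for guest from 198.51.100.2
2019-07-10T08:05:00 nas sshd: Failed password for alice from 192.0.2.9
2019-07-10T09:05:00 nas sshd: Failed password for alice from 192.0.2.9
2019-07-10T09:05:30 nas sshd: Accepted password for alice from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, ip); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(lines, fail_threshold=5, spray_threshold=3, window_seconds=60):
    """Return {ip: summary} for sources that look like credential guessing.

    brute force : >= fail_threshold failures from one IP inside the window
    spray       : >= spray_threshold distinct usernames failing from one IP
    success_after_failures : a later success from a flagged IP, the event that
                             most likely means a credential was actually guessed
    """
    recent = defaultdict(deque)  # ip -> failures (ts, user) still inside the window
    flagged = {}
    for ts, result, user, ip in parse(lines):
        q = recent[ip]
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the sliding window
        if result == "Failed":
            q.append((ts, user))
            users = {u for _, u in q}
            if len(q) >= fail_threshold or len(users) >= spray_threshold:
                entry = flagged.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after_failures": False}
                )
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"] |= users
        elif ip in flagged:
            flagged[ip]["success_after_failures"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample input, 203.0.113.7 is flagged for five failures against admin and then a success (the case to act on first), 198.51.100.2 is flagged for spraying four usernames, and 192.0.2.9 is not flagged because its two failures are an hour apart. The thresholds are starting points; what matters is that the window is short enough that a slow, patient guesser still trips the per-IP count over a day, which is what the next stage (a longer window or a daily roll-up) should cover.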

 
Joined
Nov 11, 2004
Messages
3,371 (0.63/day)
Location
Formosa
System Name Overlord Mk MX
Processor AMD Ryzen 7 3800X
Motherboard X570 Aorus Master
Cooling Corsair H115i Pro
Memory Viper Steel DDR4 3600MHz
Video Card(s) Galax GeForce GTX 1080 EXOC-SNPR
Storage 1TB WD Black NVMe (2018), 1TB WD Blue 3D NAND
Display(s) Asus PG27AQ
Case Corsair Carbide 275Q
Power Supply Corsair RM750
Mouse Logitech G500s
Keyboard Wooting Two
Software Windows 10
Benchmark Scores https://valid.x86.fr/ztiub6
Lovely, I can't believe the NAS guys keep having issues like this.
I'm glad I built my own, since no-one targets the third party NAS operating systems, or at least no-one has as yet.
 
Joined
Jun 28, 2015
Messages
574 (0.39/day)
Well, it doesn't really matter what brand of server you run; if it can be compromised by "brute forcing weak credentials" you shouldn't be running one.
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
26,299 (5.27/day)
Location
Indiana, USA
Processor Intel Core i7 8700K@4.8GHz(Quick and dirty)
Motherboard AsRock Z370 Taichi
Cooling Corsair H110i GTX w/ Noctua NF-A14 Fans
Memory 32GB Corsair DDR4-3000
Video Card(s) ASUS Strix GTX 1080Ti
Storage 500GB Crucial MX500 + 2TB Seagate Solid State Hybrid Drive with 480GB MX200 SSD Cache
Display(s) QNIX QX2710 1440p@120Hz
Case Fractal Design Define S
Audio Device(s) Onboard is good enough for me
Power Supply Corsair HX850
Software Windows 10 Pro x64
Lovely, I can't believe the NAS guys keep having issues like this.
I'm glad I built my own, since no-one targets the third party NAS operating systems, or at least no-one has as yet.
It's brute forcing weak credentials, so it really has nothing to do with it being a NAS.
 
Joined
Mar 10, 2010
Messages
6,456 (1.89/day)
Location
Manchester uk
System Name RyzenGtEvo
Processor Amd R5 2600X@4.1
Motherboard Crosshair hero7 @bios 2304
Cooling 360EK extreme rad+ 360$EK slim all push, cpu Monoblock Gpu full cover all EK
Memory Corsair Vengeance Rgb pro 3466cas16 16Gb in two sticks.
Video Card(s) Sapphire refference Rx vega 64 EK waterblocked
Storage Samsung Nvme Pg981, silicon power 1Tb samsung 840 basic as a primocache drive for, WD2Tbgrn +3Tbgrn,
Display(s) Samsung UAE28"850R 4k freesync, LG 49" 4K 60hz ,Oculus
Case Lianli p0-11 dynamic
Audio Device(s) Xfi creative 7.1 on board ,Yamaha dts av setup, corsair void pro headset
Power Supply corsair 1200Hxi
Mouse Roccat Kova
Keyboard Roccat Iksu force fx
Software Win 10 Pro
Benchmark Scores 8056 vega 3dmark timespy
It's brute forcing weak credentials, so it really has nothing to do with it being a NAS.
Sounds like someone got clever with an old mining rig or something. You're spot on though, the NAS bit is irrelevant.
 
Joined
Nov 11, 2004
Messages
3,371 (0.63/day)
Location
Formosa
I guess neither of you read the part about "exploiting known vulnerabilities in targeted attacks ".
QNAP, Synology, WD, D-Link and, I presume, Netgear, Thecus, Asustor, etc. are all quite bad at patching known exploits.
It was only a few years ago Synology had the same issue. If it's only affecting QNAP, of course it's only about NAS appliances and not about anything else.
How can you access someone else's NAS unless it's compromised somehow? Admittedly some people leave ports open for external access, but that's quite silly and shouldn't be a default behaviour of any NAS, yet that's what these "trusted" companies do.
I have in fact worked for QNAP and know how great they are when it comes to dealing with reports about serious software issues with their products. I had a government employee contact me when I worked there who had found multiple issues and no-one at the support team would touch it. Got to love that kind of shit.
 
Joined
Sep 7, 2017
Messages
3,183 (4.69/day)
System Name Grunt
Processor Intel i7-7820x
Motherboard MSI X299 Raider
Cooling Noctua NH-U12A
Memory Corsair LPX 3600 32GB (4x8GB)
Video Card(s) Powercolor Vega 64
Storage Intel 900p 280GB, 660p 2TB, Seagate Barracuda Pro 10TB
Display(s) Viewsonic VX2457, Samsung NU8000 TV
Case Corsair C70
Power Supply Corsair HX750
Software Win 10 Pro
I wonder how many of these are made for a singular/personal purpose.. and simply get leaked into the wild? What's the purpose of screwing everyone? I'm sure a lot of regular NAS consumers have nothing critical on them.
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
26,299 (5.27/day)
Location
Indiana, USA
I guess neither of you read the part about "exploiting known vulnerabilities in targeted attacks ".
No, I read the details on the hack, it brute forces weak credentials. The "known vulnerabilities" they're exploiting are not limiting login attempts or the time between login attempts, which exist on a lot of Windows and Linux server systems too.
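The point this reply turns on is login throttling. As an added example, not QNAP's code and nothing taken from the malware: an in-memory login handler with no limit on attempts beside one with per-account and per-source exponential backoff and a lockout, and a simulated online guesser run against both. The user database, the wordlist, the source address and the timings are constructed for the demo, and the PBKDF2 iteration count is deliberately low so it runs quickly.

```python
"""A login handler with no attempt limit beside one with backoff and lockout.

Added example, not QNAP's code and nothing from the malware: an in-memory
model of what "not limiting login attempts" costs, and one way to close it.
Users, wordlist, address and timings are constructed for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 1_000  # low so the demo runs in well under a second; use >= 100_000 for real


def make_record(password):
    """Salted PBKDF2-SHA256 password record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_password(record, password):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, record["hash"])  # constant-time comparison


# Constructed user database; the password is deliberately weak (it is in the wordlist below).
USERS = {"admin": make_record("hunter2")}
# Unknown usernames are checked against this throwaway record so response time
# does not reveal whether the account exists; the result is always discarded.
DUMMY_RECORD = make_record(os.urandom(16).hex())


class UnthrottledLogin:
    """Every guess is evaluated, at whatever rate the client can send."""

    def __init__(self, users):
        self.users = users
        self.evaluated = 0

    def login(self, user, password, src_ip, now_ms=0):
        self.evaluated += 1
        rec = self.users.get(user)
        return check_password(rec or DUMMY_RECORD, password) and rec is not None


class ThrottledLogin:
    """Exponential backoff per account and per source; lockout after max_failures."""

    def __init__(self, users, base_delay_ms=1000, max_failures=5, lockout_ms=900_000):
        self.users = users
        self.base_delay_ms = base_delay_ms
        self.max_failures = max_failures
        self.lockout_ms = lockout_ms
        self.failures = {}  # ("user", name) or ("ip", addr) -> (count, not_before_ms)
        self.evaluated = 0

    def login(self, user, password, src_ip, now_ms):
        keys = (("user", user), ("ip", src_ip))
        # Refuse before touching the password while either key is in its wait window.
        if any(now_ms < self.failures.get(k, (0, 0))[1] for k in keys):
            return False
        self.evaluated += 1
        rec = self.users.get(user)
        if check_password(rec or DUMMY_RECORD, password) and rec is not None:
            for k in keys:
                self.failures.pop(k, None)  # success clears the counters
            return True
        for k in keys:
            count = self.failures.get(k, (0, 0))[0]
            if count >= self.max_failures:  # an expired lockout starts a fresh count
                count = 0
            count += 1
            if count >= self.max_failures:
                not_before = now_ms + self.lockout_ms
            else:
                not_before = now_ms + self.base_delay_ms * 2 ** (count - 1)
            self.failures[k] = (count, not_before)
        return False


# Constructed wordlist: the real password sits at index 350.
WORDLIST = [f"password{n}" for n in range(350)] + ["hunter2"] + [f"qwerty{n}" for n in range(49)]


def run_attack(handler, user="admin", wordlist=WORDLIST, src_ip="203.0.113.7", interval_ms=50):
    """One guess every interval_ms from a single source; reports what got through."""
    for i, guess in enumerate(wordlist):
        if handler.login(user, guess, src_ip, now_ms=i * interval_ms):
            return {"found": guess, "evaluated": handler.evaluated}
    return {"found": None, "evaluated": handler.evaluated}


def demo():
    return run_attack(UnthrottledLogin(USERS)), run_attack(ThrottledLogin(USERS))


if __name__ == "__main__":
    weak, hardened = demo()
    print("no throttling:", weak)        # finds hunter2 after 351 evaluated guesses
    print("with throttling:", hardened)  # 5 guesses evaluated, then locked out
```

Against the unthrottled handler the guesser evaluates 351 passwords in under 20 seconds of simulated time and lands on the weak one; against the throttled handler only five guesses are ever checked before the 15-minute lockout, so the same wordlist gets nowhere. The per-account key is what a pure per-IP limit misses (a distributed guesser rotates sources), and the per-IP key is what stops a per-account lockout from being used to lock the real admin out on purpose; the lockout expiring rather than being permanent is the other half of that trade-off. None of this helps if the device still has a default password or its admin interface is reachable from the internet.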
 