Another small addendum from this week regarding QNAP security. The manufacturer QNAP has removed a backdoor, in the form of an account, from the disaster recovery app for NAS backup. In addition, QNAP NAS devices seem to have fallen victim to a widespread ransomware campaign.
I had noticed it during the week, but still had little time to blog about it. German reader Joachim S. had sent me a mail with a hint about it during the week (thanks for that):
Perhaps a hint for your blog. It seems that there are active attacks on QNAP systems. I have a colleague myself who has an encrypted QNAP at his customer's site.
As I wrote before – I didn't have the time to mention it in my blog right away – and whoever makes his vulnerable NAS systems reachable via the internet is lost anyway.
QNAP removes backdoor
This week there was a notification that the manufacturer QNAP has removed a critical vulnerability that allows attackers to log in to QNAP NAS (Network-Attached Storage) devices with hardcoded credentials. The vulnerability, CVE-2021-28799, was found by Taiwan-based ZUSO ART in HBS 3 Hybrid Backup Sync, QNAP's disaster recovery and data protection solution. QNAP then provided fixes for the following products:
- QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
- QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
- QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later
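The fixed builds above use two different numbering branches (3.0.x on QTS 4.3.6, 16.0.x elsewhere) and two different minimums within 16.0.x, so an installed HBS 3 version has to be compared against the row for its own platform. The following check is an added example, not QNAP's or this blog's code; the inventory entries and hostnames are constructed, and the firmware strings are assumed to be written as in the list above.

```python
# Added example. Minimum fixed HBS 3 builds per platform, copied from the list above.
FIXED = {
    "QTS 4.5.2": "16.0.0415",
    "QTS 4.3.6": "3.0.210412",
    "QuTS hero h4.5.1": "16.0.0419",
    "QuTScloud c4.5.1~c4.5.4": "16.0.0419",
}

def parse(version):
    """Turn '16.0.0415' into (16, 0, 415) so segments compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))

def platform_key(firmware):
    """Map a firmware string to a row of FIXED, or None if no fix is listed for it."""
    fw = firmware.strip()
    prefix = "QuTScloud c"
    if fw.startswith(prefix):
        # The advisory gives a range for QuTScloud, so test membership in it.
        in_range = (4, 5, 1) <= parse(fw[len(prefix):]) <= (4, 5, 4)
        return "QuTScloud c4.5.1~c4.5.4" if in_range else None
    return fw if fw in FIXED else None

def triage(firmware, hbs_version):
    """Return 'patched', 'vulnerable', or 'unknown' (platform not listed or bad input)."""
    try:
        key = platform_key(firmware)
        if key is None:
            return "unknown"
        return "patched" if parse(hbs_version) >= parse(FIXED[key]) else "vulnerable"
    except ValueError:
        return "unknown"

# Constructed sample inventory: hostnames and installed versions are made up.
INVENTORY = [
    ("nas-01", "QTS 4.5.2", "16.0.0415"),         # exactly the fixed build
    ("nas-02", "QuTS hero h4.5.1", "16.0.0415"),  # same build, but this platform needs 0419
    ("nas-03", "QTS 4.3.6", "3.0.210412"),        # 3.0.x branch, compared only within its row
    ("nas-04", "QuTScloud c4.5.3", "16.0.0335"),
    ("nas-05", "QTS 4.4.1", "16.0.0500"),         # platform not in the list above
]

def report(inventory):
    return {host: triage(fw, hbs) for host, fw, hbs in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

A result of "unknown" only means the list above names no fixed build for that firmware; such devices need to be checked by hand.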
QNAP recommends upgrading the HBS 3 Hybrid Backup Sync product to the latest version in this advisory dated April 23, 2021. But that comes a bit too late and falls short. The colleagues from Bleeping Computer write in this article about the relevant security alert from the manufacturer that the backdoor has been exploited, and quote the manufacturer:
QNAP confirmed that Qlocker ransomware has used the removed backdoor account to hack into some customers' NAS devices and encrypt their files.
There appears to be a number of users affected by Ransomware (QLocker) due to this vulnerability. Please Update your HBS3 version ASAP
QLocker ransomware attack on QNAP NAS
And this closes the circle to the hint from blog reader Joachim S. above that a colleague at a customer's site was standing in front of an encrypted QNAP system. This week there was a massive QLocker ransomware campaign that exploited the above-mentioned backdoor in QNAP products and encrypted systems accessible via the Internet.
Affected users then found their files on the QNAP NAS drives as password-protected 7zip archives. QNAP advises affected people not to turn off the device and to contact the manufacturer's support (reason unknown, but my guess is to restore the files due to the bug mentioned below). For a short time, there was probably a bug on the cybercriminals' side that allowed decryption – but that has since been fixed, as you can read in this tweet thread.
The colleagues from Bleeping Computer have picked this up in this article. In the above tweet, the colleagues from Bleeping Computer report that those behind the QLocker campaign were able to collect a good 260,000 US dollars in ransom in five days. No idea how big the group is among which this ransom sum has to be divided – but at around 500 US dollars per case, some people must have paid the required 0.01 bitcoin – motivating the gangs to further action.
Final question: when I see how often QNAP NAS drives are successfully attacked via ransomware, making them accessible via the Internet is a bad idea after all. As a QNAP user, how do you actually feel about this?
Follow up article: QNAP NAS ransomware attack wrap-up (April 2021)