cancel
Showing results for 
Search instead for 
Did you mean: 

QNAP Ransomware attack in April

Philip144
I plan to stick around

I was caught by a ransomware attack aimed specifically at QNAP devices.  It reached my LAN-based QNAP device at 1:52 am some days ago, but not my computers which were turned off at that time.  Research has stated that only QNAP devices were attacked.  I have several questions here, perhaps someone knows an answer or two.

1. How did the attackers know where to find my devices - possible a hack of the QNAP Customer and/or registered devices database wherein my IP address was stored,

2. What settings on my Arris Ignite TV Modem could have stopped this attack, and what are the other consequences of changing those settings.

 

***EDITED LABELS***

7 REPLIES 7

Re: QNAP Ransomware attack in April

-G-
Resident Expert
Resident Expert

@Philip144 wrote:

I was caught by a ransomware attack aimed specifically at QNAP devices.  It reached my LAN-based QNAP device at 1:52 am some days ago, but not my computers which were turned off at that time.  Research has stated that only QNAP devices were attacked.  I have several questions here, perhaps someone knows an answer or two.

1. How did the attackers know where to find my devices - possible a hack of the QNAP Customer and/or registered devices database wherein my IP address was stored,

First, I really feel bad for you that something like this happened.  I don't know much about the QNAP storage devices themselves so I have no idea how you could have been targeted or what specific attack vectors were exploited in your case.  There are MANY ways that you could have been compromised.

 

This issue has also apparently been known to QNAP for quite some time:

https://securingsam.com/new-vulnerabilities-allow-complete-takeover/

 

https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encryp...

https://www.bleepingcomputer.com/news/security/qnap-warns-of-agelocker-ransomware-attacks-on-nas-dev...

https://www.qnap.com/en/security-news/2021/response-to-qlocker-ransomware-attacks-take-actions-to-se...

https://www.qnap.com/solution/ransomware/en-us/

 

 

2. What settings on my Arris Ignite TV Modem could have stopped this attack, and what are the other consequences of changing those settings.

You don't have much control over the firewall rulesets on the Ignite gateways; you basically can only configure low/medium/high security levels... and even on low, it should be locked down enough to block access.  However, if you had configured Port Forwarding to your NAS to share files/media with friends or family (or did something similar) or holes got poked through your firewall via UPnP, you could have been an easy target.  That's why Rogers conducts security scans and warns customers when they detect vulnerable configurations.

 

If an attacker got access to your NAS from the inside e.g. by getting you to click on an infected attachment or visit a malicious website, infecting your computer or by infecting another device within your network, there's not much (if anything) that Rogers can do or could have done to protect you.

Re: QNAP Ransomware attack in April

-G-
Resident Expert
Resident Expert

This is pretty sad.  Just checked QNAP's Security Advisories and even their Malware Removal tool contained a command injection vulnerability: https://www.qnap.com/go/security-advisory/qsa-21-16

 

Re: QNAP Ransomware attack in April

Datalink
Resident Expert
Resident Expert

In the modem, disable UPNP, Port Forwarding and Port Triggering.  When Port Forwarding and Port Triggering have been disabled, delete any existing rules for Port Forwarding and Port Triggering.  When that is done, reboot the modem.

 

I had a quick look this morning and the only mention of how QNAP users were located were thru IP and port scans, probably using something like Shodun.  

 

So, reading thru the lines, I would guess that with UPNP enabled in the modem or router, a QNAP NAS sets it own Port Forwarding rules to open the ports that it uses for updates or any other purpose.  I would think that those ports also allow SSH or Telnet.  So, all an attacker has to do is scan thru an ISPs IP block, looking for any IPs with those specific ports open and most likely SSH or Telnet into the device.  If the device passwords for those paths have been left as default passwords, then the users are toast.  I'm assuming that there are passwords for SSH and/or Telnet or any other command path. 

 

Users have to explicitly lock down that device, changing all default passwords, locking out users to the Admin account and disabling SSH and/or Telnet and any other command path where a password can and should be used.  

 

From what I read thru quickly today, QNAP doesn't appear to explicitly explain the methodology by which users were attacked, ie; were forwarded ports used in conjunction with SSH, Telnet or any other command means?.  That's unfortunate as it leaves users wondering what steps they can take, if any to protect themselves. 

Re: QNAP Ransomware attack in April

-G-
Resident Expert
Resident Expert

@Datalink  Yeah, I agree.  Was also just looking at things like:

https://www.qnapworks.com/Features-Home-Sharing.asp

https://www.qnap.com/en/how-to/knowledge-base/article/how-to-share-the-files-on-nas-by-myqnapcloud

 

https://www.qnap.com/en-us/how-to/tutorial/article/how-to-enjoy-multimedia-content-stored-on-the-qna...

https://www.qnap.com/en/how-to/faq/article/how-do-i-set-up-port-forwarding-on-the-nas

 

Looks like they make it easy for you to get access to your stored data while you are "on the go", which significantly expands your attack surface... and QNAP does not seem to have a great track record either when it comes to security.

Re: QNAP Ransomware attack in April

Philip144
I plan to stick around

You guys are awesome, it is as I expected.  QNAP has lost my business, I have a TS-251 for sale - no drives, make me an offer.

Re: QNAP Ransomware attack in April

-G-
Resident Expert
Resident Expert

@Philip144 wrote:

You guys are awesome, it is as I expected.  QNAP has lost my business, I have a TS-251 for sale - no drives, make me an offer.


Thanks, but I think I'll pass. 🙂

Too bad you can't install something like FreeNAS on it.

Re: QNAP Ransomware attack in April

Philip144
I plan to stick around

System #4 is coming soon, so I can dedicate an older system to NAS backup duties and lock out all users but those I want, also no access from the Internet, just LAN-based systems.  I think Windows 10 Pro offers better and more conscientious security than QNAP.  Thanks for all the information and advice.

Topic Stats
  • 7 replies
  • 2810 views
  • 6 Likes
  • 3 in conversation