Update: QNAP confirmed that Qlocker ransomware has used the removed backdoor account to hack into some customers' NAS devices and encrypt their files.
[T]he so-called Qlocker ransomware took advantage of one of the patched vulnerabilities in HBS to launch a hostile campaign, targeting QNAP NAS directly connected to the Internet with unpatched old versions of HBS.
QNAP has addressed a critical vulnerability allowing attackers to log into QNAP NAS (network-attached storage) devices using hardcoded credentials.
The hard-coded credentials vulnerability tracked as CVE-2021-28799 was found by Taiwan-based ZUSO ART in HBS 3 Hybrid Backup Sync, the company's disaster recovery and data backup solution.
The company says that the security bug is already fixed in the following HBS versions and advises customers to update the software to the latest released version:
- QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
- QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
- QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later
To update HBS on your NAS device, you have to log into QTS or QuTS hero as administrator. Next, search for "HBS 3 Hybrid Backup Sync" in App Center, and then click Update and OK to update the application (the Update option is not available if HBS is already up to date.)
While QNAP published the security announcing that CVE-2021-28799 was fixed today, the app's release notes for version 16.0.0415 lists it as fixed almost a week ago, on April 16th.
A QNAP spokesperson told BleepingComputer that the disclosure delay was caused by the additional time needed to release patches for QuTS hero and QuTScloud HBS versions (the security update for QTS was released six days ago).
QNAP also added that its PSIRT team has not found evidence of active exploitation of this vulnerability in the wild.
On the same day, QNAP fixed two other HBS command injection vulnerabilities, as well as two more critical vulnerabilities, a command injection bug in QTS and QuTS hero (CVE-2020-2509) and an SQL Injection vulnerability in Multimedia Console and the Media Streaming Add-On (CVE-2020-36195), that could allow attackers to gain full access to NAS devices.
Ongoing Qlocker ransomware campaign targeting QNAP users
Critical security bugs such as these allow threat actors to take over NAS devices and, in some cases, deploy ransomware to encrypt the users' files and ask hefty ransoms for a decryptor.
Threat actors are also known to take over NAS devices and use them to "proxy their connection to interact with the webshells they placed on these devices" and hide their malicious activity within regular remote work traffic, according to CISA.
QNAP told BleepingComputer that they believe a new ransomware strain known as Qlocker exploits the SQL Injection vulnerability (CVE-2020-36195) to encrypt data on vulnerable devices.
This is precisely what has been happening since at least April 19th, when attackers behind a massive campaign deploying a new ransomware strain known as Qlocker started moving QNAP customers' files in password-protected 7zip archives and asking for ransoms.
During these last four days, BleepingComputer's ransomware support forum has seen a considerable amount of activity, and ID-Ransomware has recorded a surge of Qlocker sample submissions from victims.
QNAP devices targeted by ransomware before
Qlocker is not the first ransomware to target QNAP devices, given that they are commonly used to store sensitive personal files and are the perfect leverage to force victims into paying a ransom to decrypt their data.
In June 2020, QNAP warned of eCh0raix ransomware attacks targeting Photo Station app security flaws.
eCh0raix (aka QNAPCrypt) returned one year later, trying to gain access to QNAP devices by exploiting known vulnerabilities and brute-forcing accounts with weak passwords.
QNAP also alerted customers in September 2020 of an AgeLocker ransomware campaign targeting publicly exposed NAS devices by exploiting older and vulnerable Photo Station versions.
QNAP customers are advised to go through the following procedure to secure their NAS devices and check for malware:
- Change all passwords for all accounts on the device
- Remove unknown user accounts from the device
- Make sure the device firmware is up-to-date, and all of the applications are also updated
- Remove unknown or unused applications from the device
- Install QNAP MalwareRemover application via the App Center functionality
- Set an access control list for the device (Control panel -> Security -> Security level)
Comments
ScottUS - 3 years ago
"the disclosure delay..." Does this mean we can create a class-action lawsuit? I am usually pretty good about regularly updating my firmware and software, but this Qlocker has totally and completely f-ed over my time-critical video production company. I have backups for about 90% of my material (and video files generally are fine due to size) but not the stuff I've been working on this week. They should have SHOUTED THIS UPDATE from the rooftops to protect us.
remy99c - 3 years ago
I saw the !!README.txt file on a single folder on my nas but none of my files are affected. i turned my nas off as soon as i noticed this morning, Now in the evening i read that qnap pushed firmware and app updates to fix this but my TS-453B is already on latest firmware although that one is from 2021-03-02. Should i still be worried or is all fine and am i safe?
serghei - 3 years ago
You can get help and more info in the Qlocker ransomware thread in our forum: https://www.bleepingcomputer.com/forums/t/749247/qlocker-qnap-nas-ransomware-encrypting-with-extension-7z-read-metxt/page-33#entry5171970
Satann - 3 years ago
it was updated yet again today, FYI. You probably want to be checking updates daily on all the apps.
serghei - 3 years ago
Yeah, QNAP changed CVE-2021-28799's description from 'hardcoded credentials' to 'improper authorization' — still a backdoor account in my books.
All this while the revision history info at the bottom of the advisory says they only revised acknowledgments.
Some-Other-Guy - 3 years ago
How to recover from disaster in your disaster recovery app
Chapter One:
Remove the hard-coded credentials vulnerability from backdoor account in a timely fashion before it is discovered
Chapter Two:
Pray nobody noticed
Chapter 3:
Make sure your one sided Licensing "Agreement" explicitly states that you are not to be held responsible for all of the problems you created, and that your Legislators received your protection money in a timely fashion
qnapsuxballs - 3 years ago
I am exploring class action against QNAP for this massive failure. If you are interested in participating please complete the Google form at https://forms.gle/Khzme6pERcNtbDAe9
I_hate_qnap - 2 years ago
Man I filled out that whole form.. and then thought about my hacked NAS box and got paranoid and closed it out!! I don't trust anything any more!! I'm down for a class action though!!
ttaylor3g - 3 years ago
Does anyone know of a command to delete the "!!!READ_ME.txt" files in all the folder besides doing this one by one?
ttaylor3g - 3 years ago
Nevermind, found a tool that will parse through the folder and locate the READ_ME.txt files and *.7z files. Makes the job much easier.