QNAP: Patch Hybrid Backup Sync to block Qlocker ransomware attacks

QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.

"The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync)," the Taiwan-based NAS appliance maker said in a security advisory issued today.

"To prevent infection from Qlocker, we recommend updating HBS 3 to the latest version."

A massive Qlocker ransomware campaign started breaching QNAP NAS devices during the week of April 19, replacing victims' files with password-protected 7-zip archives.

While the attack vector was not known at the time, QNAP has now confirmed that the attackers abused the CVE-2021-28799 hard-coded credentials vulnerability.

This security flaw acts as a backdoor account, allowing attackers to access devices running out-of-date HBS 3 (Hybrid Backup Sync) versions.

QNAP added that CVE-2021-28799 has already been fixed in the following HBS 3 versions (HBS 2 and HBS 1.3 are not impacted):

  • QTS 4.5.2: HBS 3 v16.0.0415 and later
  • QTS 4.3.6: HBS 3 v3.0.210412 and later
  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
  • QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later
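As an added example, not code from QNAP or from this article, the following Python script audits a constructed inventory of NAS devices against the fixed-version table above, flagging units whose HBS 3 build is below the fix for their OS branch. Hostnames and version strings in the sample inventory are made up; the fixed versions come from the advisory list.

```python
import re

# Fixed HBS 3 versions from QNAP's advisory for CVE-2021-28799, keyed by
# OS branch. A device on one of these branches is patched when its HBS 3
# build is at or above the listed version. HBS 2 and HBS 1.3 are unaffected.
FIXED_HBS3 = {
    ("QTS", "4.5.2"): "16.0.0415",
    ("QTS", "4.3.6"): "3.0.210412",
    ("QTS", "4.3.3"): "3.0.210411",
    ("QTS", "4.3.4"): "3.0.210411",
    ("QuTS hero", "4.5.1"): "16.0.0419",
    # the advisory lists QuTScloud c4.5.1~c4.5.4 as one range
    **{("QuTScloud", f"4.5.{n}"): "16.0.0419" for n in range(1, 5)},
}


def parse_version(text):
    """Turn 'v16.0.0415', 'h4.5.1' or 'c4.5.3' into a comparable int tuple."""
    digits = re.sub(r"^[a-zA-Z]+", "", text.strip())
    return tuple(int(part) for part in digits.split("."))


def hbs3_status(os_name, os_version, hbs_version):
    """Classify one NAS as patched / vulnerable / not affected / unknown."""
    hbs = parse_version(hbs_version)
    if hbs[0] < 3:
        return "not affected"          # HBS 2 or HBS 1.3
    key = (os_name, ".".join(str(p) for p in parse_version(os_version)))
    fixed = FIXED_HBS3.get(key)
    if fixed is None:
        return "unknown"               # OS branch not covered by the advisory
    return "patched" if hbs >= parse_version(fixed) else "vulnerable"


def audit(inventory):
    """Return {hostname: status} for (host, os, os_version, hbs_version) rows."""
    return {host: hbs3_status(os_name, os_ver, hbs_ver)
            for host, os_name, os_ver, hbs_ver in inventory}


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "4.5.2", "v16.0.0415"),
    ("nas-02", "QTS", "4.3.6", "v3.0.210401"),
    ("nas-03", "QuTScloud", "c4.5.3", "v16.0.0419"),
    ("nas-04", "QTS", "4.5.2", "v2.1.0"),
    ("nas-05", "QuTS hero", "h4.5.0", "v16.0.0500"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```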

Even though this is not the first time QNAP has mentioned Qlocker exploiting the HBS 3 backdoor account, it is the first time the company has linked the flaw to the campaign's primary attack vector.

A warning that comes too late

Unfortunately for QNAP customers targeted in the Qlocker ransomware campaign, this warning comes too late since the threat actors behind these attacks have already stopped the onslaught.

However, this happened only after extorting hundreds of QNAP users and robbing them of $350,000 within a single month after forcing them to pay ransoms of 0.01 bitcoins (worth roughly $500 at the time) to obtain the password for their files.

Victim reports in our Qlocker support topic and BleepingComputer's tests confirmed that all of the Qlocker Tor sites are no longer accessible, leaving victims who had their NAS files locked in password-protected archives with no way to pay the ransom.

[Figure: ID Ransomware submissions from Qlocker victims during the last 31 days]

It is not yet clear what prompted Qlocker's sudden shutdown but what's certain is that it follows an ongoing trend that started after DarkSide hit Colonial Pipeline's systems.

DarkSide's unfortunate ransomware attack led to increased US law enforcement pressure on similar cybercrime operations. As a direct result, ransomware gangs started to either shut down entirely or restrict their targets to move out of law enforcement's crosshairs.

While Qlocker ransomware might have shut down, this is not the only ransomware currently targeting QNAP NAS devices.

During the last few weeks, QNAP customers were also urged to secure their devices against new Agelocker and eCh0raix ransomware campaigns.

Customers who want to further secure their NAS devices from attacks are advised to implement the following best practices.
