Thread: No Mention of the QNAP Qlocker ransomware attack yet?

  1. #1

    No Mention of the QNAP Qlocker ransomware attack yet?

    I have been affected, over 100k files encrypted, and the hackers want 0.01 BTC to give you the password.
    Looks like QNAP left HARDCODED admin creds in the Hybrid Backup Sync app for the NAS devices, you know like a moron would leave in production code. Told about it over 4 months ago privately, and they ignored it. Was publicly disclosed on 31st March and guess what 3 weeks later loads of users having their files encrypted. QNAP only released a fixed update over 48 hours after attack started. More information and a thread for those affected here:
    https://www.bleepingcomputer.com/for...-7z-read-metxt
    Long thread but worth it.

    One piece of advice if you are affected:

    DO NOT REBOOT YOUR NAS
    Read the info first, try and get the password for your files or it's a world of hurt - I know.

  2. #2
    HEXUS.Squirrel Output's Avatar

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Sounds like they may have a habit of hardcoding, given their previous issue was a hardcoded password in QES (their Operating System) such a short time ago, in which case they really need to audit all of their code to make sure it doesn't keep happening.

    EDIT: For the sake of clarity, I am only talking about the previous situation, I have no idea what the current Qlocker situation affects, which may be both Consumer (QTS) and Enterprise (QES), I was just pointing out that I recalled hearing about a hardcoded password issue not too long ago too.
    Last edited by Output; 26-04-2021 at 08:00 AM. Reason: Added clarification.

  3. #3
    Spreadie
    Guest

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Oh, so it affects machines running QES and not QTS... More chance of a payout for critical data on enterprise grade boxes I suppose, but you'd expect enterprise grade machines to utilise multi-tiered backups though, surely?

  4. #4
    HEXUS.Squirrel Output's Avatar

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Quote Originally Posted by Spreadie View Post
    Oh, so it affects machines running QES and not QTS...
    Where exactly does it say that?

    If you based it on my post, when I made mine I was assuming that QES was their name for their OS that they used on all of their devices, I didn't realise that they do different OSes to differentiate between Enterprise and Consumer.

    That was the result when I made a quick search for 'QNAP hardcoded password' or something like that as I recalled seeing a mention of such an issue not too long ago - but as I don't have any NASes, none of it applies to me anyway.

  5. #5
    Spreadie
    Guest

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Quote Originally Posted by Output View Post
    Where exactly does it say that?
    In the link you posted:

    Hard-coded Password Vulnerability in QES
    Release date: December 23, 2020
    Security ID: QSA-20-19
    Severity: High
    CVE identifier: CVE-2020-2499
    Affected products: QNAP NAS running QES
    Status: Resolved

  6. #6
    HEXUS.Squirrel Output's Avatar

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Quote Originally Posted by Spreadie View Post
    In the link you posted:
    Ah, of course.

    I thought you were talking about the Qlocker situation, which is obviously the current thing now, my link was the previous situation that I recalled hearing about as I said.

    I haven't looked much through Darkedge's link, so it's possible that the current situation affects a different one or both OSes.

  7. #7

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    One lesson to be drawn from this is that it reinforces a point a lot of us here have made over a lot of years - RAID (by itself) whether in a NAS, or server, or even in a user PC, is not a backup.

    It can be part of a good backup strategy. It can certainly be used to backup files for which the primary copy is elsewhere. But fundamentally, if the data matters, backup your RAID/NAS too.

    This is one example of why. Another is, say, NAS PSU failure that takes out drives in the array, especially enough to kill the array. I had a PSU fail in a PC that physically blew large chunks out of chips on the controller board on four drives in a PC (hardware) RAID. But there's any number of other susceptible points of failure too. Like .... fire or flood. Or a burglar nicking the damn NAS.

    So, if the data matters, you need not just a backup, but a multi-layer strategy, including a copy that is at least offline, and preferably off-site.

    It does take some thought. I break data down into several categories. Some is "archive". Previous year's tax returns, etc, would be one example, as are "master" image files, i.e. RAW photo files. Quite a bit of that is on optical disc. Some more data is constantly changing and I keep that on SSD, backed up to HD (not connected except when backing up) and to the NAS. Some other stuff can be recreated if necessary, though it'll be a pain. Yet more (old game saves) can be written off if lost. I might not be quite wanting to delete but I'm certainly not paying a ransom to get them back. And some data, in relatively small quantities, is on a set of USB memory sticks and a backup HD.

    For me, it all depends on what the data is, how important it is, how fast I need access, do I need it 'online' (as in, to my network) at all, or can I plug it in when I need it, and so on. My backup plan reflects that, as does how I organise my data, and where I store it, in the first place.

    Golden rule - if your data matters, plan for disasters. If it doesn't matter, well, then you won't be bothered much if disaster does hit, will you?
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  8. #8

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Quote Originally Posted by Spreadie View Post
    Oh, so it affects machines running QES and not QTS... More chance of a payout for critical data on enterprise grade boxes I suppose, but you'd expect enterprise grade machines to utilise multi-tiered backups though, surely?
    You cannot mix QNAP and Enterprise grade in the same sentence. Regardless of what they tell you.
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  9. Received thanks from:

    Apex (27-04-2021)

  10. #9

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Quote Originally Posted by badass View Post
    You cannot mix QNAP and Enterprise grade in the same sentence. Regardless of what they tell you.
    Erm, you can on one level. In fact, you can go a lot wider than that.

    ANY data storage system with a portal to the outside world is susceptible to aggressive hostile action through that portal. The (IMHO) only certain way to completely eliminate that risk is to not have your data, or at least not the important data, exposed by not having a portal at all. And, obviously, while in some circumstances (like mine) that's viable, in most other people's it is either damned inconvenient, or just not an option.

    That's certainly not to equate a QNAP consumer NAS, or (again, IMHO) any such NAS with enterprise systems, either in the hardware, firmware, integrated or external precautions, or expertise of the person running it. But nor is there usually equivalence in the value of the data.

    I've been advocating, usually to some either derision or teasing, an air-gapped system for years, on here. While I've been running one for much longer, it came to the fore in discussions over the advisability of continuing to run Win 7, or even XP systems, given W8, 8.1 and then W10.

    Now that I've effectively retired, and certainly don't have the same issues (or responsibility for data) that I used to have, my needs have changed. Which is partly why I now do (still very reluctantly) have some Win10 machines .... as well as XP, W7 and Linux. I don't have anything like the requirement for air-gapping that I used to have, but still have some such machines because, first, I'm already set up that way, and second, do not have either the confidence or, to be honest, the equipment, training, expertise or experience of a decent enterprise setup (or the need).

    That said, high-end enterprise setups get hit too, not least, because the potential payback for the successful hacker, either in financial terms or for chaos and disruption if they are, for example, an unfriendly state actor, is so much higher. I seem to remember Ubiquiti (a step up from consumer-grade routers, etc) got hit recently and Dream Machine Pro took a reputational hit, both in hardware and reputational terms. If I get (or rather, got, past tense) hacked, it could have caused me problems if 3rd party data I had was lost, but in the terms of the wider commercial world, it's peanuts. I might lose data that HMRC require me to keep for a few years, but it's hardly earth-shattering. And I keep backups.

    And in my view, backups is where it's at.

    Every data user has to consider what data they have, what it is worth to them, what the implications of losing it would be, and what precautions are justified both in financial terms and time, effort and aggravation, in protecting it.

    I break my data down according to a couple of categories. Mainly, what does it mean to me, and how often it changes. Stuff that is important, even just emotionally, like family photos, has no monetary value and, ultimately, doesn't change, goes into an "archive" category. I keep a couple of backups. One, on another HD, a second on an optical (and no, not CDR/DVDR etc, but MO or PD optical, etc). The third, of course, is the actual photo, transparency, negative or even in a few cases, video tape. My ultimate level backup of my wedding video stuff is the S-VHS tape (and before anyone says it, I do have a working S-VHS machine and the tapes are still okay, but either could fail as they're old).

    But while that kind of stuff is on my primary storage for ease of access, as it's "archived" I don't include it in regular backups.

    The other end of the spectrum is the "changes a lot" data, like accounting data or spreadsheets in regular use. That goes through my regular and frequent grandfather, father, son process.

    A system like that suits me, but won't suit everybody. But ultimately, everybody, and I mean everybody has the final responsibility for deciding how important their data is to them, and what the "cost" of losing it, either to hackers or just simple hardware failure, would be. That includes Joe and Jane Public with a consumer NAS, or even an HD/SSD or two in their PC/laptop.

    And unless, if the worst happens you don't much care, the onus of protecting it falls fairly and squarely on the data owner because everybody is at some level of risk.

    Backups could be external (USB, maybe) HDs, or USB stick, could be CDR/DVDR, mag tape, a secondary (maybe remote) NAS, cloud service, whatever. Or nothing, if you're prepared to lose the data permanently should disaster strike. I can always do high-res rescans of the medium-format film copies of my wedding photos, because I bought the negatives and "all rights" from the photographer.

    So while in most respects, a consumer-grade QNAP (or other brand) NAS is different from enterprise data storage, they still both come down to the user having to suitably protect it, or risk losing it.

  11. Received thanks from:

    Millennium (27-04-2021)
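
An added illustration of the grandfather-father-son rotation mentioned in the post above (not code from any poster): it selects which backup generations to retain and shows why the older ones matter when recent backups have already copied encrypted files. The retention counts, function names, sample dates and compromise date are assumptions constructed for the example.

```python
from datetime import date, timedelta


def gfs_keep(backups, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Map each retained backup date to its tier; counts are assumed values."""
    newest_first = sorted(set(backups), reverse=True)
    # Sons: simply the most recent backups.
    kept = {d: "son" for d in newest_first[:keep_daily]}
    # Fathers / grandfathers: newest backup in each recent ISO week / month.
    tiers = (
        ("father", keep_weekly, lambda d: tuple(d.isocalendar())[:2]),
        ("grandfather", keep_monthly, lambda d: (d.year, d.month)),
    )
    for tier, limit, bucket in tiers:
        seen = set()
        for d in newest_first:
            key = bucket(d)
            if key in seen:
                continue
            if len(seen) == limit:
                break
            seen.add(key)
            kept[d] = tier  # a longer-lived tier overrides a shorter one
    return kept


def prune(backups, kept):
    """Backups that fall outside the retention policy and may be deleted."""
    return sorted(set(backups) - set(kept))


def restore_point(kept, compromised_on):
    """Newest retained backup taken strictly before the compromise date."""
    clean = [d for d in kept if d < compromised_on]
    return max(clean) if clean else None


# Constructed sample: one backup per day for 120 days.
LAST = date(2021, 4, 26)
BACKUPS = [LAST - timedelta(days=n) for n in range(120)]

if __name__ == "__main__":
    kept = gfs_keep(BACKUPS)
    for d in sorted(kept, reverse=True):
        print(d.isoformat(), kept[d])
    print("prunable:", len(prune(BACKUPS, kept)))
    # Constructed scenario: files were encrypted on 2021-04-19 and every
    # later backup faithfully copied the encrypted versions.
    print("restore from:", restore_point(kept, date(2021, 4, 19)))
```

With only the seven daily copies retained, the same scenario leaves no clean restore point; the weekly and monthly generations are what survive a compromise that goes unnoticed for a week.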

  12. #10

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Quote Originally Posted by Saracen999 View Post
    Erm, you can on one level. In fact, you can go a lot wider than that.
    I disagree. Nothing to do with this incident. A few years ago their attitude to their NAS devices deleting people's data (due to a bug in the Linux kernel) was to ignore it for many months. If they are capable of enterprise grade support, then they are capable of patching their products rather than waiting for others to do it for free. I remember on their forum when users complained about their attitude, the QNAP/Open source simps there told people to stop moaning and if it's such a big deal they should contribute to the fix.

    Combine that with their inability to consistently release firmware without hardcoded credentials and they are in no way makers of enterprise grade kit. Modern software development methods make those kinds of bugs at worst one time only events.

    EDIT: to clarify I mean that QNAP do not make kit that can be considered enterprise grade. Regardless of their marketing. Any data stored on their kit has substantial risk in all 3 parts of the CIA Triad (confidentiality, integrity and availability) even if you have a good backup regime.

    EDIT EDIT: However as consumers you've not got much choice. No consumer grade NAS devices are particularly great for data storage. You either need to know far more than a layperson should have to on data storage and security or you just have to hope you are lucky.
    Last edited by badass; 27-04-2021 at 05:07 PM.

  13. #11

    Re: No Mention of the QNAP Qlocker ransomware attack yet?

    Agreed on most of that. We're saying much the same, but in slightly different ways. But even Enterprise systems have vulnerabilities, but have had way more spent fixing them, protecting against risks, and employing people to do it.
