No Mention of the QNAP Qlocker ransomware attack yet?
I have been affected: over 100k files encrypted, and the hackers want 0.01 BTC to give you the password.
Looks like QNAP left HARDCODED admin creds in the Hybrid Backup Sync app for the NAS devices, you know like a moron would leave in production code. Told about it over 4 months ago privately, and they ignored it. Was publicly disclosed on 31st March and guess what 3 weeks later loads of users having their files encrypted. QNAP only released a fixed update over 48 hours after attack started. More information and a thread for those affected here:
https://www.bleepingcomputer.com/for...-7z-read-metxt
Long thread but worth it.
One piece of advice if you are affected:
DO NOT REBOOT YOUR NAS
Read the info first, try and get the password for your files or it's a world of hurt - I know.
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Sounds like they may have a habit of hardcoding, given their previous issue was a hardcoded password in QES (their Operating System) such a short time ago, in which case they really need to audit all of their code to make sure it doesn't keep happening.
EDIT: For the sake of clarity, I am only talking about the previous situation, I have no idea what the current Qlocker situation affects, which may be both Consumer (QTS) and Enterprise (QES), I was just pointing out that I recalled hearing about a hardcoded password issue not too long ago too.
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Oh, so it affects machines running QES and not QTS... More chance of a payout for critical data on enterprise grade boxes I suppose, but you'd expect enterprise grade machines to utilise multi-tiered backups though, surely?
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Quote: Originally Posted by Spreadie
Oh, so it affects machines running QES and not QTS...
Where exactly does it say that?
If you based it on my post, when I made mine I was assuming that QES was their name for their OS that they used on all of their devices, I didn't realise that they do different OSes to differentiate between Enterprise and Consumer.
That was the result when I made a quick search for 'QNAP hardcoded password' or something like that as I recalled seeing a mention of such an issue not too long ago - but as I don't have any NASes, none of it applies to me anyway.
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Quote: Originally Posted by Output
Where exactly does it say that?
In the link you posted:
Hard-coded Password Vulnerability in QES
Release date: December 23, 2020
Security ID: QSA-20-19
Severity: High
CVE identifier: CVE-2020-2499
Affected products: QNAP NAS running QES
Status: Resolved
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Quote: Originally Posted by Spreadie
In the link you posted:
Ah, of course.
I thought you were talking about the Qlocker situation, which is obviously the current thing now, my link was the previous situation that I recalled hearing about as I said.
I haven't looked much through Darkedge's link, so it's possible that the current situation affects a different one or both OSes.
Re: No Mention of the QNAP Qlocker ransomware attack yet?
One lesson to be drawn from this is that it reinforces a point a lot of us here have made over a lot of years - RAID (by itself) whether in a NAS, or server, or even in a user PC, is not a backup.
It can be part of a good backup strategy. It can certainly be used to backup files for which the primary copy is elsewhere. But fundamentally, if the data matters, backup your RAID/NAS too.
This is one example of why. Another is, say, NAS PSU failure that takes out drives in the array, especially enough to kill the array. I had a PSU fail in a PC that physically blew large chunks out of chips on the controller board on a four drives in a PC (hardware) RAID. But there's any number of other susceptible points of failure too. Like .... fire or flood. Or a burglar nicking the damn NAS.
So, if the data matters, you need not just a backup, but a multi-layer strategy, including a copy that is at least offline, and preferably off-site.
It does take some thought. I break data down into several categories. Some is "archive". Previous year's tax returns, etc, would be one example, as are "master" image files, i.e. RAW photo files. Quite a bit of that is on optical disc. Some more data is constantly changing and I keep that on SSD, backed up to HD (not connected except when backing up) and to the NAS. Some other stuff can be recreated if necessary, though it'll be a pain. Yet more (old game saves) can be written off if lost. I might not be quite wanting to delete but I'm certainly not paying a ransom to get them back. And some data, in relatively small quantities, is on a set of USB memory sticks and a backup HD.
For me, it all depends on what the data is, how important it is, how fast I need access, do I need it 'online' (as in, to my network) at all, or can I plug it in when I need it, and so on. My backup plan reflects that, as does how I organise my data, and where I store it, in the first place.
Golden rule - if your data matters, plan for disasters. If it doesn't matter, well, then you won't be bothered much if disaster does hit, will you?
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Quote: Originally Posted by Spreadie
Oh, so it affects machines running QES and not QTS... More chance of a payout for critical data on enterprise grade boxes I suppose, but you'd expect enterprise grade machines to utilise multi-tiered backups though, surely?
You cannot mix QNAP and Enterprise grade in the same sentence. Regardless of what they tell you.
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Quote: Originally Posted by badass
You cannot mix QNAP and Enterprise grade in the same sentence. Regardless of what they tell you.
Erm, you can on one level. In fact, you can go a lot wider than that.
ANY data storage system with a portal to the outside world is susceptible to aggressive hostile action through that portal. The (IMHO) only certain way to completely eliminate that risk is to not have your data, or at least not the important data, exposed by not having a portal at all. And, obviously, while in some circumstances (like mine) that's viable, in most other people's it is either damned inconvenient, or just not an option.
That's certainly not to equate a QNAP consumer NAS, or (again, IMHO) any such NAS with enterprise systems, either in the hardware, firmware, integrated or external precautions, or expertise of the person running it. But nor is there usually equivalence in the value of the data.
I've been advocating, usually to some either derision or teasing, an air-gapped system for years, on here. While I've been running one for much longer, it came to the fore in discussions over the advisability of continuing to run Win 7, or even XP systems, given W8, 8.1 and then W10.
Now that I've effectively retired, and certainly don't have the same issues (or responsibility for data) that I used to have, my needs have changed. Which is partly why I now do (still very reluctantly) have some Win10 machines .... as well as XP, W7 and Linux. I don't have anything like the requirement for air-gapping that I used to have, but still have some such machines because, first, I'm already set up that way, and second, do not have either the confidence or, to be honest, the equipment, training, expertise or experience of a decent enterprise setup (or the need).
That said, high-end enterprise setups get hit too, not least, because the potential payback for the successful hacker, either in financial terms or for chaos and disruption if they are, for example, an unfriendly state actor, is so much higher. I seem to remember Ubiquiti (a step up from consumer-grade routers, etc) got hit recently and Dream Machine Pro took a reputational hit, both in hardware and reputational terms. If I get (or rather, got, past tense) hacked, it could have caused me problems if 3rd party data I had was lost, but in the terms of the wider commercial world, it's peanuts. I might lose data that HMRC require me to keep for a few years, but it's hardly earth-shattering. And I keep backups.
And in my view, backups is where it's at.
Every data user has to consider what data they have, what it is worth to them, what the implications of losing it would be, and what precautions are justified both in financial terms and time, effort and aggravation, in protecting it.
I break my data down according to a couple of categories. Mainly, what does it mean to me, and how often it changes. Stuff that is important, even just emotionally, like family photos, has no monetary value and, ultimately, doesn't change, goes into an "archive" category. I keep a couple of backups. One, on another HD, a second on an optical (and no, not CDR/DVDR etc, but MO or PD optical, etc). The third, of course, is the actual photo, transparency, negative or even in a few cases, video tape. My ultimate level backup of my wedding video stuff is the S-VHS tape (and before anyone says it, I do have a working S-VHS machine and the tapes are still okay, but either could fail as they're old).
But while that kind of stuff is on my primary storage for ease of access, as it's "archived" I don't include it in regular backups.
The other end of the spectrum is the "changes a lot" data, like accounting data or spreadsheets in regular use. That goes through my regular and frequent grandfather, father, son process.
A system like that suits me, but won't suit everybody. But ultimately, everybody, and I mean everybody has the final responsibility for deciding how important their data is to them, and what the "cost" of losing it, either to hackers or just simple hardware failure, would be. That includes Joe and Jane Public with a consumer NAS, or even an HD/SSD or two in their PC/laptop.
And unless, if the worst happens you don't much care, the onus of protecting it falls fairly and squarely on the data owner because everybody is at some level of risk.
Backups could be external (USB, maybe) HDs, or USB stick, could be CDR/DVDR, mag tape, a secondary (maybe remote) NAS, cloud service, whatever. Or nothing, if you're prepared to lose the data permanently should disaster strike. I can always do high-res rescans of the medium-format films copies of my wedding photos, because I bought the negatives and "all rights" from the photographer.
So while in most respects, a consumer-grade QNAP (or other brand) NAS is different from enterprise data storage, they still both come down to the user having to suitably protect it, or risk losing it.
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Quote: Originally Posted by Saracen999
Erm, you can on one level. In fact, you can go a lot wider than that.
I disagree. Nothing to do with this incident. A few years ago their attitude to their NAS devices deleting people's data (due to a bug in the Linux kernel) was to ignore it for many months. If they are capable of enterprise grade support, then they are capable of patching their products rather than waiting for others to do it for free. I remember on their forum when users complained about their attitude, the QNAP/Open source simps there told people to stop moaning and if it's such a big deal they should contribute to the fix.
Combine that with their inability to consistently release firmware without hardcoded credentials and they are in no way makers of enterprise grade kit. Modern software development methods make those kinds of bugs at worst one time only events.
EDIT: to clarify I mean that QNAP do not make kit that can be considered enterprise grade. Regardless of their marketing. Any data stored on their kit has substantial risk in all 3 parts of the CIA Triad (confidentiality, integrity and availability) even if you have a good backup regime.
EDIT EDIT: However as consumers you've not got much choice. No consumer grade NAS devices are particularly great for data storage. You either need to know far more than a layperson should have to on data storage and security or you just have to hope you are lucky.
Re: No Mention of the QNAP Qlocker ransomware attack yet?
Agreed on most of that. We're saying much the same, but in slightly different ways. But even Enterprise systems have vulnerabilities, but have had way more spent fixing them, protecting against risks, and employing people to do it.