Thread: Another QNAP Ransomware attack - Deadbolt

  1. #1

    Another QNAP Ransomware attack - Deadbolt

    QNAP users be aware, it's ongoing.

    My first look suggests UPnP is probably the attack vector (my advice - disable UPnP unless you absolutely need it, it's a massive risk). Don't enable it in your router either, if you have the option, unless it's a necessity. It's a convenience getting games etc to work, but not so convenient if it blows a gaping hole in your firewall. That's my take, anyway - I disable it.

    More info on Bleeping Computer, QNAP themselves and a shout out for Robbie at NASCompares, which is where I saw it.
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  2. Received thanks from:

    Jonj1611 (28-01-2022)

  3. #2

    Re: Another QNAP Ransomware attack - Deadbolt

    I always have UPnP disabled, the boy moans because his Xbox moans, I tell him I don't care lol

  4. #3

    Re: Another QNAP Ransomware attack - Deadbolt

    I don't think I've ever had UPnP enabled for games since something like 2003, I can't think of any games that even require it.

  5. #4

    Re: Another QNAP Ransomware attack - Deadbolt

    Yeah the Xbox moans when he does connectivity tests, other than that nothing else in the house seems to care..

    QNAP again though, I remember when I used to swear by them, now all I hear is attack after attack..

  6. #5

    Re: Another QNAP Ransomware attack - Deadbolt

    Each of the major brands has had attacks in the last year or so.

    My guess would be that QNAP in a way are more open to it than, say, Synology, because their 'ecosystem' is more configurable. The Synology mindset is a bit more Apple-ish, i.e. lock it down more, and don't even give users the option. An example might be QNAP validating non-QNAP memory modules while Synology don't. More recently, I'm told, the same is applying to which HDs you can use.

    But when that extends to h/w or OS configuration options, there's a choice to be made. You can lock option-X off and not provide a way to change it, or you can default to 'off' but leave the final option to the user.

    Depending on what option-X is, it may be safer to lock it off but those users with enough understanding to know of the risks (and how to mitigate them) then simply can't do anything that might need option-X turned on.

    The Synology route is safer for those without the expertise (or with expertise, but not the need to bother) but at the price of restricting versatility. The QNAP route provides more versatility via configurability, but at the cost of increased risk if you get settings wrong.

    For me, that's precisely why I chose QNAP over Synology.

    The biggest example? Keeping firmware up to date. And, maintaining a good backup regime. If you keep firmware (and software versions) up to date, your exposure to ransomware drops dramatically. Not to zero, but much closer to it. If you keep on top of your backups, the most risk ransomware represents is the time and hassle of restoring.

    If you have the ability to set options in a more useful but less safe way, and don't keep on top of firmware, app versions, anti-virus/malware protection, and don't have firewalls etc set properly, then you're a juicy, low-hanging plum ripe for early picking.

    Another example. I still run a small private website/forum. I could self-host it, and FTP, on the NAS. I don't, though. They're on a separate (small) hosting site, and just about all incoming connections to the NAS are disabled, and certainly HTTP and FTP. I could use the Sync services to cloud backup into the NAS backup, but don't because it's one more risk surface I don't need or want badly enough to run the risk.

    But I like having far more configurability available, because then I'm the one deciding what risks I want to run and what measures to take to mitigate them, not Synology deciding for me.

  7. #6

    Re: Another QNAP Ransomware attack - Deadbolt

    Quote Originally Posted by Saracen999
    The Synology mindset is a bit more Apple-ish, i.e. lock it down more, and don't even give users the option. An example might be QNAP validating non-QNAP memory modules while Synology don't. More recently, I'm told, the same is applying to which HDs you can use.
    I think you are in danger of spreading some FUD here.

    I'm not aware of any Synology NAS that is incompatible with 3rd party RAM of the CORRECT specification. I am aware of some older models being very specific. Exactly the same is true of many server class motherboards (looking at you SMC). Having said that I needed to get the QEMU hypervisor working on a DS218+ last week and threw in an 8GB S0 DDR3 module that was sat on my desk for the last year, it worked just fine.

    The verified drives requirement is very new and only a couple of the enterprise class devices are enforcing it. It is not an uncommon requirement in the enterprise storage market, due to the much higher investments and service levels involved. You can imagine the damage WD's silent use of SMR caused to Synology. Will be interesting to see whether Synology try to push enforcement down the model line, and whether they get away with it if they try. Dell tried it and failed some years back. Enterprise customers didn't care too much as the support contracts had them choosing to pay the premium for Dell badged drives for years beforehand. When it got to the SME customers the push back was enough for Dell to water down 'enforced' to 'advised.'

    But when that extends to h/w or OS configuration options, there's a choice to be made. You can lock option-X off and not provide a way to change it, or you can default to 'off' but leave the final option to the user. Depending on what option-X is, it may be safer to lock it off but those users with enough understanding to know of the risks (and how to mitigate them) then simply can't do anything that might need option-X turned on.
    I fear you may be talking rubbish about something you have little practical experience with. Exactly what feature can be enabled on your QNAP that can not be enabled on a comparable Synology?

    Underneath the GUI both Synology and QNAP are using a Busybox stack. The architectures are remarkably similar. Synology may not expose a particular option to the GUI but that doesn't mean it can not be adjusted at the command line. I can't actually think of anything that I can do with a white box Linux server that I can not do with a Synology NAS. For those willing to venture into the unsupported world, the Synology Community repo has most of the packages you are ever likely to want. I've even managed to shoe-horn my own binaries into the Synology version of SystemD.

    The Synology route is safer for those without the expertise (or with expertise, but not the need to bother) but at the price of restricting versatility. The QNAP route provides more versatility via configurability, but at the cost of increased risk if you get settings wrong.
    Reading between the lines of the Deadbolt releases, it seems to me those customers who got infected failed to adjust defaults for features that are common to both QNAP and Synology devices.

    By all means check back on my earlier posts. I work with Synology, QNAP and Netgear NAS devices on a regular basis. Netgear Ready NAS is a little too dumbed down for my liking. QNAP provide better value hardware. However, I choose to run my business and spend my own money on Synology, because the software is, in my experience, more 'polished' and reliable. That does not mean Synology produce devices that are any less versatile than QNAP. It means the Synology developers appear to spend more time testing and taking the rough edges off. Whether such has anything to do with QNAP being targeted by exploits more often, I wouldn't like to say.

    Another example. I still run a small private website/forum. I could self-host it, and FTP, on the NAS. I don't, though. They're on a separate (small) hosting site, and just about all incoming connections to the NAS are disabled, and certainly HTTP and FTP.
    Turning off HTTP will break Let's Encrypt certificate renewal and that will not be acceptable for many SMEs. A home enthusiast may be fine negotiating a self-signed browser warning but with a 100 all comers the burden on the help desk would be a significant cost.

    But I like having far more configurability available, because then I'm the one deciding what risks I want to run and what measures to take to mitigate them, not Synology deciding for me.
    I doubt you have any more or less configurability. You have software packages with a history of being a little flaky around the edges of implementation. The inadequate testing imposes the risk and the history makes for an attractive target. Should the manufacturer deem your device unsafe to expose to the internet it is rendered rather less versatile than advertised.

  8. #7

    Re: Another QNAP Ransomware attack - Deadbolt

    Quote Originally Posted by matts-uk
    ...

    The verified drives requirement is very new and only a couple of the enterprise class devices are enforcing it.

    ...

    I fear you may be talking rubbish about something you have little practical experience with. Exactly what feature can be enabled on your QNAP that can not be enabled on a comparable Synology?

    Underneath the GUI both Synology and QNAP are using a Busybox stack. The architectures are remarkably similar. Synology may not expose a particular option to the GUI but that doesn't mean it can not be adjusted at the command line.

    ....
    The verified drives comment came to me from a comment from another member here that had already bought the drives only to find they were a problem with the Synology NAS he was proposing. Beyond that, I have no idea how new or extensive that is.

    .... doesn't mean it can not be adjusted at the command line.
    Okay, maybe I should have been a bit more specific in that I meant the OS, and specifically GUI, that the companies supply with their products. Also, that I was talking about my assessment of company mindset.

    I have absolutely no wish to start faffing about with command lines on my NAS. It's enough of a performance having to go through the GUI, but from that perspective, I'll stick to what I said - QNAP let you do more through the GUI than Synology. And both approaches have their advantages.

    Synology are too restrictive for what I wanted. Faffing about with command line is too much like hard work. I'm retired now, and just want something that I can get to do what I want it to do, as quickly and easily as possible.

    Some users will want less faff and less configurability than I do. Synology may be their best option. Some will want more, in which case they could always go Unraid, etc. Some may pick either, or something else, for hardware options and be happy to, or even enjoy tinkering with the command line. If I never see another command line for as long as I live, it'll be too soon.

    If you're looking for a detailed discussion about the pros and cons of this or that brand of NAS, I'm certainly not the one for it. I don't actually give a hoot. My comment was about why I think QNAP are a bit ahead of Synology in recent ransomware targets, which is that they have more configurability in the OS (GUI) and therefore more options for an unwary user to turn something on (or not turn it off) not realising the risk it might entail.

    If that user has the ability to find, let alone manipulate the OS at, command line level I'd say it's a pretty fair bet they'll have an understanding of the risks of exposing certain options. But for many/most home users, and maybe even more so for small business uses, when they take the product out of the box and plug it in, someone has to set it up. That may be a home user, or a dentist, accountant or shop owner. If they can't see an option in the GUI, they're probably not going to turn it on or off. If that option is set to off, Synology are the more secure if that user isn't tempted to turn it on, but less versatile. If it is set to on, and a few options on my QNAP were, then it's safer to turn them off but at the cost of lost versatility.

    In my case, I'd rather host that small website on a remote (and professionally managed) hosting company and keep the NAS ability to accept incoming HTTP and FTP turned off. There's nothing I need to do on the NAS that needs to accept incoming internet communications via either. Ditto UPnP. So I take the more secure option and just turn them off. Some users may well want to be able to connect to their home (or business) NAS remotely, so will have different needs to me. And yes, I'm fine with self-signed certificates .... though it took some head-scratching to get there. A lot of people I know would not be .... including some more than capable of it but, like me, with zero inclination to faff about unnecessarily.

    So the difference in 'mindset'? To me, neither is right or wrong, better or worse. It all depends what the individual user wants, but some will be better suited to one than the other. And some more will build an unraid server. Horses for courses.

  9. #8

    Re: Another QNAP Ransomware attack - Deadbolt

    Quote Originally Posted by Saracen999
    The verified drives comment came to me from a comment from another member here that had already bought the drives only to find they were a problem with the Synology NAS he was proposing. Beyond that, I have no idea how new or extensive that is.
    At the moment only 12 bay rack and desktop units are affected by the new policy. I've just placed an order for one of last year's 8 bay rack models, which gives me about 5 years to hope they change their minds.

    Okay, maybe I should have been a bit more specific in that I meant the OS, and specifically GUI, that the companies supply with their products. Also, that I was talking about my assessment of company mindset.

    I have absolutely no wish to start faffing about with command lines on my NAS. It's enough of a performance having to go through the GUI, but from that perspective, I'll stick to what I said - QNAP let you do more through the GUI than Synology. And both approaches have their advantages.

    Synology are too restrictive for what I wanted. Faffing about with command line is too much like hard work. I'm retired now, and just want something that I can get to do what I want it to do, as quickly and easily as possible.
    If you are going to claim one device is more restrictive than another, I think you should be specific.

    What can you do with the QNAP GUI that you can not do with the Synology GUI? The devices have very similar GUI facilities.

    Some users will want less faff and less configurability than I do. Synology may be their best option. Some will want more, in which case they could always go Unraid, etc.
    Sorry, just not seeing the clear differentiation between QNAP and Synology devices in what you say. A Ready NAS is clearly different, for those who want a remote hard disk without the learning curve of more sophisticated server facilities. An Unraid box is clearly different, as it comes with the faff of sourcing compatible hardware (amongst other things).

    My comment was about why I think QNAP are a bit ahead of Synology in recent ransomware targets, which is that they have more configurability in the OS (GUI) and therefore more options for an unwary user to turn something on (or not turn it off) not realising the risk it might entail.
    It would be the QNAP being more configurable that I am taking issue with. I don't recall QNAP QTS providing significantly different options to Synology DSM. My overriding impression of the devices, the functionality and feature sets is how similar they are. As I remember the differences are in the availability of software packages and reliability of software features. I appreciate I spend significantly more time in DSM than QTS and may have neglected or forgotten something, which is why I am pressing. If it turns out the devices are equally configurable, near as damn it, I would think it more likely my gut feeling is right and QNAP have prioritised time to market ahead of software testing and quality control (with the negative consequence we know it has on security).

    Some users may well want to be able to connect to their home (or business) NAS remotely, so will have different needs to me. And yes, I'm fine with self-signed certificates .... though it took some head-scratching to get there. A lot of people I know would not be .... including some more than capable of it but, like me, with zero inclination to faff about unnecessarily.
    My comment was aimed more towards QNAP's somewhat trite mitigation advice. Turning off HTTP is not something you can just do even if you only access the NAS on the LAN - Unless you want 50 users calling the IT every time they see a dire self-signed warning.

  10. #9

    Re: Another QNAP Ransomware attack - Deadbolt

    Quote Originally Posted by matts-uk
    ....

    If you are going to claim one device is more restrictive than another, I think you should be specific.

    What can you do with the QNAP GUI that you can not do with the Synology GUI?

    ....
    The thread was simply a heads-up about Deadbolt. I happened to mention, incidentally, why I think QNAP has had a bit more ransomware attention in the last year or two. I wasn't aware I had to give a detailed justification for what was supposed to be a passing comment on an opinion.

    You don't agree. Fair enough. But as I said, it isn't a subject I have any inclination to go into a detailed, or even brief, debate on. To be honest, not much is these days. My days of protracted, detailed discussions on pretty much anything are in the past. I did about 20 years of it but I think the final straw that broke that camel's back was the interminable Brexit debate which went round and round, over and over, and I many many (if any) changed their minds. I'm out of inclination, and my life has changed in a way that doesn't lend itself to that, anyway.
