QNAP has urged its customers to install and run its latest firmware and malware removal tools on their NAS boxes amid a surge in ransomware infections.
Two file-scrambling nasties, Qlocker and eCh0raix, are said to be tearing through vulnerable QNAP storage equipment, encrypting data and demanding ransoms to restore the information.
In response, QNAP said on Thursday users should do the following to avoid falling victim:
- Install the latest software updates for the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps on their QNAP NAS gear to close off vulnerabilities that can be exploited by ransomware to infect devices.
- Install the latest Malware Remover tool from QNAP, and run a malware scan. The manufacturer said it has "released an updated version of Malware Remover for operating systems such as QTS and QuTS hero to address the ransomware attack."
- Change the network port of the web-based user interface away from the default of 8080, presumably to mitigate future attacks. We'll assume for now that vulnerable devices are being found and attacked by miscreants scanning the internet for public-facing QNAP products – we've asked the manufacturer to comment on this.
- Make sure they use strong, unique passwords that can't easily be brute-forced or guessed.
- If possible, follow the 3-2-1 rule on backups: have at least three good recent copies of your documents stored on at least two types of media, at least one of which is off-site. That means if your files are scrambled, you have a good chance of restoring them from a backup untouched by the malware, thus avoiding having to cough up the demand, if you make sure the software nasty can't alter said backups.
QNAP also warned:
If user data is encrypted or being encrypted, the NAS must not be shut down. Users should run a malware scan with the latest Malware Remover version immediately, and then contact QNAP Technical Support at service.qnap.com.
How exactly is the ransomware getting onto people's network-attached storage systems? Well, look no further than these three critical vulnerabilities that QNAP patched this month, the first two highlighted today in its warning to customers:
- CVE-2020-36195 aka QSA-21-11: An SQL injection flaw in the Multimedia Console and the Media Streaming add-on that can be exploited to ultimately gain control of the box. This was patched on April 16, just days before the latest ransomware outbreak kicked off.
- CVE-2021-28799 aka QSA-21-13: Hard-coded login credentials were found and removed in HBS 3 Hybrid Backup Sync. If you know these creds, you can gain control of the device via this backdoor access. Though its advisory suggests the bug was fixed today, it was actually patched in version 16.0.0415 released on April 16.
- CVE-2020-2509 aka QSA-21-05: A command-injection vulnerability in QTS and QuTS hero that can be exploited to seize control of a box. This was also patched on April 16.
Plus don't forget all the previous holes in QNAP's products.
The Qlocker plague this month, described as "massive" by the malware trackers at Bleeping Computer, leaves victims with their files moved into encrypted and password-protected 7zip archives and a note demanding 0.01 Bitcoins for the necessary passphrases to unlock the data.
It's interesting to note that 21-year-old Stanford student and infosec researcher Jack Cable found a flaw in the extortionware's backend that could be used to decrypt Qlocker-scrambled data, and via Twitter discreetly helped victims restore their files until the malware's masterminds caught wind and fixed the issue, CyberScoop reported.
A spokesperson for QNAP was not immediately available for further information and comment. ®