QNAP NAS file locker ransomware, patch now

I know there are a few out there on here, get your patches.

It is a file-scrambling ransomware.

Advice from QNAP

  • Install the latest software updates for the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps on their QNAP NAS gear to close off vulnerabilities that can be exploited by ransomware to infect devices.
  • Install the latest Malware Remover tool from QNAP, and run a malware scan. The manufacturer said it has “released an updated version of Malware Remover for operating systems such as QTS and QuTS hero to address the ransomware attack.”
  • Change the network port of the web-based user interface away from the default of 8080, presumably to mitigate future attacks. We’ll assume for now that vulnerable devices are being found and attacked by miscreants scanning the internet for public-facing QNAP products – we’ve asked the manufacturer to comment on this.
  • Make sure they use strong, unique passwords that can’t easily be brute-forced or guessed.
  • If possible, follow the 3-2-1 rule on backups: have at least three good recent copies of your documents stored on at least two types of media, at least one of which is off-site. That means if your files are scrambled, you have a good chance of restoring them from a backup untouched by the malware, thus avoiding having to cough up the demand, if you make sure the software nasty can’t alter said backups.

If user data is encrypted or being encrypted, the NAS must not be shut down. Users should run a malware scan with the latest Malware Remover version immediately, and then contact QNAP Technical Support at service.qnap.com.


Does this fix the other one?

Yes, this is the same one. I did check the recent posts but did not go back more than a few hours; I thought it was newer than that.


Can’t say I’ve ever met another human that’s used a TerraStation, but those have an active exploit that needs patching as well. TerraMaster NAS Vulnerability Found Over UPnP | StorageReview.com


We had a guy point out something similar-


UPnP was the first thing I thought of with these QNAP boxes also. There’s probably a significant number of those behind routers with UPnP enabled where the owners don’t even know they’re vulnerable.

I know most people here are probably not exposing their NAS to the internet, but some people are still using cloud-based functionality on their boxes. Please stop. This goes for all NASes btw, not just QNAP.

I block all internet access to my NAS on my OPNsense router (unblocking when I need to update, etc.).


Well, this certainly isn’t helping things. A lot of people are jumping to conclusions though.

Neither does this.
