Massive malware attack on QNAP

For those Roon users who use QNAP, please be aware there has been a widespread ransomware attack on their NAS.

BleepingComputer

2 Likes

You can’t post a message about malware and then include a link. No one in their right mind would click on that link.

5 Likes

Except me and 28 others, so far. You can see where the link goes (bleeping computer) by hovering on the link.

I noticed that my QNAP installed or updated and ran a malware remover this morning. It didn’t find anything and my files are intact. From the discussion at Bleeping Computer, it looks like many machines have been affected worldwide. I’m now headed to QNAP to see if there is more preventive action we should take.

Thank you dpstjp for the heads up.

1 Like

I’ll repost this from the QNAP forums thread:

  1. Disable UPnP on the router.
  2. Disable UPnP on the NAS.
  3. Do not port forward 8080/443 from the router to the NAS.
  4. Do not change ports 8080/443 to some other obscure port and forward those obscure ports accessible on the Internet - they will eventually be discovered.
  5. Disable/remove all QTS apps that are not being actively used.
  6. Enable the built-in IP Access Protection.

Use the NAS as a NAS and nothing more, unless you have the technical know-how and have the desire to tinker and accept the risks associated with tinkering.

3 Likes

Thank you!

1 Like

QNAP’s attitude to security is best described as ‘interesting’.

I find it lamentable that out of the box, their kit is horribly exposed to all kinds of threats and there isn’t even a configuration option to lock the stuff down at first setup.

The problem is two-fold:
One, the product is heavily marketed toward connecting to the internet - Multimedia consoles, QNAPCloud, publish this that and the other etc. They are clearly driven more by marketing than security.
Second, many of their customers are regular SOHO people like you and me, not hardcore security professionals who know what they are doing and have proper insight into the risks.

This isn’t the first time QNAP have been exposed like this with big consequences and they unfortunately have a history of sitting on CVEs, not patching in a timely fashion, giving poor advice when stuff like this does happen, and generally not giving a fig. :frowning:

1 Like

The culprit appears to be a programme that QNAP auto installed and for which access credentials were hard coded into the programme.

You didn’t even need to be running the application to be hit. My secondary machine was hit but for some reason none of the 7z files are password protected. My primary NAS was up-to-date and unaffected, so I can back up the primary to the secondary NAS with no data loss.

Not the first time this has happened for QNAP.

No it’s becoming a regular issue, and especially in other instances they have known about issues and not fixed them.

Steve Gibson was talking about them on his Security Now podcast a couple of weeks ago (that is the world I live in) and that was a different security problem, and he said with all the issues in the last few years he could not recommend anyone buy another QNAP, even for all their excellent features.

I can confirm - I have noted such cases recently.

What app?

Hybrid Backup Sync, presumably.

2 Likes

I am affected by the massive QNAP hack. I haven’t been able to find the Roon Core since 3 days ago. I thought it was an unstable software issue, so I rebooted the NAS several times, but it was still the same.

So I logged in to the NAS and checked whether Roon was running properly. It showed it is running, but I found that some of the files in the Roon Core folders had already been changed to .7z encrypted files.

The disaster is, my whole NAS, most songs, photos, MinimServer, etc… were encrypted… I just can’t open them without the password.

I recommend that people using QNAP check their folders, I am not kidding, and QNAP has no solution to decrypt, so sad…

Best, Tony

1 Like
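Following the advice in the post above to check your folders, here is an added example (not part of the original thread, and not QNAP's or Roon's code) that flags share directories where most files are genuine 7z archives modified recently. The function names, thresholds and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
import time
from collections import defaultdict

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # first six bytes of every 7z archive

def is_recent_7z(path, cutoff):
    """True if the file starts with the 7z signature and was modified after cutoff."""
    try:
        if os.path.getmtime(path) < cutoff:
            return False
        with open(path, "rb") as fh:
            return fh.read(6) == SEVENZ_MAGIC
    except OSError:
        return False

def scan_share(root, window_days=7, min_files=3, ratio=0.5, now=None):
    """Map each flagged directory to (recent_7z_files, total_files).
    Thresholds are assumptions for this example; tune them per library."""
    cutoff = (time.time() if now is None else now) - window_days * 86400
    stats = defaultdict(lambda: [0, 0])
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stats[dirpath][1] += 1
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".7z") and is_recent_7z(path, cutoff):
                stats[dirpath][0] += 1
    return {d: tuple(c) for d, c in stats.items()
            if c[1] >= min_files and c[0] / c[1] >= ratio}

def build_sample(root):
    """Constructed sample tree: one mass-archived folder, one normal one."""
    old = time.time() - 100 * 86400
    layout = {"music": ["a.flac.7z", "b.flac.7z", "c.flac.7z", "d.flac"],
              "photos": ["1.jpg", "2.jpg", "3.jpg", "old-backup.7z"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            path = os.path.join(root, folder, name)
            with open(path, "wb") as fh:
                fh.write(SEVENZ_MAGIC if name.endswith(".7z") else b"data")
            if folder == "photos":
                os.utime(path, (old, old))  # untouched for 100 days
    return root

if __name__ == "__main__":
    print(scan_share(build_sample(tempfile.mkdtemp())))
```

Run it against a mounted share from another machine rather than on the NAS itself, and treat a hit as a reason to inspect the folder, since a directory of legitimate recent archives will also match.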

Sorry to hear that.

This event is also a perfect illustration of why RAID is not backup.

4 Likes

Tony, very sorry to hear that. I hope you have a backup to recover from.

I hope the hacker will give the right password for the decrypt after the bitcoin is paid…
Anybody have experience …

For me, I don’t know how to buy bitcoin and pay… so it will be a new experience for me…

And I really need to get the files back, so many hours and money of music files ripped and purchased…and also the precious photos …

I am no expert but I believe they usually do.

Thanks for the reply. I never thought this situation would have me touching cryptocurrency; the world is full of the unexpected…!!! :joy:

Not saying you should pay but if you do make sure you lock your NAS down so it can’t get re-infected.

…and make sure that you have Backups of your NAS…