Search This Blog

Showing posts with label QNAP. Show all posts

Beware of eCh0raix Ransomware Attacks, QNAP Warns Customers

 

QNAP warned its users of an actively exploited Roon Server zero-day vulnerability and eCh0raix ransomware attacks that are targeting its Network Attached Storage (NAS). The Taiwanese vendor claimed that it has received reports of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

" The eCh0raix ransomware has been reported to affect QNAP NAS devices," the company said. Devices using weak passwords may be susceptible to attack. QNAP urged customers to "act immediately" to protect their data from potential eCh0raix attacks by: 

• Using stronger passwords for your administrator accounts. 

• Enabling IP Access Protection to protect accounts from brute force attacks. 

• Avoiding using default port numbers 443 and 8080. 

However, QNAP didn't mention how many reports it received from users directly affected by eCh0raix ransomware in the last weeks. QNAP also issued another security advisory to warn of an actively exploited zero-day vulnerability impacting Roon Labs’ Roon Server 2021-02-01 and earlier versions. 

“The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack: Roon Server 2021-02-01 and earlier. We have already notified Roon Labs of the issue and are thoroughly investigating the case. We will release security updates and provide further information as soon as possible,” reads the advisory.

QNAP also provided the necessary safety measures by which users can disable Roon Server on their NAS:

1. Log on to QTS as administrator and open the app Center and then click. A search box appears.

2. Type "Roon Server" and then press ENTER. Roon Server appears in the search results.

3. Click the arrow below the Roon Server icon. 

4.  Select Stop. The application is disabled.

Unfortunately, QNAP has been on the target list of threat actors for quite some time. QNAP devices were previously targeted by eCh0raix ransomware (also known as QNAPCrypt) in June 2019 and June 2020. 

A massive Qlocker ransomware campaign also hit QNAP devices starting mid-April, with the threat actors behind the attacks making $260,000 in just five days by remotely encrypting data using the 7zip archive program.

Ransomware Qlocker Encrypts QNAP Devices with 7Zip

 

A huge ransomware campaign seems to be underway to attack QNAP devices globally and customers can now locate their files in password-protected 7zip archives. The ransomware is known as Qlocker and on 19 April 2021, it was aimed at attacking QNAP computers. Ever since the help platform of bleeping computers has had enormous development, and the victims' requests have increased in ID-Ransomware. 

However, as per the victims in the Qlocker support department of Bleeping Computer, hackers use 7-zip to transfer files to password-protected archives on QNAP computers. During locking of the files, multiple 72 processes are displayed on the QNAP Resource Monitor, which can be executed on the 7zip command line. Once ransomware is completed, files of the QNAP computer will be saved in a password-protected 7-zip file with a.7z extension. Victims must enter the password identified by the perpetrator only to retrieve those archives. 

As soon as one has encrypted the QNAP devices, they then have a !!!READ ME.txt ransom note with a special client key to sign on to the Tor ransomware payment platform. All victims are expected to pay Bitcoins of roughly 0.01, which is around $557.74, from the Qlocker restitution notes shown to get a password for their archived data. After payment is made and an invalid Bitcoin Tax ID has been entered, a 7Zip archive password will be displayed on the Tor Payments website. This password is exclusive to the victim that cannot be used on computers of all the other victims. 

On April 22, a security investigator, Jack Cable, announced a bug found in the Qlocker Tor platform that allows users to freely retrieve their 7zip passwords. This bug could allow victims to obtain a Bitcoin transaction ID from someone who has previously paid but changed it slightly. When the modified transaction ID was sent to the Qlocker Tor site, the payment was acknowledged, and the victim's password was displayed. 

Jack Cable also helped victims secretly recover their passwords and Emsisoft arranged to build a support system to further exploit this vulnerability. Unfortunately, the ransomware developers took it and patched it an hour after they heard of the error. There is no way to download files without a password that is not available for free anymore at this stage.

QNAP has lately solved critical vulnerabilities which enable a mobile player to access a device completely and to run ransomware. 

The following descriptions were found for these two vulnerabilities by QNAP on 16 April: 
CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero
CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On 

"QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices," QNAP stated in a security advisory.

Beware of Ongoing Brute-Force Attacks Against NAS Devices, QNAP Warns

 

Taiwanese firm, QNAP has warned its clients of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urged to strengthen their devices’ security by changing their passwords and default access port number, and disabling the admin account.

The company warned its customers by stating, “recently QNAP has received multiple user reports of hackers attempting to log into QNAP devices using brute-force attacks – where hackers would try every possible password combination of a QNAP device user account. If a simple, weak, or predictable password is used (such as ‘password’ or ‘12345’) hackers can easily gain access to the device, breaching security, privacy, and confidentiality. ”

If threat actor manages to guess the right password then they are able to secure full access of the targeted device, allowing them to exfiltrate confidential documents or install malware. If the hackers are unable to brute-force their way in, the NAS devices’ system logs will mark the attempts and log them with ‘Failed to login’ warning texts.

To protect their devices from ongoing attacks, customers have to enhance NAS security by changing the default access port number, implementing password rotation policies, and disabling the default admin account. Additionally, since the attack is only viable on Internet-facing NAS devices, QNAP recommends customers don’t display their devices on public networks.

Firstly, customers have to create a new system administrator account before disabling the admin account. If the administrator account on QNAP NAS devices is running on QTS 4.1.2 then the following steps will disable the default admin account:

• Go to Control Panel > Users and edit the ‘admin’ account profile.
 
• Tick the ‘Disable this account’ option and select ‘OK’.

Additionally, customers can also configure the NAS device to automatically block IP addresses behind several numbers of troubled login attempts. QNAP has also published a checklist to secure their customers’ device and protect their data:

• Remove unknown or suspicious accounts from the device 

• Download QNAP MalwareRemover application through the App Center functionality 

• Change all passwords for all accounts on the device
 
• Set an access control list for the device (Control Panel > Security > Security level)