QNAP NAS Hacked

[dosborne]

Photorec is a tool to recover deleted files. If that's indeed what QNAP is suggesting to restore files, please be aware that any write to your NAS reduces your chances of recovering files (because deleted files might get overwritten).

QNAPs approach here is to copy the encrypted files to an external USB drive, then perform the decryption on a windows PC on the COPIED data files. Unfortunately, I've heard, it almost completely removes your folder structure.

 

[dosborne]

In any case, you should TAKE A BACKUP OF ALL YOUR DATA IMMEDIATELY. It may be useful to your recovery down the road, as well as helping preserve any files that may not actually have been encrypted (yet). You will of course need to plan against this sort of attack for the future so a long term backup plan/strategy is also required.

 

[XIII]

QNAPs approach here is to copy the encrypted files to an external USB drive, then perform the decryption on a windows PC on the COPIED data files. Unfortunately, I've heard, it almost completely removes your folder structure.

So they have the encryption key / password?

Then I still don’t understand what role Photorec has in the process.

 

[SSri]

In my view, PhotoRec is just a recovery program to peep into lost / deleted files. It, however, provides a complete control over the recovery process.

• One needs to provide the file system, file type, what you want to recover, recovery method (brute force, which is useful for fragmented files, expert mode,…), target drive.
• It works mainly through a search feature
• Recovery is time-consuming especially if one selects the brute force method
• It provides a new file structure — recup_dir.1, recup_dir.2 and so on.
• Thumbnails, if found inside the pictures, are saved as t*.jpg
• The recovered files are very hard to sort. I believe some open source python scripts are available to simplify sorting
• Running AV and malware tools are strongly recommended before opening the recovered files.

It’s an extremely hard work, the larger the size, the more complex it will become. IMO, this is a great tool but it will be a long road to return to the pre-encryption state.

In summary, these unfortunate incidences underscore the importance of at least a couple of backups.

 

[OzarkEdge]

The QNAP Malware Remover application (which must be downloaded, installed and run) will be successful in removing the effects of the ransomware BUT it is actually CRUCIAL so save the text file (for QLocker) or index.htm and encryptor for Deadbolt so that if your only option is to pay the ransom, you will need those to obtain the correct Bitcoin address. Save the files and/or take a screenshot or the ransom notes as a backup.

So far, the attack *seems* to come through a vulnerability on an admin port so stopping the current run of the attack by shutting down and restarting, running the malware remover or killing the process manually via ssh to do trigger a restart. However, leaving the NAS vulnerable through port forwarding, DMZ or UPnP would leave you susceptible should " they" trigger it again remotely.

Without knowing the local network, I would be concerned that malware could be anywhere/everywhere on it.

OE

 

[dosborne]

Without knowing the local network, I would be concerned that malware could be anywhere/everywhere on it.

OE

Concerned, yes, but there is no evidence to that effect with the current attack vectors. This applies to just about any network with any device. Your Windows PC is just as likely to contain hidden malware and should be a concern. Many people run many systems and IoT devices that haven't received a security update in years or decades.

 

[follower]

To begin with you wil have to excuse me as I am a total idiot whe it comes to computers etc which I guess is why I am in the pickle I am.

I have about 2000 cd's (and counting) that I painstakingly burned onto iTunes over a period of months, putting it on a single external hard drive. Unfortunately, after a couple of years that went wrong and I lost it all, so I bought a QNAP 2 Bay NAS went through the process all over again and in my naievety, thought that having two bays meant one would automatically back up to the other without me having to do anything (see what I mean when I say I'm an idiot). Anyway, all has been fine for several years and I still add newly bought CD's and burn onto my iTunes on my NAS.

However, a few weeks ago I noticed random tracks were missing and discovered they had been turned into 7Z format and found a read me file saying they had been encrypted and if I wanted to get them back to pay over a ransom in bitcoin. QNAP confirmed I had been hacked and proceeded to give me some instructions to recover my music files using something called photorec. I have also been told this happened because my NAS was/is connected to the internet and that it shouldn't be.

I have needed to buy another external hard drive with a large enough memory to connect to my NAS that I could transfer the rescued files onto. So, I have bought an 8TB WD MyBook which will be arriving any day soon.

When asking about this, people have mentioned stuff such as UPnP and turning that off. Port forwarding which means nothing to me and to disconnect my NAS from the intenernet and only connect it to my local/home network.

So, here are the daft questions… My NAS is connected directly to my BT home Hub router by a cable. Going into the router it shows it has a static IP address. In configuration I have UPnP turned off, yet in the firewall port forwarding section it shows UPnP ticked and if I click on the red cross, it asks if I want to remove the rules. Plus, being as thick as I am, I don’t understand why there are so many lines for my Nas showing (see picture below).

View attachment 39654

So, is my NAS connected to the internet or not? if it is, how do I disconnect it and have it only connected to my local (home) network? My laptop connected to the internet where I burn all my newly aquired CD's onto iTunes does say Private Network.

And of course, If I am lucky enough to retrieve my music files or not and I have to burn all my CD's again, how do I prevent this from happening again?

Sorry for this being so long winded and any help would be very much appreciated.

I'm sorry to hear that. There is almost nothing you can do with your NAS unless you use a Dedicated Hardware Firewall. Those security options don't help you actually. The best option is disconnect your NAS from the internet. A Dedicated Hardware Firewall is not 100% perfect though. But it's better than not using a Dedicated Hardware Firewall.

 

[dosborne]

I'm sorry to hear that. There is almost nothing you can do with your NAS unless you use a Dedicated Hardware Firewall. Those security options don't help you actually. The best option is disconnect your NAS from the internet. A Dedicated Hardware Firewall is not 100% perfect though. But it's better than not using a Dedicated Hardware Firewall.

I'm not sure repeating it makes it actually valid

I've been running multiple NAS for 15 years on my home network with nothing more than a commercial router and have not had any security breaches of any kind (knocking on wood).

 

[follower]

I'm not sure repeating it makes it actually valid

I've been running multiple NAS for 15 years on my home network with nothing more than a commercial router and have not had any security breaches of any kind (knocking on wood).

It doesn't mean other users are ok. Your logic is just for you. You know what? Your logic is just like this.
"I've been using this one without any problem. So this device has no problem"
You don't even know yours or someone's device is infected by malware like Crypto mining malware. Strong password, security options is nothing with Vulnerability Attack. I've seen so many infected NAS for home and business user's. Also there are a lot of unknown Vulnerabilities that are traded.

For media | F‑Secure

www.f-secure.com

Qnap : Products and vulnerabilities

Qnap: List of all products, security vulnerabilities of products, cvss score reports, detailed graphical reports, vulnerabilities by years and metasploit modules related to products of this vendor.

www.cvedetails.com

Synology : Products and vulnerabilities

Synology: List of all products, security vulnerabilities of products, cvss score reports, detailed graphical reports, vulnerabilities by years and metasploit modules related to products of this vendor.

www.cvedetails.com

 

[SSri]

Keeping the system up to date, disabling UPnP, disabling remote access, Strong Password, a good firewall (ex: PfSense, untangled) and Vlan should be a very good set up and minimise the threat. I also think NAS should be remain on the LAN and should be denied internet access.

 

[dosborne]

It doesn't mean other users are ok. Your logic is just for you. You know what? Your logic is just like this.
"I've been using this one without any problem. So this device has no problem"
You don't even know yours or someone's device is infected by malware like Crypto mining malware. Strong password, security options is nothing with Vulnerability Attack. I've seen so many infected NAS for home and business user's. Also there are a lot of unknown Vulnerabilities that are traded.

Wow, you went way off track

My comment was simple. You were stating that a "dedicated hardware firewall" was essentially the only solution. I was simply pointing out that almost any reasonable firewall such as one built into a router, was perfectly acceptable. That's all. I was objecting to "dedicated" and "hardware".

There are a million other security options, vulnerabilities and settings to be considered.

 

[SSri]

@Pompeyexile We haven’t heard from you. How are you getting along?

 

[follower]

@Pompeyexile We haven’t heard from you. How are you getting along?

He has only two choices.
1. Keeping the HDD until a new ransomware recovery tool comes out.
2. Format.

 

[follower]

Wow, you went way off track

My comment was simple. You were stating that a "dedicated hardware firewall" was essentially the only solution. I was simply pointing out that almost any reasonable firewall such as one built into a router, was perfectly acceptable. That's all. I was objecting to "dedicated" and "hardware".

There are a million other security options, vulnerabilities and settings to be considered.

Dedicated firewalls and built-in firewalls for home and small business can't prevent all of attacks. As I said, it's not 100% perfect. Important data storages should be disconnected from internet physically. I've seen a lot of companies got infected by ransomwares even if they use Dedicated Hardware Firewalls. Most of them usually pay for the money. This is the real world. Most of companies don't care until they get infected. They never ever invest the money for the Security.

 

[SSri]

He has only two choices.
1. Keeping the HDD until a new ransomware recovery tool comes out.
2. Format.

I am not very enthusiastic about the PhotoRec. Let’s hope the OP has made progress.

I do think a clean start, which is unfortunate, is the only way forward, keeping the NAS off the net.

 

[Pompeyexile]

After posting here the WD 8TB external drive arrived the same day and so I proceeded to apply the QNAP advice regarding photorec. After several days of it all running it ended up being a waste of time. It recovered very few random tracks and when I reported that back to QNAP the response was 'sorry it didn't work there is nothing else we can do'.

So, I will start from scratch. I will get my 2000 CD's down from the loft bit by bit and rip them all again. Obviously I will first completely clean/delete/re-format whatever you call it my two drives in my NAS and the new external drive. I know if I plug an ethernet cable directly into my NAS I can set it up from scratch without having to go anywhere near the internet.

Please forgive me, but now here is my daft question... Obviously I cannot keep the cable connected from my laptop to my NAS as for a start my laptop and NAS are not even in the same room. So, once I set up the NAS again and unlpug the ethernet cable from the NAS, how do I then connect to it to access it or continue on ripping my CD's onto the iTunes stored on it? Also, will my Sonos still be able to connect to it? At the moment I go onto the Sonos app on my phone and connect to my music on my NAS that way. When I rip a new CD onto my iTunes too, I just tell Sonos to update my music library and it goes to the place on my NAS where the music (iTunes) is stored and updates. How will this happen if the NAS is not connected to the internet? I understand if the NAS is not connected to the internet I can download any updates for the NAS onto my PC and then load them onto the NAS if I am connect to it via a cable, but again how can I do this if the cable is not connected or would this have to be plugged in every time I have an update?

Sorry, but I really do not understand how this all works. I wondering maybe I'd be better off paying someone to set this up for me?

 

[dosborne]

Dedicated firewalls and built-in firewalls for home and small business can't prevent all of attacks. As I said, it's not 100% perfect. Important data storages should be disconnected from internet physically. I've seen a lot of companies got infected by ransomwares even if they use Dedicated Hardware Firewalls. Most of them usually pay for the money. This is the real world. Most of companies don't care until they get infected. They never ever invest the money for the Security.

Again, I was NEVER pushing firewalls. You seem to be missing my point completely. I never said a firewall prevented anything.
Let me try again. YOU said a "dedicated hardware firewall" was essential. I said that a firewall, dedicated or part or another device, was just as valid. A hardware or software (aren't all firewalls really just software anyway?) provided similar protection. I NEVER stated anything along the lines of this being the only protection, nor did I state it was actually useful in any way.

Not sure why you keep going on about it. If you are looking for some sort of fight, you will have to go elesewhere.

 

[dosborne]

Sorry, but I really do not understand how this all works. I wondering maybe I'd be better off paying someone to set this up for me?

Sorry to hear you didn't get much back. It wasn't really likely that you would however.

As for setting all this up, there really isn't very much risk moving forward. At least nothing that you can't be prepared for.

You *CAN* use your NAS the same way as you did before **IF** you take a few simple steps:
Do the first 2 steps BEFORE turning on your NAS
Router - Disable UPnP in your router
Router - Disable DMZ or any forwarded ports from your router to your NAS

NAS - Disable UPnP in your NAS
NAS - Disable MyCloud and DDNS services in your NAS
NAS - Disable 3rd party logins from HBS3 if you use it.
NAS - Install the latest firmware that protects against QLocker and Deadbolt

MOST IMPORTANTLY though, you now have a drive that you can use as a backup. As you rip your music and repopulate the data on your NAS, come up with an appropriate backup strategy.

Keep the firmware up to date (although I recommend the latest 4.5.4 firmware, not the 5.0.0 firmware), only install the apps you NEED, disable and remove everything else. You should also consider setting up the "Malware Remover" application and set a schedule. It won't protect you from everything, and may actually make recovery a bit harder in some cases if you are hit, but does add some value if it can stop the progress of the ransomware attack.

 

[dosborne]

Keeping the system up to date, disabling UPnP, disabling remote access, Strong Password, a good firewall (ex: PfSense, untangled) and Vlan should be a very good set up and minimise the threat. I also think NAS should be remain on the LAN and should be denied internet access.

In the case of QLocker and Deadbolt ransomware on QNAP and now Asustore NAS boxes, 2FA, strong passwords, VLANs, firewalls, etc are no defense as they exploited vulnerabilities in the operating system bypassing all those protections. I am not saying that you shouldn't use those things, but in this particular attack they would offer no protection and would not minimize the threat.

I agree in principal about limiting internet access, but it needs to be made clear what that means. Disabling UPnP on your router and NAS may not be something people think of, or even know exists. They aren't necessary "plugging in" to the internet as you have to connect to your LAN (or at least your router) for local or remote access.

Although I personally dont use the option, getting firmware updates is another example where many people simply click on "update" so internet access is required. I prefer to disable the automatic checks for updates and perform them manually.

Typically, many users want remote access and in fact bought their NAS specifically for that following the advertising from the manufacturer to get a "personal cloud" etc. Again, this is extremely dangerous and the "proper" solution is to use a VPN (on the router, not the NAS) to remotely connect and access your "cloud" that way.

 

[dosborne]

Sorry, but I really do not understand how this all works. I wondering maybe I'd be better off paying someone to set this up for me?

There are many problems with paying someone to do this for you. You will not understand how it is setup and how it works. If you need to change something, you are reliant on someone else.

Following a few basic steps and learning a really small subset of things with some help from people on the various forums will go a long way to helping you. Take your time, one thing after another and you will get there.

You have been successful in learning a few things already obviously, like updating the firmware in your NAS so you are on the right track. Just a few more things, mostly configuration settings, and you will be fine.

Although this is a great place for router related issues, I strongly recommend that you also signup on the QNAP user forum as there are literally thousands of people that can help you with specific issues around the QNAP NAS. https://forum.qnap.com/