QNAP Qlocker Ransomware


RMerlin

Asuswrt-Merlin dev
A ransomware has been infecting QNAP NASes this week. I've personally had to deal with two of my customers who got affected, and tomorrow I'll have to contact all my other customers with QNAP products to ensure they are secure.


Make sure you update your firmware, as well as Hybrid Backup:


I can cut some slack for software bugs, as these happen. Hardcoded credentials, however, are a sin.

This isn't the first time I have to personally handle ransomware and malware that specifically targeted QNAP NAS. I might seriously have to consider moving to Synology for my future customer needs, as they don't seem to get affected as easily, and they don't require people to install nearly bi-weekly firmware updates like QNAP does. There IS such a thing as "update fatigue", where if you have too frequent updates, at some point your customers will say "yeah, whatever, I don't have the time right now to update".
 
I totally agree, I have 2 NASes and both with auto update of apps and firmware. I have like 1 firmware update per week, and weekly security updates for apps.
It interrupts me all the time and also worries me about how secure my data is (although I have separate backups).
Next upgrade I'll go for Synology unless research suggests otherwise.
QNAP has great products, but security.....
 
Auto updates might be an option at home (assuming you can schedule it in the night), but not in the business space. Some of my customers have 24/7 employees, and employees don't always close down all their documents before leaving for the day. And you don't want to have everyone come into the office at 9am to find the NAS crashed due to a failed update, or some update requires reconfiguration (I've seen backup jobs disappearing after an update in the past).

And requiring a complete reboot for the majority of updates is also an issue. QTS has become the Windows of Linux platforms, where the software is very monolithic, with only a few components moved to separate applications that can be updated without requiring a reboot. They should look at something more similar to cPanel as an example of a Linux-based product where updates can be done without downtime, except for the usual kernel/glibc/etc... updates.
 
No, of course... in a business space I have to plan it, schedule a maintenance window, get approvals, etc. It's insane having updates every week... even if we have redundancy for everything
 
Having used QNAP for a number of years, I would not enable auto update. I like the product in general, but the number of really bad updates is too high. I carefully evaluate each update and give it a few weeks of reviews before updating (and I've skipped quite a few). I disagree with the "weekly" statement, at best monthly for releases, and in fact look at a frequent release cycle as a GOOD thing in general, although with QNAP it is usually to add a "feature" few people want as opposed to bug fixes.

Funny, I had avoided the majority of extraneous options until last month when I thought I'd give the hybrid backup a try. LoL. I guess I'll go back to my old method. Fortunately I guess, my main data is on another brand NAS (not internet facing) and the QNAP is a backup with only the HBS open.
 
Also, sadly reading about the various vulnerabilities, although not configured in my case, there is no way to "stop" the multimedia console app (at least in the GUI). Most of the built-in apps can be stopped or even removed, but not MMC. This has bothered me for a while as I like to run as minimalistic as I can and try to completely remove features I don't use. Potential vulnerability is just another reason to be able to stop unused services.
 
and in fact look at a frequent release cycle as a GOOD thing in general,
If you need such frequent releases, then your QA is garbage, or you are doing a very bad job at prioritizing fixes.
 
I agree with you to some extent, but I'd rather pick through available updates and do my own research on their viability than have nothing to pick through at all.

I am in no way saying QNAP releases are good quality, nor that their release cycle is appropriate, but in general, a company that issues updates is better than one that drops a product the day after it reaches its quota of sales.

In a perfect world, I'd prefer the old "patch" model where you could take security fixes for example, and not feature updates that you didn't care about. Obviously, the all-in-one approach is simpler from a support perspective but there are too many companies that use production clients as unknowing beta testers. QA is not what it used to be, and I've been in software product management for 30 years so I've seen it all.
 
Ok, this morning my QNAP detected it... and I'm always up to date on Firmware & Apps... so I'm really worried how this malware got in...
I ran a second scan with malware remover from QNAP and with an A.V. from my computer. Hopefully my files were not encrypted....

It got detected as MR2102: "Removed vulnerable files or folders. MalwareID: MR2102"
It does not give you any detail about what was removed, or any additional information.

Update I: Apparently after some research it's a false positive, because what malware remover did was
"renaming 7z to 7z.orig, then placing a presumably safer/filtering 7z there. (But the 7z.orig still works, and it wouldn't take much for the hackers to change to using it instead of 7z.)
It also moves the 7z.log to a safe place, where you can look at it (to perhaps recover the unzip password if you've been hacked)."

So the scary MR2102 message this morning was a side-effect of its renaming 7z.

Reddit is a great help... bad from QNAP not providing any information....

Update II: Response from QNAP support after claiming no detail about what that log means

Code:
This is a notification that informs the removal of vulnerable old HBS files.
No files of your files should have been removed.
Nothing to worry about.

Update III: They have just released a new firmware 4.5.3.xxxx fixing some other vulnerabilities...
 
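A defender-side sketch of the "renamed 7z plus logging wrapper" mechanism described in the post above, as an added example that is not code from the thread, from QNAP or from its Malware Remover; the real-binary location, the log path and the log format are assumptions:

```shell
#!/bin/sh
# Added example (not the thread's or QNAP's code): a logging wrapper installed in
# place of 7z, with the real binary renamed to 7z.orig as the post describes.
# It records every invocation to a root-only log, so that an operator can see
# which archives were created with which password, and it tags the calls that
# look like bulk password-protected archiving. Paths below are assumptions.

REAL_7Z="${REAL_7Z:-/usr/local/sbin/7z.orig}"   # assumed location of the real binary
WRAP_LOG="${WRAP_LOG:-/var/log/7z-wrapper.log}"  # assumed log path; keep it mode 0600

# Return 0 when the call adds to or updates an archive AND sets a password
# (any -p switch), which is the pattern worth alerting on; 1 otherwise.
flags_password_archive() {
    op="$1"
    has_pw=1
    for a in "$@"; do
        case "$a" in -p*) has_pw=0 ;; esac
    done
    case "$op" in
        a|u) return "$has_pw" ;;
    esac
    return 1
}

# Build the log line for one invocation. The full argument list, password
# switch included, is kept on purpose: it is what lets a victim recover the
# archive password afterwards, hence the restrictive log permissions.
log_line() {
    tag="ok"
    flags_password_archive "$@" && tag="PASSWORD-ARCHIVE"
    printf '%s pid=%s uid=%s %s args:' "$(date '+%Y-%m-%dT%H:%M:%S')" "$$" "$(id -u)" "$tag"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# Dispatch only when actually installed under the name 7z; sourcing this file
# (for example from a test) just defines the functions above.
if [ "$(basename "$0")" = "7z" ]; then
    umask 077
    log_line "$@" >>"$WRAP_LOG"
    exec "$REAL_7Z" "$@"
fi
```

Extraction and listing calls are logged but not tagged, so the tagged lines are the ones worth feeding into whatever alerting the NAS already has.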