===========================================================================
AUSCERT Security Bulletin

ASB-2021.0098
Qlocker/eCh0raix ransomware attacks targeting QNAP products
23 April 2021
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           QNAP NAS
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

OVERVIEW

Widespread attacks on QNAP products resulting in Qlocker and eCh0raix
ransomware infections are currently being reported by the media [1][2].

The attacks are being carried out through exploitation of vulnerabilities
allowing unauthenticated takeover of Internet-facing hosts.

QNAP have published actions to take to secure QNAP NAS products in
response to these attacks [3].

QNAP have identified two vulnerabilities related to the attacks:

 o "An SQL injection vulnerability has been reported to affect QNAP NAS
   running Multimedia Console or the Media Streaming add-on." [4]

 o "A hard-coded credentials vulnerability has been reported to affect
   QNAP NAS running HBS 3 Hybrid Backup Sync." [5]

IMPACT

The vendor has provided the following information:

 o SQL injection vulnerability
   "If exploited, the vulnerability allows remote attackers to obtain
   application information." [4]

 o Hard-coded credentials vulnerability
   "If exploited, the vulnerability allows remote attackers to log in to
   a device with the hard-coded credentials." [5]

MITIGATION

QNAP states:

 o SQL injection vulnerability
   "To fix the vulnerability, we recommend updating Multimedia Console or
   the Media Streaming add-on to the latest version. Additionally for
   devices running QTS 4.3.3 and QTS 4.3.6 updating QTS is highly
   recommended." [4]

 o Hard-coded credentials vulnerability
   "To fix the vulnerability, we recommend updating HBS 3 Hybrid Backup
   Sync to the latest version." [5]

QNAP offer the following best practice regarding enhancing NAS
security [6].

REFERENCES

[1] If you have a QNAP NAS, stop what you're doing right now and install
    latest updates.
    https://www.theregister.com/2021/04/22/qnap_nas_ransomware_qlocker_ech0raix/

[2] Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices
    https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/

[3] Response to Qlocker Ransomware Attacks: Take Actions to Secure QNAP
    NAS
    https://www.qnap.com/en/news/2021/response-to-qlocker-ransomware-attacks-take-actions-to-secure-qnap-nas

[4] SQL Injection Vulnerability in Multimedia Console and the Media
    Streaming Add-On
    https://www.qnap.com/en/security-advisory/qsa-21-11

[5] Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync
    https://www.qnap.com/en/security-advisory/qsa-21-13

[6] What is the best practice for enhancing NAS security?
    https://www.qnap.com/en/how-to/faq/article/what-is-the-best-practice-for-enhancing-nas-security

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================