Operating System:

Published:

23 April 2021

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0098
        Qlocker/eCh0raix ransomware attacks targeting QNAP products
                               23 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          QNAP NAS
Operating System: Network Appliance
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:       Patch/Upgrade

OVERVIEW

        Widespread attacks on QNAP products resulting in Qlocker and eCh0raix 
        ransomware infections are currently being reported by the media [1][2].
        The attacks are being carried out through exploitation of vulnerabilities
        allowing unauthenticated takeover of Internet-facing hosts.
         
        QNAP have published actions to take to secure QNAP NAS products in 
        response to these attacks [3].
        
        QNAP have identified two vulnerabilities related to the attacks:
        
          o "An SQL injection vulnerability has been reported to affect QNAP 
             NAS running Multimedia Console or the Media Streaming add-on." [4]
          o "A hard-coded credentials vulnerability has been reported to affect 
             QNAP NAS running HBS 3 Hybrid Backup Sync." [5]


IMPACT

        The vendor has provided the following information :
                
          o SQL injection vulnerability
            "If exploited, the vulnerability allows remote attackers to obtain 
             application information." [4]
                
          o Hard-coded credentials vulnerability
            "If exploited, the vulnerability allows remote attackers to log in 
             to a device with the hard-coded credentials." [5]


MITIGATION

        QNAP states:
        
          o SQL injection vulnerability
            "To fix the vulnerability, we recommend updating Multimedia Console 
             or the Media Streaming add-on to the latest version. Additionally 
             for devices running QTS 4.3.3 and QTS 4.3.6 updating QTS is highly 
             recommended." [4]
          o Hard-coded credentials vulnerability
            "To fix the vulnerability, we recommend updating HBS 3 Hybrid Backup 
             Sync to the latest version." [5]
        
        QNAP offer the following best practice regarding enhancing NAS security [6].


REFERENCES

        [1] If you have a QNAP NAS, stop what you're doing right now and
            install latest updates.
            https://www.theregister.com/2021/04/22/qnap_nas_ransomware_qlocker_ech0raix/

        [2] Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices
            https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/

        [3] Response to Qlocker Ransomware Attacks: Take Actions to Secure QNAP
            NAS
            https://www.qnap.com/en/news/2021/response-to-qlocker-ransomware-attacks-take-actions-to-secure-qnap-nas

        [4] SQL Injection Vulnerability in Multimedia Console and the Media
            Streaming Add-On
            https://www.qnap.com/en/security-advisory/qsa-21-11

        [5] Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync
            https://www.qnap.com/en/security-advisory/qsa-21-13

        [6] What is the best practice for enhancing NAS security?
            https://www.qnap.com/en/how-to/faq/article/what-is-the-best-practice-for-enhancing-nas-security

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYII5nONLKJtyKPYoAQi2PRAAn0KhIaqoYLW+yrAFL/Khg7c7DkLOlMCP
eX1U/zVqO6/YFETOX8/oPwULDjYaEq+L0AF+iV7XDOczg1WPGw9+rkHNxmxZBeXg
iUgvPusZFcRddQ4zAlDPTqowMTpCCx8O6czdcO9yTvNA4jOM5yTrWab1KkmGgmow
06kTKyRWB+n35ssxi/QBJzipdfWdgHT2bh0Ro33qkp78D1YhIyFja926B35x0AaW
S146HMsfjDCSsTl+FUXTNnuAq+iQ5PPtZhO5Gqm8bG1gMLu5TY6bxholqqaOQZBm
7SVx7mrlM6LUs6OM6vE1Civun5z4dnVyfuvEBX6HdaI8FmuVBe14iFl82Sr8DWVe
rw02o7NiULylBtTUsKNZx6vUdT7QT2khzNZ0hXeLPC6TymKhe9G01hzOXVIEIgUy
i2e8rgnlG4xhoi1RD5IIi73J0tsTiewF6Mik7IRuCPThiKJHV79a4Og8y7mKXCKW
LF35XinALEMpdjYbyqj3f7COpMv0Rj+WFVcgCmJKsjmTYHa+XwHMiO7AXeXk/S/I
UT4OsaplygOMtCNI4T9JTrVYAD5tCuptc0EnFGrSB3iub/cdz9GYgkFU9iDy5Zma
C7DTBZ2TdNKVb+S8G9Q02bCkZQ6z6JXKCNPu3KVdP3IFdk6rhiA/ul0BpBjgAyNF
0O9+9YlX7uo=
=Dxsb
-----END PGP SIGNATURE-----