Geekzone: technology news, blogs, forums
QNAP and Asustor NAS vulnerabilities
freitasm (BDFL - Memuneh, 73719 posts, Administrator)
#293936 22-Feb-2022 22:05
From CERT NZ today (QNAP and Asustor NAS vulnerabilities exploited to deploy ransomware | CERT NZ):

Vulnerabilities in QNAP and Asustor Network Attached Storage (NAS) devices are being actively exploited to deploy ransomware. The encrypted files have a ‘.deadbolt’ extension.

QNAP has released updates for the affected software. CERT NZ advises all organisations with QNAP NAS devices to update and then apply all other software updates.

Both QNAP and Asustor NAS devices are being actively targeted by attackers intending to deploy ransomware.

QNAP NAS devices that are internet exposed and running QTS and QuTS operating systems, or add-ons with the following versions are affected:

  • QTS 5.0.0.1891 build 20211221 and later
  • QTS 4.5.4.1892 build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTS hero h4.5.4.1892 build 20211223 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later

Asustor devices that are internet exposed and running ADM operating systems including, but not limited to, the following models:

AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, AS1104T

If you have not been breached and still need to have the NAS running, make sure the following has been done:

  • For Asustor devices disable EZ-Connect (service for remote access).
  • Disable SSH.
  • Ensure that the device is not exposed to the internet, particularly the web interface or file shares.
  • If the device is clear of ransomware, update the operating system and all installed add-ons.

If in doubt, contact your local technical support for further advice.

If you have been compromised with ransomware, do not update your NAS device until it is clean of ransomware.

mdav056 (533 posts, Subscriber)
#2875139 25-Feb-2022 22:16
Had an email from ASUSTOR a couple of days ago about this, just got around to dealing with it, but too late :( 0.03 bitcoin.

AS1002T V2.

Anyone else got it? I've contacted ASUSTOR and await developments. Anyone heard from them yet?

gml

JimmyH (2729 posts)
#2875204 26-Feb-2022 10:00
I don't think so. I have two Asustor NASes (608T and 6510T). As soon as I saw coverage that this attack was a thing, I powered them both down. And they will stay powered down until there is a tested fix available. I have backups, but they are spread over a range of hard drives and optical disks and go back 10+ years. There's no way I want to be recovering 40+ TB that way unless there is no alternative whatsoever.

I have been playing around with my router settings to see if I can do something to reduce the risk. Some routers (e.g., the BT models in the UK) appear to have a nice setting where the admin can select a device and enable a check box to deny it internet access of any type, while still having it work normally on the local network. Sadly mine (Spark Smart Modem) doesn't appear to have an equivalent setting - at least as far as I can determine?

Memo to self: buy some large capacity external disks and re-do backups!

mdav056 (533 posts, Subscriber)
#2875212 26-Feb-2022 10:08
27 pages of mostly useless stuff here: ASUSTOR Community Forum • View topic - Deadbolt ransomware

Actually, I was slow in doing anything when I got the email from ASUSTOR because I rather doubted its legitimacy; it looked rather like the sort of email I shouldn't open...

gml

Stu (Hammered, 6396 posts, Moderator)
#2875215 26-Feb-2022 10:15
My AS6604T is usually sleeping. It's not open to outside access anyway, at the moment.

I woke it up with the ethernet cable disconnected, and then just connected the laptop directly to the NAS to check everything was off and change ports. It's sleeping again until I can get around to looking into it further.

I did read a suggestion that Plex server may have been a vector, but not confirmed.

1101 (3005 posts)
#2876111 28-Feb-2022 09:52
I've had to deal with several Asustor NASs on different sites.

Some unaffected, others got hit & all data encrypted.
Luckily, all had backups running daily & backups were unaffected.

Asustor has released patched BIOS.

The question has to be asked, if hackers could so easily find security holes, WHY DIDN'T ASUSTOR FIND & PATCH THESE SECURITY ISSUES?
Another instance of release hardware, then forget & move onto the next hardware release.

Talk is cheap:
"In response to the increasing amounts of different types of ransomware. ASUSTOR has committed to an internal review of policies and will increase efforts to monitor and eliminate potential hazards. ASUSTOR remains committed to strengthening network security while continuing to provide solutions that make protection of data and proper backups easy."

Tinkerisk (1740 posts)
#2876204 28-Feb-2022 12:30
My QNAP is a pure NAS for backups only, linked via a heavily secured 10GbE storage bus. It wakes on a schedule, initiates back-ups, goes back to sleep and has no further gizmo services. A possible attack has to pass >5 external and internal instances to make it to the final data - including a physical gap offline. I'd never say it's not possible, but not too easy. ;-)

mdav056 (533 posts, Subscriber)
#2879510 5-Mar-2022 21:16
I decided to deal to my 1002T V2 today, reconnected the drive, and as I thought, thousands of my files had the .deadbolt modification. BUT I discovered that these changed files were copies of the original files rather than changes to the original files -- all the originals were still there and openable! So after updating ADM, I simply did a DOS Del /S X:\*.deadbolt -- which took a long time! And then all was good.

Maybe I was just lucky, or maybe it was to do with my having set up the NAS as drive X. Whatever, it is worth checking this before doing anything more serious.

gml
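A read-only triage script in the spirit of that check, added here and not from the thread or from ASUSTOR: it walks a mounted share (the path is an assumption; the sample tree below is constructed in a temp directory), reports which .deadbolt files still have their original beside them and which do not, and deletes nothing, so the "are the originals still there?" question is answered before any Del /S.

```python
"""Triage .deadbolt files on a recovered share before deleting anything."""
import os
import tempfile
from pathlib import Path

DEADBOLT_SUFFIX = ".deadbolt"


def triage_deadbolt(root):
    """Walk `root` (read-only) and classify files against the .deadbolt copies.

    Returns a dict of sorted POSIX-style relative paths:
      'recoverable': .deadbolt file whose original is still present beside it
      'lost':        .deadbolt file with no original next to it (restore from backup)
      'untouched':   ordinary file that has no .deadbolt counterpart
    """
    root = Path(root)
    report = {"recoverable": [], "lost": [], "untouched": []}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if name.endswith(DEADBOLT_SUFFIX):
                original = name[: -len(DEADBOLT_SUFFIX)]
                report["recoverable" if original in names else "lost"].append(rel)
            elif name + DEADBOLT_SUFFIX not in names:
                report["untouched"].append(rel)
    for paths in report.values():
        paths.sort()
    return report


def build_sample_share():
    """Constructed sample share (temp dir) mimicking what mdav056 described."""
    base = Path(tempfile.mkdtemp(prefix="nas_sample_"))
    (base / "docs").mkdir()
    # original still present next to its encrypted copy -> recoverable
    (base / "docs" / "report.docx").write_bytes(b"original contents")
    (base / "docs" / "report.docx.deadbolt").write_bytes(b"\x00ciphertext")
    # only the encrypted copy remains -> lost, needs the backup
    (base / "docs" / "budget.xlsx.deadbolt").write_bytes(b"\x00ciphertext")
    # never touched by the ransomware
    (base / "notes.txt").write_bytes(b"not touched")
    return str(base)


if __name__ == "__main__":
    for kind, paths in triage_deadbolt(build_sample_share()).items():
        print(f"{kind}: {len(paths)} {paths}")
```

Point it at the real mount (for example `triage_deadbolt("X:/")`) and only consider removing the .deadbolt copies in the 'recoverable' list; everything in 'lost' needs the backup regardless.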



michaelmurfy (/dev/ttys0, 10926 posts, Moderator)
#2879512 5-Mar-2022 21:40
@mdav056 You got very very lucky.

BACKUP NOW! Then factory reset your NAS and format the drives if you can. Treat the NAS as fully compromised currently.

networkn (27145 posts)
#2879516 5-Mar-2022 22:37
michaelmurfy: @mdav056 You got very very lucky.

BACKUP NOW! Then factory reset your NAS and format the drives if you can. Treat the NAS as fully compromised currently.

Follow this advice immediately.

Hopefully you don't, but if you do reuse passwords, anything you use on that NAS that is similar or the same as anything else you use should be reset to a unique password.

DS248 (1557 posts)
#2879518 5-Mar-2022 22:43
Ouch. Only just discovered this. Have two QNAPs (old TS-453 Pro, new TS-653D). Fortunately neither appears to have been affected. Old one was not up to date but has nothing publicly facing. Only started setting up the new NAS on 24 Feb (2 days after the CERT NZ advisory) and it is fully up to date.

When fully set up, will run the old one purely as periodic backup, similar to @Tinkerisk. Alas sans the 10GbE link :(.

Tinkerisk (1740 posts)
#2880001 7-Mar-2022 03:29
DS248: Alas sans the 10GbE link :(.

It's a 10GbE link but limited to approx. 5-6GbE due to the PCIe shared QNAP interface layout (which was known to me before I bought it).

- NET: FTTH, OPNsense, 10G backbone, GWN APs, ipPBX
- SRV: HA server cluster, 95TB storage capacity on premise
- IoT: zigbee, tasmota, BidCoS, LoRa, WX sensor suite, IR
- 3D: two 3D printers, 3D scanner, CNC router, laser cutter
