Search This Blog

Showing posts with label QNAP. Show all posts

Raspberry Robin Worm Threats Uncovered by Microsoft

According to Microsoft Security Threat Intelligence analysts, threat actors have continued to target Raspberry Robin virus victims, indicating that the worm's creators have sold access to the infected devices to other ransomware gangs.

Raspberry Robin is malware that infects Windows systems via infected USB devices. It is also known as QNAP Worm due to the usage of compromised QNAP storage servers for command and control.

The malware loader Bumblebee, the Truebot trojan, and IdedID also known as BokBot, a banking trojan, have all been distributed using Raspberry Robin. Microsoft analysts claim that hackers also instructed it to launch the LockBit and Clop ransomware on hijacked computers.

The FakeUpdates malware, which resulted in DEV-0243 activity, was installed on Raspberry Robin-infected devices in July 2022, according to a report from Microsoft. DEV-0243 is a ransomware-focused threat actor with ties to EvilCorp that is also thought to have used the LockBit ransomware in some campaigns.

A malicious payload associated with Raspberry Robin has reportedly been the subject of at least one alert on almost 3,000 devices across 1,000 companies, according to data gathered by Microsoft's Defender for Endpoint product over the past 30 days.

When Raspberry Robin-infected devices were updated with the FakeUpdates backdoor earlier in July, Microsoft analysts discovered Evil Corp's pre-ransomware behavior on those networks. The activity was linked to the access broker monitored as DEV-0206, and it was seen during that time period.

In September, IBM's Security X-Force discovered additional linkages between Raspberry Robin and Dridex, including structural and functional parallels between a Raspberry Robin DLL and a malware loader used by Dridex.

Microsoft further speculated that the hackers of such malware operations linked to Raspberry Robin are funding the worm's operators for payload distribution, allowing them to stop using phishing as a method of acquiring new victims. According to Microsoft, the malware is anticipated to develop into a threat that is severe.

Zyxel Updates NAS Devices to Fix Potential Security Flaw

Shaposhnikov Ilya alerted about a major security vulnerability, targeting Zyxel's network-attached storage (NAS) device. The vulnerability was identified as CVE-2022-3474 and the patches for the same were released. The vulnerability officially described as a 'format string vulnerability' affects Zyxel NAS326 firmware versions before V5.21(AAZF.12)C0 and has a CVSS score of 9.8/10.

An attacker could take advantage of the issue by sending specially created UDP packets to vulnerable products. The firm said in an alert that a successful flaw exploit might allow a hacker to run whatever code they want on the vulnerable device.

Zyxel provided security upgrades in May 2022 to address a number of vulnerabilities impacting a variety of products, including firewall, AP, and AP controller products.

The following versions are affected by the flaw:
  • NAS326 (versions before V5.21(AAZF.11)C0)
  • NAS540 (versions prior to V5.21(AATB.8)C0), and
  • Prior to V5.21(ABAG.8)C0, NAS542
This revelation follows Zyxel's July patching of the CVE-2022-30526 and CVE-2022-2030 vulnerabilities impacting its firewall products, which affect local root access and authenticated directory traverse.

The four vulnerabilities with the command injection bug in some CLI commands classified as CVE-2022-26532 being the most critical are as follows: 
  • CVE-2022-0734: A cross-site scripting vulnerability was found in the CGI program of various firewall versions, which could let an attacker use a malicious script to access data stored in the user's browser, like cookies or session tokens.
  • CVE-2022-26531: Several erroneous input validation problems were discovered in several CLI commands of some firewall, AP controller, and AP versions that might let a local authorized attacker bring down the system or trigger a buffer overflow through the use of a specially crafted payload.
  • CVE-2022-26532: Certain firewall, AP controller, and AP versions contain the 'packet-trace' CLI command that contains a command injection vulnerability that might allow a local, authorized attacker to execute arbitrary OS instructions by providing specially crafted inputs to the function.
  • CVE-2022-0910: In the CGI program of various firewall versions, an authentication bypass issue resulting from a deficient access control mechanism has been discovered. An attacker may be able to use an IPsec VPN client to switch from two-factor verification to one-factor verification due to the bug.
A few days after QNAP issued a warning about a fresh wave of Deadbolt ransomware attacks aimed at its NAS consumers, Zyxel released its caution. 

In earlier assaults that exploited another critical-severity vulnerability resulting in remote code execution, a Mirai botnet variant targeted Zyxel NAD products.

Remote code execution flaws in NAS devices, which are frequently used to store massive amounts of data, might easily result in complete device compromise. NAS devices are frequently the target of ransomware assaults. 

QNAP NAS servers attacked by Checkmate ransomware


A new ransomware strain known as Checkmate has recently come to the attention of Taiwanese vendor QNAP, and early research suggests that it is targeting NAS machines with SMB services that are accessible via the internet. SMB is a communication protocol that allows nodes on a network of devices to exchange access to files. 


The ransomware adds the .checkmate extension to the filenames of encryption keys and leaves an extortion letter with the name !CHECKMATE DECRYPTION README on the compromised devices. 

According to a report by BleepingComputer, some forum users claimed to have contracted the Checkmate ransomware in June. For a decryptor and a decryption key, the hackers want payment from the victims in bitcoins worth $15,000 each. 

The malicious actors behind this campaign, according to QNAP, will use accounts compromised by dictionary assaults to remotely log in to devices that are vulnerable to remote access. After getting access, they begin encrypting files in shared folders, although according to victim claims, all the data is encrypted.

Resist ransomware threats 

The company advised users to utilize VPN software to decrease the attack surface and prevent threat actors from attempting to log in using hacked credentials. It also advised customers to avoid exposing their NAS machines to Internet access. 

Additionally, QNAP users were instructed to evaluate all of their NAS accounts right away, double-check that they're using strong passwords, back up their files, and often create backup snapshots in case their data needs to be restored.

Taking away SMB 1 
  • Visit QTS, QuTS hero, or QuTScloud and log in. 
  • Go to Win/Mac/NFS/WebDAV > Microsoft Networking under Control Panel > Network & File.
  • Then select Advanced Options. 
  • The window for Advanced Options appears. 
  • Select SMB 2 or higher next to the Lowest SMB version. 

QTS, QuTS hero, or QuTScloud updates 
  • Register as an administrator on QTS, QuTS Hero, or QuTScloud.
  • Go to System > Firmware Update in the Control Panel. 
  • Click Check for Update under Live Update. 

The most recent update is downloaded and installed by QTS, QuTS hero, or QuTScloud. Additionally, QNAP stated last month that it is "thoroughly researching" a recent round of attacks that began in early June and are aimed at spreading the DeadBolt ransomware.

In the past two years, a wave of ransomware assaults has targeted QNAP NAS users, leading the vendor to publish several alerts and urgent updates, and even encourage for end-of-life hardware.

QNAP NAS Devices Struck by eCh0raix Ransomware Attacks


The ech0raix ransomware has resumed targeting vulnerable QNAP Network Attached Storage (NAS) systems this week, as per user complaints and sample uploads on the ID Ransomware site.

ech0raix (also known as QNAPCrypt) began attacking QNAP customers in many large-scale waves in the summer of 2019 when attackers brute-forced their entry into Internet-exposed NAS equipment. Since then, victims of this ransomware strain have discovered and reported numerous further campaigns, in June 2020, May 2020, and a large wave of assaults targeting devices with weak passwords that began in mid-December 2021 (just before Christmas) and gradually declined towards early February 2022. 

A fresh series of ech0raix assaults have been validated by an increase in the amount of ID Ransomware submissions and users reporting getting affected on the BleepingComputer forums, with the first hit on June 8. 

Although just a few dozen ech0raix samples have been submitted, the real number of successful assaults is likely to be larger because only a subset of victims will utilize the ID Ransomware service to detect the ransomware that encrypted their devices. 

While this ransomware has been used to encrypt Synology NAS systems since August 2021, this time victims have solely reported attacks on QNAP NAS systems. The attack vector employed in the current ech0raix campaign is unknown until QNAP releases additional information on these attacks. 

How to Protect NAS Against Attacks 

While QNAP is yet to give a warning to consumers about these assaults, the firm has already recommended users secure their data from potential eCh0raix attacks 
  • by using stronger passwords for administrator accounts
  • activating IP Access Protection to protect accounts from brute force assaults, 
  • and preventing the use of the default port numbers 443 and 8080 
In this security advice, QNAP gives extensive step-by-step instructions for changing the NAS password, enabling IP Access Protection, and changing the system port number. 

Customers are also advised by the Taiwanese hardware manufacturer to stop Universal Plug and Play (UPnP) port forwarding on their routers to avoid exposing their NAS systems to Internet-based assaults. One can also stop SSH and Telnet connections and enable IP and account access prevention by following these step-by-step instructions. QNAP also urged users on Thursday to protect their devices against continuous DeadBolt ransomware threats. 

"According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series," the NAS maker stated.

"QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet."

New DeadBolt Ransomware Attacks Have Been Reported by QNAP


QNAP, Taiwanese network-attached storage (NAS) device vendor, has issued a warning to its clients about a fresh wave of Deadbolt ransomware assaults. "According to the QNAP Product Security Incident Response Team (QNAP PSIRT) investigation, the attack targeted NAS systems running QTS 4.3.6 and QTS 4.4.1, with the most affected models being the TS-x51 and TS-x53 series," the NAS manufacturer claimed. 

This is the third time since the beginning of the year that QNAP machines have been infected with the DeadBolt ransomware. "QNAP strongly advises all NAS customers to check and update QTS to the most recent version as soon as possible, and to avoid exposing its NAS to the internet," the company said in its advisory. 

As many as 4,988 DeadBolt-infected QNAP devices were discovered in late January, requiring the business to issue a forced firmware update. In mid-March, there was a second spike in new infections. Asustor, a storage solutions provider, issued a warning to its clients in February about a wave of Deadbolt ransomware assaults aimed at its NAS devices. QNAP devices were attacked in a new wave of DeadBolt ransomware attacks, according to Censys, an Internet search engine. 

QNAP patched several vulnerabilities in early May, including a major security flaw known as CVE-2022-27588 (CVSS 9.8) that might let a remote attacker execute arbitrary instructions on susceptible QVR devices. 

QNAP QVR is a video surveillance solution from a Taiwanese company that runs on its NAS devices without the need for additional software. DeadBolt assaults are also noteworthy for reportedly exploiting zero-day vulnerabilities in software to obtain remote access and encrypt systems.

According to a new report published by Group-IB, exploiting security vulnerabilities in public-facing applications has emerged as the third most common vector for gaining initial access, accounting for 21% of all ransomware attacks examined by the firm in 2021. However, QNAP owners infected with the DeadBolt ransomware will have to pay the ransom to receive a valid decryption key.

Several QNAP NAS Devices are Vulnerable by Dirty Pipe Linux Bug


The "Dirty Pipe" Linux kernel weakness – a high-severity vulnerability that offers root access to unprivileged users with local access in all major distros – affects a majority of QNAP's network-attached storage (NAS) appliances, the Taiwanese company stated. 

The Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, according to QNAP, is affected by Dirty Pipe, a recently revealed local privilege-escalation vulnerability. A local user with no access can get admin privileges and insert malicious code if this vulnerability is exploited. 

The flaw was identified and reported eight days ago by Max Kellermann of CM4all, a security researcher. The vulnerability, which has been identified as CVE-2022-0847, has been present in the Linux kernel since version 5.8. Fortunately, Linux kernels 5.10.102, 5.15.25, and 5.16.11 have been updated to address the issue. 

However, as Linux news site Linuxiac points out, Dirty Pipe is just not simply a threat to Linux machines: because Android is built on the Linux kernel, any device running version 5.8 or later is vulnerable, putting a large number of people at risk. For example, Linuxiac cited the Google Pixel 6 and Samsung Galaxy S22: the widely used phones run on Linux kernel 5.10.43, making them susceptible.

"QNAP will hopefully deliver a kernel update for the vulnerability soon," Mike Parkin, a highly experienced engineer at Vulcan Cyber. "This is the storage device vendor's second recent incident," Parkin further pointed out in an email.

NAS devices that allow authorized users and customers to store and retrieve data from a single location boost productivity by providing cloud computing capabilities inside networks, according to Schless. Dirty Pipe has been compared to Dirty Cow by some; an older privilege escalation flaw (CVE-2016-5195) which has been in Linux for nine years — since 2007 – before it was publicly exploited in 2016 against web-facing Linux servers.

Dirty Pipe is a lot like Dirty Cow, except it's a lot worse as it's easy to take advantage of. According to Parkin, the vulnerability's mitigating element is whether it requires local access, which reduces the danger marginally. The Dirty Pipe flaw has also been fixed in the newest Linux kernel code. Furthermore, patches for the major distributions are expected to be available soon.

QNAP : New Crypto-Miner Targeting the NAS Devices


A new variant of crypto-mining malware is affecting QNAP's network-attached storage (NAS) devices, as per a new security advisory posted by the Taiwanese hardware firm QNAP. 

The firm did not reveal how the devices were infected, but it did state that once the malware had established a grip on affected systems, it would build a process called [oom reaper] that would consume about 50% of the CPU's entire use. 

QNAP stated, “This process mimics a kernel process but its PID is usually greater than 1000.” 

While the infections are being examined, QNAP advised customers to protect themselves by updating their devices' operating systems (known as QTS or QuTS) and all QNAP add-on software. Furthermore, the business advised users to change all of their NAS account passwords because it was unclear whether the attackers leveraged a vulnerability or just brute-forced an internet-connected device that used a weak password. 

QNAP advised customers to reboot their devices and download and install the company's "Malware Remover" tool from the device's built-in App Center to eliminate the infection. The company's advisory provides step-by-step instructions on how to complete all three procedures above. 

Malware attacks on QNAP systems in the past 

However, in retrospect, the Taiwanese corporation is being utilized by malware gangs to attack its devices. Ransomware strains such as Muhstik, Qlocker, eCh0raix, and AgeLocker have all targeted QNAP devices in recent years, with hackers obtaining access to client NAS systems, encrypting data, and then demanding minor ransom payments. 

Crypto-mining malware has been uncommon, however, it has been seen in the past. QNAP NAS devices were targeted by the Dovecat crypto-mining malware in late 2020 and early 2021, which exploited weak passwords to gain access to QNAP systems. In 2019 and 2020, the QSnatch malware targeted the company's NAS devices, infecting roughly 62,000 systems by mid-June 2020, as per CISA and the UK NCSC. 

QSnatch did not have crypto-mining functionality, but it did have an SSH password stealer and exfiltration capabilities, which were the primary reasons that national cybersecurity agencies in the United States, the United Kingdom, Finland, and Germany became involved and issued national alerts about the botnet's operations.

Beware of eCh0raix Ransomware Attacks, QNAP Warns Customers


QNAP warned its users of an actively exploited Roon Server zero-day vulnerability and eCh0raix ransomware attacks that are targeting its Network Attached Storage (NAS). The Taiwanese vendor claimed that it has received reports of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

" The eCh0raix ransomware has been reported to affect QNAP NAS devices," the company said. Devices using weak passwords may be susceptible to attack. QNAP urged customers to "act immediately" to protect their data from potential eCh0raix attacks by: 

• Using stronger passwords for your administrator accounts. 

• Enabling IP Access Protection to protect accounts from brute force attacks. 

• Avoiding using default port numbers 443 and 8080. 

However, QNAP didn't mention how many reports it received from users directly affected by eCh0raix ransomware in the last weeks. QNAP also issued another security advisory to warn of an actively exploited zero-day vulnerability impacting Roon Labs’ Roon Server 2021-02-01 and earlier versions. 

“The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack: Roon Server 2021-02-01 and earlier. We have already notified Roon Labs of the issue and are thoroughly investigating the case. We will release security updates and provide further information as soon as possible,” reads the advisory.

QNAP also provided the necessary safety measures by which users can disable Roon Server on their NAS:

1. Log on to QTS as administrator and open the app Center and then click. A search box appears.

2. Type "Roon Server" and then press ENTER. Roon Server appears in the search results.

3. Click the arrow below the Roon Server icon. 

4.  Select Stop. The application is disabled.

Unfortunately, QNAP has been on the target list of threat actors for quite some time. QNAP devices were previously targeted by eCh0raix ransomware (also known as QNAPCrypt) in June 2019 and June 2020. 

A massive Qlocker ransomware campaign also hit QNAP devices starting mid-April, with the threat actors behind the attacks making $260,000 in just five days by remotely encrypting data using the 7zip archive program.

Ransomware Qlocker Encrypts QNAP Devices with 7Zip


A huge ransomware campaign seems to be underway to attack QNAP devices globally and customers can now locate their files in password-protected 7zip archives. The ransomware is known as Qlocker and on 19 April 2021, it was aimed at attacking QNAP computers. Ever since the help platform of bleeping computers has had enormous development, and the victims' requests have increased in ID-Ransomware. 

However, as per the victims in the Qlocker support department of Bleeping Computer, hackers use 7-zip to transfer files to password-protected archives on QNAP computers. During locking of the files, multiple 72 processes are displayed on the QNAP Resource Monitor, which can be executed on the 7zip command line. Once ransomware is completed, files of the QNAP computer will be saved in a password-protected 7-zip file with a.7z extension. Victims must enter the password identified by the perpetrator only to retrieve those archives. 

As soon as one has encrypted the QNAP devices, they then have a !!!READ ME.txt ransom note with a special client key to sign on to the Tor ransomware payment platform. All victims are expected to pay Bitcoins of roughly 0.01, which is around $557.74, from the Qlocker restitution notes shown to get a password for their archived data. After payment is made and an invalid Bitcoin Tax ID has been entered, a 7Zip archive password will be displayed on the Tor Payments website. This password is exclusive to the victim that cannot be used on computers of all the other victims. 

On April 22, a security investigator, Jack Cable, announced a bug found in the Qlocker Tor platform that allows users to freely retrieve their 7zip passwords. This bug could allow victims to obtain a Bitcoin transaction ID from someone who has previously paid but changed it slightly. When the modified transaction ID was sent to the Qlocker Tor site, the payment was acknowledged, and the victim's password was displayed. 

Jack Cable also helped victims secretly recover their passwords and Emsisoft arranged to build a support system to further exploit this vulnerability. Unfortunately, the ransomware developers took it and patched it an hour after they heard of the error. There is no way to download files without a password that is not available for free anymore at this stage.

QNAP has lately solved critical vulnerabilities which enable a mobile player to access a device completely and to run ransomware. 

The following descriptions were found for these two vulnerabilities by QNAP on 16 April: 
CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero
CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On 

"QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices," QNAP stated in a security advisory.

Beware of Ongoing Brute-Force Attacks Against NAS Devices, QNAP Warns


Taiwanese firm, QNAP has warned its clients of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urged to strengthen their devices’ security by changing their passwords and default access port number, and disabling the admin account.

The company warned its customers by stating, “recently QNAP has received multiple user reports of hackers attempting to log into QNAP devices using brute-force attacks – where hackers would try every possible password combination of a QNAP device user account. If a simple, weak, or predictable password is used (such as ‘password’ or ‘12345’) hackers can easily gain access to the device, breaching security, privacy, and confidentiality. ”

If threat actor manages to guess the right password then they are able to secure full access of the targeted device, allowing them to exfiltrate confidential documents or install malware. If the hackers are unable to brute-force their way in, the NAS devices’ system logs will mark the attempts and log them with ‘Failed to login’ warning texts.

To protect their devices from ongoing attacks, customers have to enhance NAS security by changing the default access port number, implementing password rotation policies, and disabling the default admin account. Additionally, since the attack is only viable on Internet-facing NAS devices, QNAP recommends customers don’t display their devices on public networks.

Firstly, customers have to create a new system administrator account before disabling the admin account. If the administrator account on QNAP NAS devices is running on QTS 4.1.2 then the following steps will disable the default admin account:

• Go to Control Panel > Users and edit the ‘admin’ account profile.
• Tick the ‘Disable this account’ option and select ‘OK’.

Additionally, customers can also configure the NAS device to automatically block IP addresses behind several numbers of troubled login attempts. QNAP has also published a checklist to secure their customers’ device and protect their data:

• Remove unknown or suspicious accounts from the device 

• Download QNAP MalwareRemover application through the App Center functionality 

• Change all passwords for all accounts on the device
• Set an access control list for the device (Control Panel > Security > Security level)