Network device manufacturer Qnap has identified the cause of the attacks by the Qlocker ransomware and has released security updates. The fix comes very late: there are now many indications that the people behind the campaign have already shut it down.
Qlocker has been targeting Qnap network-attached storage (NAS) devices since April 2021, and the manufacturer has been working on a fix since then. The malware compromised systems, locked the data in password-protected 7-Zip archives and demanded a ransom.
Qnap has now updated an advisory from April and states that a “critical” vulnerability (CVE-2021-28799) in Hybrid Backup Sync (HBS) is the root cause of the attacks: an account with hard-coded credentials, which the attackers used to gain access to systems over the Internet.
According to the advisory, the following HBS versions are protected against such attacks:
- from QTS 4.5.2: HBS 3 v16.0.0415
- from QTS 4.3.6: HBS 3 v3.0.210412
- from QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411
- from QuTS hero h4.5.1: HBS 3 v16.0.0419
- from QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419
HBS 1 and 1.3 should not be affected by the vulnerability.
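A defender-side check against the version table above, as an added example rather than anything from Qnap or the article: given the platform, the OS version and the installed HBS build, it reports whether the HBS build is at or above the fixed build. It assumes that each listed OS version opens a branch running up to the next listed one, that the QuTScloud entry covers c4.5.1 through c4.5.4 inclusive, and that HBS 1.x is treated as not affected as stated above.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn 'v16.0.0415', 'h4.5.1' or 'c4.5.1' into a comparable tuple of ints.
    Leading 'v', 'h' and 'c' prefixes (as used by Qnap) are dropped; '0415' becomes 415."""
    return tuple(int(part) for part in text.strip().lower().lstrip("vhc").split("."))


# Fixed-version table from the article: (first OS version of the branch,
# end of the branch (exclusive) or None for "and later", minimum fixed HBS 3 build).
# Assumption: each listed OS version opens a branch that runs up to the next listed one.
FIXED_HBS = {
    "qts": [
        ((4, 3, 3), (4, 3, 6), parse_version("v3.0.210411")),  # QTS 4.3.3 and 4.3.4
        ((4, 3, 6), (4, 5, 2), parse_version("v3.0.210412")),  # QTS 4.3.6
        ((4, 5, 2), None, parse_version("v16.0.0415")),        # QTS 4.5.2 and later
    ],
    "quts hero": [((4, 5, 1), None, parse_version("v16.0.0419"))],      # h4.5.1 and later
    "qutscloud": [((4, 5, 1), (4, 5, 5), parse_version("v16.0.0419"))],  # c4.5.1 ~ c4.5.4
}


def hbs_is_safe(platform: str, os_version: str, hbs_version: str) -> Optional[bool]:
    """True  -> HBS build is at or above the fixed build for this OS branch,
               or it is HBS 1.x, which the article says is not affected.
    False -> HBS build is older than the fixed build (CVE-2021-28799 exposure).
    None  -> the article lists no fixed build for this OS version (e.g. QTS 4.2)."""
    hbs = parse_version(hbs_version)
    if hbs[0] == 1:
        return True
    os_ver = parse_version(os_version)
    for start, end, fixed in FIXED_HBS[platform.strip().lower()]:
        if start <= os_ver and (end is None or os_ver < end):
            return hbs >= fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory: (platform, OS version, HBS version)
    inventory = [
        ("QTS", "4.5.2", "v16.0.0415"),
        ("QTS", "4.5.2", "v3.0.210412"),   # old HBS line on a new QTS branch
        ("QuTScloud", "c4.5.3", "v16.0.0418"),
        ("QTS", "4.2.6", "v3.0.210412"),
    ]
    for entry in inventory:
        print(entry, "->", hbs_is_safe(*entry))
```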
Qlocker strikes its sails
The security patches come very late: after extorting hundreds of users, the criminals are reported to have collected $350,000 in ransom within a month.
Victims are now reporting that the payment websites are no longer reachable. Everything indicates that the masterminds have ended the Qlocker campaign; even victims who were willing to pay could no longer do so.
Securing the NAS
As a general rule, network storage should not be reachable from the Internet, since exposing it multiplies the attack surface. If there is no other way, users should protect access with strong passwords and a firewall, for example. NAS owners should also delete suspicious accounts and keep the system up to date. Qnap has compiled further security tips in an article.
Qnap has also released security updates for the NAS operating systems QTS and QuTS hero that close a security hole (CVE-2021-28798, rated “high”). According to the advisory, an attacker could manipulate files after a successful attack.