back to article Data-stealing, password-harvesting, backdoor-opening QNAP NAS malware cruises along at 62,000 infections

Some 62,000 QNAP network-attached storage (NAS) boxes are right now infected with the data-stealing QSnatch malware, the US and UK governments warned today. A joint statement from America's Cybersecurity and Infrastructure Security Agency (CISA) and Britain's National Cyber Security Centre (NCSC) said the software nasty, first …

  1. Sparkus

    Who leaves unprotected consumer-grade NAS boxen exposed to a direct internet connection.....

    Oh yah, everyone.............

    1. Pascal Monett Silver badge

      I have a Synology, and it refuses anything that is not from the local network.

      Media is disabled, internet access is disabled, FTP is disabled. The only way to access it is by being on the same local network.

      That, plus the fact that the router doesn't accept outside queries either, and I think I have a good foundation for being secure.

      Which, obviously, does not mean I do not pay attention to the firewall on the router, or on the machines I work with.

      I just can't understand people who configure their machines to accept Internet requests without wondering how to ensure that only the "right" people will access their data. Twenty years ago, you could be forgiven for not knowing that some miscreant is just begging for a chance to get at your data. Today, not so much.

      1. Anonymous Coward
        Anonymous Coward

        Cool...

        So the Trojans used to pivot through one of your other devices can narrow down the attack vector quickly.

        I have a plain old Linux box with a massive storage area in it and use only SFTP with non-cached credentials.

        CIFS/SMB storage is exposed the minute you share it. There's a buttload of SMB replay attacks out there, all the hackers need is a pivot. Which usually finds people through email attachments, guests connecting their infected crap to your network, kids downloading dodgy freeware, literally everything on Forced Scourge (Source Forge for those not in the know) and various other devious little nooks on the internet.

  2. robert_swift

    My 6 bay QNAP has been fabulous for the last 15 months or so...

    ...as a door stop!

    no use for anything else after the previous malware infection!

    1. sabroni Silver badge

      Re: no use for anything else after the previous malware infection!

      Didn't the factory reset work?

      1. BeerTokens

        Re: no use for anything else after the previous malware infection!

        Think it's a case of 'Fool me once Shame on you, fool me twice Shame on me.'

    2. Lunatic Looking For Asylum

      Re: My 6 bay QNAP has been fabulous for the last 15 months or so...

      Can I have it :-)

      I'll bung Debian on it and make good use of it.

      I'll even go as far as offering to pay postage and I have a couple of old burnt out UPS you can have to use as doorstops :-)

      1. Sparkus

        Re: My 6 bay QNAP has been fabulous for the last 15 months or so...

        Yah, if it's an intel-based box, there are all kinds of side-loads you can dump onto the thing

  3. BeerTokens

    Just reset it.

    So in a couple of places I have a pair of 8 bay synologys which will would if needed just allow me to reset one, then the other. However the smaller two bay machines are aimed at consumers who will not be equipped to offload all of their data on their NAS to perform the factory reset. Also not everyone uses their nas solely as a NAS my home one is also my NVR. This will require fully setting up from scratch for fear of bringing any remanants from the malware over. All in all a bit of a ball ache for uninitiated and probably the last time they do the sensible thing and keep their data off the cloud.

    Only through buying a ds106 over 15 years (approx) that I have stuck with Synology, QNAP have always been on the list when looking into a new NAS but with so little to tell them apart I stick with what I know.

    1. Lotaresco Silver badge

      Re: Just reset it.

      I have two QNAPs and one Synology the Synology was cheap, doesn't have hot swappable bays and feels cheap - plastic case. It was a pain to install drives on the Synology because it needs to be dismantled to get access to the drive bays. That said it was less than half the price of the QNAPs and works, mostly, just as well. The Synology web interface is prettier but not as capable as the QNAP offering. QNAP has features such as NUT for managing/reporting UPS status that doesn't seem to exist on the Synology. The Synology doesn't report the SATA interface speed for some reason, the QNAP does. It's still possible to load a package manager on the Synology and add your own command-line tools, this feature was removed from QNAPs a couple of years ago.

      Really not much to choose between them. I got the Synology because after upgrading the drives in one of the QNAP to 4x8TB it seemed a shame to just throw away the 4x3TB drives that I had removed. So now I can use the Synology for multimedia storage.

      I recall that setting up rsync to work between QNAP and Synology was a pain, but can't remember why.

  4. Dennis_J

    IPv6 Security Question

    Can someone explain to me if my understanding of IPv6 is right.

    With IPv6 as my local network, my Qnap would effectively be on the internet because there is no NAT function in IPv6.

    My only protection would be obscurity due the quantity of addresses available in IPv6 and I would just have to hope that my Qnap didn't advertise itself or a hacker didn't get lucky?

    If for instance, I had an old PC that needed lots of updates. With NAT on IPv4, I could connect it with reasonable confidence that it will be safe while I do the updates.

    What would be my options on IPv6? As an IT tinkerer with no network training, understanding firewall configurations is difficult, especially as the same problem applies to testing it.

    Is there an off the shelf IPv6 box that would protect local network devices? The PC only needs to be able to respond to addresses that it has initiated connections with and so give me similar protection as NAT.

    I understand that the argument goes that every device should be secure and that the obscurity of so many addresses is security but the reality is that no devices are secure and when I open a web page, generally there can be 100+ servers referenced in scripts that now know my IPv6 address and so can now narrow down the range of my network.

    I would be interested to know if my understanding is wrong and I should step away from my tin foil hat and what advice there is to secure a IPv6 local network to be sure it is as secure as it can be because, as an engineer, crossing my fingers and hoping is very unsatisfactory.

    1. Anonymous Coward Silver badge
      Boffin

      Re: IPv6 Security Question

      The firewall in your router will behave in the same was as it does for NATed IPv4 connections.

      It will reject any unsolicited connection requests from outside (by default; unless you've tinkered with it!)

      The way IPv4 NAT works means that an IPv4 address (32bits) + port number (16bits) gets routed to the local device which initiated the connection, so IPv6 is no less secure anyway (32+16=48bits vs 128bits)

    2. dajames Silver badge

      Re: IPv6 Security Question

      With IPv6 as my local network, my Qnap would effectively be on the internet because there is no NAT function in IPv6.

      NAT isn't a firewall. NAT gives some protection because the logic that maps incoming WAN connections to LAN addresses will normally drop any connection for which there isn't a mapping rule, so if you have no rules set up then all unsolicited WAN packets will be dropped. Any sane router will do that (at least by default) but it's coincidental, and not the purpose of NAT.

      It IS possible to use NAT with IPv6. The IPv6 address space is so large that there isn't any real point in doing do -- there are enough addresses that every computer, every IoT toy, every internet-enabled fridge and cat-flap in the world can have its own IPv6 address -- but it is possible (and some routers do support it).

      Most routers, though -- especially consumer-grade kit -- don't support IPv6 NAT because there's no need for it. They should still offer at least a basic firewall and the ability to reject any unsolicited incoming WAN connections.

      The only real sense in which IPv6 may be less secure than IPv4 is that it is newer and less well understood. The firmware in an IPv6 router will be newer and won't have stood the test of time, so bugs are a possibility -- if it's completely new firmware those bugs may affect IPv4 connections as well as IPv6 ones, of course. This is especially true of budget models with cheaply-developed firmware (but also surprisingly true of more upmarket models).

    3. Trigun

      Re: IPv6 Security Question

      I don't use a QNAP, but I would have thought that unless you've configured an IPv6 address on one of the NICs for the device or you have a DHCPv6 server on your network (quite unlikely), you should be fine. The NIC should self assign the IPv6 version of an IPIPA address called a link local address which is not routable.

      To check this login to your QNAP and check the IPv6 address on the NIC(s). They should only have IPv6 addresses begining with FE80 only.

      https://en.wikipedia.org/wiki/Link-local_address

      Also, as others have said, your router won't allow unsolicited connections and may not even by IPv6 capable (depends how old it is).

      Hope this helps

      1. DevOpsTimothyC

        Re: IPv6 Security Question

        Devices can self assign routable IP's with just IPv6 RA's (Route Announcements). All DHCPv6 does is extend the RA's to provide additional information eg DNS, Domain etc. You can do IP allocation over DHCPv6, but that's only if you want specific IP's that are not related to the mac address

    4. DevOpsTimothyC

      Re: IPv6 Security Question

      As I disagree with the other answers.

      "Qnap would effectively be on the internet because there is no NAT function in IPv6" - Essentially correct

      "My only protection would be obscurity due the quantity of addresses available in IPv6 and I would just have to hope that my Qnap didn't advertise itself or a hacker didn't get lucky?" yes. If there was any malware that phoned home then that obscurity is completely out the window.

      If you have a working IPv6 connection then you probably have a /64 block routed to you. Go to https://www.ripe.net (Don't worry, it's the place that hands out IP addresses to all the ISP's in Europe) In the top right of the screen you should see an IP address. If it's an IPv6 address (has colons in it) can you find that address one on one of the network interfaces on your computer.

      Unless your router (which may also be an IPv4 NAT gateway) has an obvious IPv6 firewall, then you have an open & unfiltered connection that is globally routable. If you have someone that you can trust get them to to try and connect to your ip address. If they can then you're probably not secure

      "Is there an off the shelf IPv6 box that would protect local network devices?" Depends on your internet connection. Does your router / modem have an IPv6 firewall. It would then allow you to restricted what traffic origionated from outside your local network (/64).

  5. Lunatic Looking For Asylum

    I've got a couple of them

    I installed debian on them, it's a bit fiddly without a console.

    Next NAS box I get will be a DIY thing - the QNAP's are good but lack of a console and proprietary motherboard and UI lets them down a bit. They're great for plug and play but to really make best use of them, ditch QNAP's O/S which is a pretty limited Linux.

    1. Evil Harry
      Pint

      Re: I've got a couple of them

      A couple of former colleagues told me they swear by FreeNAS. Or maybe it was swear at FreeNAS.

      We were in the pub and drunk at the time.

      1. Sparkus

        Re: I've got a couple of them

        see also OMV and RockStor as well as FreeNas. OpenFiler may or may not be discontinued or forked elsewhere.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020