QNAP patches critical vulnerabilities that enabled ransomware attacks

QNAP has released multiple updates against vulnerabilities that were actively being exploited. The company recommends users install the updates immediately to protect against the Qlocker and eCh0raix ransomware.

Recently, a large number of QNAP NAS devices have fallen victim to the Qlocker and eCh0raix ransomware attacks, the company says. Attackers managed to break into the devices, move the files on them into a password-protected 7zip archive and demand a ransom to get access to the files back. The amount requested was 0.01 bitcoin, approximately 400 euros. To get in, the attackers exploited three vulnerabilities present on the NAS devices:

CVE-2020-36195 was a vulnerability allowing an attacker to break in using SQL injection through the Multimedia Console and Media Streaming Add-on apps.
CVE-2021-28799 was a vulnerability in Hybrid Backup Sync. It turned out that hard-coded credentials were embedded in the software. Attackers had found out about this and thus had a backdoor to the NAS.
CVE-2020-2509 was a command injection vulnerability in the QTS and QuTS hero operating systems, with which attackers could take over the NAS systems.

Urgent advice to install updates

QNAP has now released updates to its Multimedia Console, Media Streaming Add-on and Hybrid Backup Sync apps, which the company claims protect the systems from ransomware attacks. The vulnerabilities in the operating systems themselves have also been patched. The company strongly recommends that everyone install the latest version of Malware Remover and run that software to scan their NAS just to be sure. QNAP also recommends changing the default port for accessing the user interface from 8080 to something else, and making sure that important data on the NAS is backed up.

Search for solutions for victims

The company says it is still working hard on a solution to remove malware from infected devices. Victims of the ransomware are advised not to turn off their NAS, run a scan with the latest version of Malware Remover and contact QNAP technical support.

Jack Cable, who calls himself a white hat hacker on Twitter, was able to help 50 users decrypt their data. He had found a vulnerability in the attackers’ payment system, writes CyberScoop. The hackers have since fixed the vulnerability, so unfortunately that option is no longer available to any new victims.

Update: it looks like this may have been fixed by the ransomware operators, unfortunately. I apologize if I was not able to get to yours before it was fixed. In total decrypted around 50 keys worth $27k.
— Jack Cable (@jackhcable) April 22, 2021