

QNAP NAS’s - malware attack.

But you can do a simple scan for open ports using a tool like this one: https://www.ipfingerprints.com/portscan.php - this will show if you have anything open inbound from the internet
I take it ok to have filtered ports?
Also if you have a BT home hub, log in as admin and go to advanced settings, then select 'Firewall', and have a look at the settings there - if there are any inbound open ports they will have been configured there.
Can't see anything much - UPnP on with extended UPnP security. No port forwarding. Standard Configuration "Allow all outgoing connections and block all unsolicited incoming traffic. Games and application sharing is allowed."
 
I take it ok to have filtered ports?

Filtered for what? I looked 2 days ago and QNAP didn’t have technical details of the weakness available. Given that, I’d just block all sessions initiated from internet. I’ve never opened mine to internet anyhow, so am only following this vulnerability rather than being truly concerned. If I had any internet initiated capability enabled, I’d block it now pending further detail (maybe it exists already, haven’t checked QNAP for 48 hours or so now?).
 
Isn't the NAS open to the net with Tidal etc?
I switched the security level to intermediate from basic, but couldn't send backups to the cloud, so had to revert.
 
Blocking incoming connections won’t do anything to help or secure things.

Creating VLANs won’t do anything to help or secure things.
 
Filtered for what? I looked 2 days ago and QNAP didn’t have technical details of the weakness available. Given that, I’d just block all sessions initiated from internet. I’ve never opened mine to internet anyhow, so am only following this vulnerability rather than being truly concerned.
Quite. This is what the ipfingerprints.com scan reported. They say:
"filtered:
A port is marked as "filtered" when the packets are sent to that port, however packet filtering (e.g., firewall) prevents the packets from reaching that port."

I have certainly never consciously opened my router to the internet, but I'm not sure whether it is configured so as to prevent any access.
I have tried looking through the advanced settings on the BT homehub and I can't see anything specific. The firewall configuration page only gives 3 options. Standard Configuration "Allow all outgoing connections and block all unsolicited incoming traffic. Games and application sharing is allowed." The other two options seem to be "allow everything through" or "allow nothing through in either direction". Not sure what will happen with the latter but am concerned it will block internet access altogether.
I ran the malware utility on QNAP and it did report removing some files but I'm not sure what and I'm not sure how malware (assuming not false positive) could have got onto my system. Some speculation on QNAP forum that it might have come through an app on the QNAP platform.
My QNAP is an old model which will only run 4.2.6 firmware and will not run the security counselor app.
All of which is a bit troubling. I have run malware removal tool (updated to latest version 3.5.4) repeatedly and it no longer reports any malware files (it still reported two after first running it and removing first lot). I have changed passwords.
Am not sure whether I can configure BT router (and/or the NAS itself) so that no access outside the LAN is possible.
 
I have tried looking through the advanced settings on the BT homehub and I can't see anything specific. The firewall configuration page only gives 3 options. Standard Configuration "Allow all outgoing connections and block all unsolicited incoming traffic. Games and application sharing is allowed." The other two options seem to be "allow everything through" or "allow nothing through in either direction". Not sure what will happen with the latter but am concerned it will block internet access altogether.

A firewall normally works by using what is called a 'state or connection table': when an application makes an outbound connection to the internet, the state table records this and allows the return traffic to come back in (as it is generally trusted because you let it go out).

The firewall (generally) blocks all (unsolicited) incoming traffic from the internet if it doesn't have an associated outbound session and this stops nasty people on the internet accessing your internal/home network.

The problem is that the QNAP vulnerability is a call home function, so it makes an outbound connection to a control server to get instructions on what to do (denial of service etc). As your firewall allows outbound connections you won't be able to stop it, as the virus developers are quite clever and will use port 80 or 443 (http/https) ports to make their connections so the traffic looks like normal web browser stuff.

You could blacklist the IP address the QSnatch is connecting to, but the app will probably be using a dynamic address which allows the IP to change periodically.

Personally I would install/reinstall the latest firmware and disconnect it from the network until it is resolved by QNAP.
 
This is the reason I gave up streaming IT problems. The only infection you get from a turntable is a bit of dust on the needle which is fixed very quickly.
 
Personally I would install/reinstall the latest firmware and disconnect it from the network until it is resolved by QNAP.
All understood, but at the moment I don't know how to disconnect it from the internet without disconnecting it from the LAN. (The latter would mean no music). Any idea how I can do that?
 
All understood, but at the moment I don't know how to disconnect it from the internet without disconnecting it from the LAN. (The latter would mean no music). Any idea how I can do that?
If you have a firewall with the capabilities, perhaps block all traffic originating at the NAS IP address(es) from going out to the Internet. However I don't know if that will impact its function.

If the NAS has static IP address(es) also block all incoming traffic to its IP address(es) - but I think NAT at the firewall will stop that anyway unless specially configured to forward incoming traffic (if so, remove that forwarding).
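
The stateful-firewall behaviour explained earlier in the thread, and the suggestion above to block traffic originating at the NAS, can be modelled in a few lines. This is an added example, not part of the original posts; the addresses, ports and the `StatefulFirewall` class are constructed for illustration, and NAT is left out for simplicity.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range
NAS = "192.168.1.50"                          # assumed NAS address
PC = "192.168.1.20"                           # assumed PC / streamer address
REMOTE = "203.0.113.10"                       # constructed internet host (documentation range)


class StatefulFirewall:
    """Toy router firewall: allow outgoing, block unsolicited incoming (NAT omitted)."""

    def __init__(self, egress_blocked=()):
        self.state = set()  # connection table of flows opened from inside
        self.egress_blocked = set(egress_blocked)

    def outbound(self, src, sport, dst, dport):
        if ipaddress.ip_address(dst) in LAN:
            return "ALLOW: LAN-local, never crosses the WAN firewall"
        if src in self.egress_blocked:
            return "DROP: egress rule for this host"
        self.state.add((src, sport, dst, dport))
        return "ALLOW: new outbound, state recorded"

    def inbound(self, src, sport, dst, dport):
        # Return traffic is accepted only if it mirrors a recorded outbound flow.
        if (dst, dport, src, sport) in self.state:
            return "ALLOW: reply to tracked connection"
        return "DROP: unsolicited"


def simulate(fw):
    """Run the same constructed packets through a firewall and collect verdicts."""
    return {
        "internet_probe_to_nas": fw.inbound(REMOTE, 40000, NAS, 8080),
        "nas_call_home_443": fw.outbound(NAS, 51000, REMOTE, 443),
        "reply_to_nas": fw.inbound(REMOTE, 443, NAS, 51000),
        "pc_web_browsing": fw.outbound(PC, 52000, REMOTE, 443),
        "pc_to_nas_music": fw.outbound(PC, 53000, NAS, 445),
    }


if __name__ == "__main__":
    for label, fw in (("default policy", StatefulFirewall()),
                      ("NAS egress blocked", StatefulFirewall({NAS}))):
        print(label)
        for name, verdict in simulate(fw).items():
            print(f"  {name:24} {verdict}")
```

Under the default policy the inbound probe is dropped but the NAS-initiated connection and its replies pass; with the per-host egress rule the call-home is dropped while LAN playback and the PC's browsing are unaffected.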
 
All understood, but at the moment I don't know how to disconnect it from the internet without disconnecting it from the LAN. (The latter would mean no music). Any idea how I can do that?

If you’ve got an old BT homehub with no granular firewall controls, I think you might be able to block outbound internet access using access rules - see http://bt.custhelp.com/app/answers/detail/a_id/11372/~/how-do-i-use-bt-access-controls?

What version of homehub are you running?
 
Okay, I’m back from a few days in Brussels and luckily I did turn off my QNAP nas before heading away (which I don’t always do).

Most of this thread about filtering goes over my head but (when n) the QNAP tells me that there are updates available etc. so I presume it can be “seen” on the internet.

What is the best thing for me to do when turning on the NAS again?

Thanks,

.sjb
 
Okay, I’m back from a few days in Brussels and luckily I did turn off my QNAP nas before heading away (which I don’t always do).

Most of this thread about filtering goes over my head but (when n) the QNAP tells me that there are updates available etc. so I presume it can be “seen” on the internet.

What is the best thing for me to do when turning on the NAS again?

Thanks,

.sjb
If you’re worried you can manually download the latest OS and security package/app on a PC, disconnect the router from the phone socket, power up the QNAP and install the OS and Apps, then get back online.
 
If you’ve got an old BT homehub with no granular firewall controls, I think you might be able to block outbound internet access using access rules - see http://bt.custhelp.com/app/answers/detail/a_id/11372/~/how-do-i-use-bt-access-controls?

What version of homehub are you running?
I think it's a home hub 3. I will try access rules. I'm in despair because after a day or so clear, the malware tool then reported more files yesterday. Am wondering about whether to do a factory reset.
 
I think it's a home hub 3. I will try access rules. I'm in despair because after a day or so clear, the malware tool then reported more files yesterday. Am wondering about whether to do a factory reset.

You don't have to do a factory reset, just reinstall the latest firmware and it overwrites without losing any data etc.

The guidance from QNAP is to unplug the device from the network until the vulnerability is patched, I'd follow this advice unless people have a UTM or application inspection firewall.
 
You don't have to do a factory reset, just reinstall the latest firmware and it overwrites without losing any data etc.

The guidance from QNAP is to unplug the device from the network until the vulnerability is patched, I'd follow this advice unless people have a UTM or application inspection firewall.
Thanks. I've blocked the NAS from the internet, reset the firmware, changed the password, run the malware remover several times and am now hoping I've cracked it.
If that doesn't work I will probably just pull the plug and rethink my network storage.
 
Why not consult the QNAP homepage for instructions? And being connected to the internet WITHOUT adequate protection, wow, that's clever.
 
And being connected to the internet WITHOUT adequate protection, wow, that's clever.
Not sure I'm following your point. Presumably you've identified the infection and reinfection vector which has so far eluded everyone on the QNAP forum and apparently QNAP itself? It seems only fair to share, rather than waiting for everyone else to catch up.
 
Taipei, Taiwan, November 7, 2019 - QNAP® Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, today issued a statement in response to a recent report and media coverage that the QSnatch malware is targeting QNAP NAS and attempting to obtain access. QNAP has updated its Malware Remover app for the QTS operating system on November 1 to detect and remove the malware from QNAP NAS. QNAP also released an updated security advisory on November 2 to address the issue. Users are urged to install the latest version of the Malware Remover app from QTS App Center or by manual downloading from the QNAP website. QNAP also recommends a series of actions for QNAP NAS security enhancements. They’re also detailed in the security advisory.

Furthermore, QNAP clarifies that it has never recommended a reinitialization to purge the malware from QNAP NAS. Users are advised to take actions listed in the security advisory or, alternatively, contact QNAP for technical assistance. Instructions for creating a support request can be found here.

QNAP would like to acknowledge NCSC-FI of Finland and CERT-Bund of Germany for their research and assistance during the investigation of the issue.
 

