back to article Cover your NASes: QNAP acknowledges mystery malware but there's no patch yet

Taiwanese NAS maker QNAP has admitted its devices are affected by mysterious malware that alters hosts files on infected boxen following The Register's report. In a security advisory published yesterday, QNAP told its customers: "A recently reported malware is known to affect QNAP NAS devices. We are currently analyzing the …

  1. Captain Scarlet Silver badge
    Coffee/keyboard

    hmm

    I do wonder if its related to outdated firmware or apps, it would be nice to implement an auto update of firmware like you can with the store apps (Not enabled by default!). Also "Network Access Protection" I feel should also be on by default.

    QNap have been pushing out more security related apps, such as Security Counciler (Although I found it would not run on a schedule), although as mentioned some defaults services are really not required. Would also be nice for more than McAfee to be available from their store.

  2. Korev Silver badge
    FAIL

    New year?

    QNAP did apologise for not responding when we asked them for comment about the malware last week, reasonably pointing out that they were on holiday for Chinese New Year. ®

    WTF? The have millions of customers with compromised NASes and they can't seem to be able to be able to issue and advisory or even communicate with the media. If I was a QNAP customer I wouldn't regard that as "reasonable".

    1. Captain Scarlet Silver badge
      Stop

      Re: New year?

      Millions, where is this from.

      The last time I check about 30 users on QNAP's forum had posted in a poll that they had the issue and another where 50 or so in another thread. Where is the other 900 odd thousand?

      1. Wellyboot Silver badge

        Re: New year?

        Most of the other 900k are blissfully ignorant of the unfolding fubar as they don't read the Reg. and only go near QNAP admin once in a blue moon.

        1. Headley_Grange Silver badge

          Re: New year?

          "and only go near QNAP admin once in a blue moon." - and when they do they remember that the reason they keep away from it is that it's a lumbering mess.

        2. Captain Scarlet Silver badge
          Coat

          Re: New year?

          hmm actually a very good point, although as far as I am aware very few people actually know what a NAS device is let alone have access to one. I can see a million NAS devices from all makes being out there, but not from one particular make.

        3. phuzz Silver badge

          Re: New year?

          I checked ours as soon as I read the article. It's not affected. Accordingly I didn't bother to post anything, and I'd guess neither did most people in the same position.

          If you see ten people on a forum complaining about a problem, all it means is that those people have the problem, not that everyone does.

      2. Anonymous Coward
        Anonymous Coward

        Re: New year?

        Hypothetically, if (and I have strong suspicions that this is the case based on what has to be fixed) the compromised QNAP devices are being compromised by a remote attacker and the issue doesn't exist in all firmware releases, the "millions of QNAP users" becomes thousands of QNAP users running firmware releses X.XX.XX to Y.YY.YY with service ZZZ exposed to the Internet". Service ZZZ is likely to be inbound HTTP/HTTPS from any Internet address.

        If you restrict access from the Internet to your QNAP, you are likely to be OK.

        This doesn't excuse QNAP's current response that seems a little inadequate, but then again, this isn't their typical support request so it may take a while for them to realise these aren't one off events caused by people installing fake updates (still possible) or users making devices accessible from the internet with default or weak admin credentials (also possible but based on some of the affected users in forums, they seem pretty technically aware).

        1. irksum
          Alert

          Re: New year?

          "If you restrict access from the Internet to your QNAP, you are likely to be OK"

          Do either of the follow qualify as restricting access?

          If you use QNAPCloud to access your QNAP NAS remotely then you'll either have enabled uPnP on your router or have (as I have) opened port 443 and directed it to your QNAP.

          1. Baldrickk Silver badge

            Re: New year?

            That sounds more like providing access...

          2. BlartVersenwaldIII
            Pirate

            Re: New year?

            I was wondering if anyone knew of the attack vector; I didn't see any mention of it in any of these pages nor (most worryingly) QNAPs advisory.

            I'd be willing to bet money on this being due to an exploit in a net-facing service that UPnP helpfully allowed through.

            Disclaimer: I've not used a QNAP at home for 6yrs or so (went back to building my own) but the seeming idea of automatically trying to punch holes in the firewall to allow external access was one that struck me as stupid; not long afterwards, a bunch of synology systems were exploited by a bug in apache that resulted in lots of systems being remotely pwned; including that of my mate - on closer inspection, apache was configured to run as root (!) which reinforced my decision to stick to BYO+tinfoil hat in the future. Hopefully they've improved matters since but IME security is frequently way down on the agenda.

    2. david 12 Bronze badge

      Re: New year?

      OK, let me rephrase that for you: "We didn't see your email request because Taiwan was shut down at the time."

  3. DontFeedTheTrolls
    Happy

    I've had a Qnap NAS for ~8 years now, it's been reliable and the firmware was being updated regularly until relatively recently. I suspect there are many thousands of users out there in a similar situation probably with even older hardware.

    I wonder if Qnap will be nice and will release an updated firmware for the older devices (if that's the required fix) or if they'll take the Apple route of "yeah, we're not going to fix the older versions you'll need to buy a new device if you want the fix"

    Go on Qnap, be nice

    1. Captain Scarlet Silver badge

      It'll be the buy a new one, check their EOL page with your model number and it should tell you if its still supported

      https://www.qnap.com/en/product/eol.php

    2. Anonymous Coward
      Anonymous Coward

      FreeNAS upgrade

      If Qnap does decide you're unsupported, maybe upgrade to one of these?

      https://www.ixsystems.com/freenas-mini/

      1. Anonymous Coward
        Anonymous Coward

        Re: FreeNAS upgrade

        You must work for the company as no one in their right mind would recommend these!

        There are many other options including used Supermicro systems that can be had for under $800 with 36 bays off EBAY. that support 12 TB drives (I bet when I get my 16 TB drives they work in this unit as well). Firmware updates for Intel Management Engine and for Spectre, etc.

        Besides - they have VERY poor ratings on Amazon for noise and heat......

        1. Anonymous Coward
          Anonymous Coward

          Re: FreeNAS upgrade

          > You must work for the company as no one in their right mind would recommend these!

          What the.... ?

          FreeNAS is very highly rated, including by reviewers here on TheRegister.

          If you don't like that particular form factor, then sure... but for a home/Qnap user, it seems appropriate as it's not something they have to build themselves.

      2. Down not across Silver badge

        Re: FreeNAS upgrade

        I prefer HP Microserver with nas4free myself. Or if 4 bays is not enough, then eBay is full with quite decent second hand systems with more bays.

    3. Headley_Grange Silver badge

      Older Devices

      My TS410 is about 8 years old and they are still pushing updates even though it dropped off the supported devices list a couple of years ago.

      I just checked the hosts file and it looks OK, but I'm one of those scaredy cats that won't open it up to the outside world - mainly because I don't think I know what I'm doing.

      1. NateGee

        Re: Older Devices

        I've just checked the hosts file on my TS451 and it's clean as a whistle. Like Headley, I don't open mine up to external access at all. If I need to access something on it when I'm not at home then I'll just VPN in and get the file that way.

    4. Mark 65 Silver badge

      Don't hold your breath. If it's 8 years old it's likely off the support list so you're on your own. QNAP don't care. I'd advise installing Debian on it with openmediavault and webmin. It'll be rock solid and patched.

  4. RobinCM

    Multiple problems?

    As the person who's forum post is quoted in this latest Reg article, I think I might be suffering from a different, possibly older problem.

    Several of the obfuscated .sh files I found were dated back in August. When the NAS was available on the internet. It stopped being directly visible around October, instead only allowing access via myqnapcloud.

    Another interesting thing is that I wasnt running the latest firmware, but I'm pretty sure I would have checked it over the last few months via the admin web console. Along with this, the auto update check told me there was no new firmware available, when actually there was. I manually downloaded and updated the firmware the other day. Didn't fix the "wrong architecture" errors though.

    Somebody from qnap support has apparently "delete[d] malware in the NAS QTS system" so I'll see later tonight if it's any healthier.

    It is a few years old now but is apparently supported until some time in 2020. I just don't know if I trust it anymore. The whole point of having it was to get access to my stuff from anywhere with the minimum of hassle.

  5. Anonymous Coward
    Anonymous Coward

    Your NAS is still infected

    My NAS was/is also infected.

    Everything was up-to-date, only port 443 was open to the world, nothing else.

    Myqnapcloud and Cloudlink was enabled. (everything was always set to private) Most of the apps were disabled, but Music Station and Photo Station not. Passwords were long and secure.

    Malware Remover cleaned a lot of things, but did not clean everything.

    The derek_be_gone script does much more, but it does not clean everything.

    A lot of scripts must be still infected, I tried to clean things manually, but my crontab is always rewritten. My hosts file is clean, my uLinux.conf is clean, but the NAS is still infected.

    QNAP IS NOT ABLE TO SOLVE THIS PROBLEM!

    I submitted a Help Request, but they can not help.

    The bad news:

    If your NAS was infected, IT IS STILL INFECTED, but you probably don't know about it.

    99% of the people do not know, that their NAS is infected.

    This problem is huge, people just do not realise how big it is:

    - all your data has been stolen (probably)

    - all your passwords have been stolen (probably)

    - there must be a backdoor, your NAS is probably part of a botnet

    DO NOT BUY A QNAP NAS!

    Do not use your Qnap NAS as advertised.

    Do not open any ports to the internet.

    Do not use myqnapcloud and cloudlink.

    Do not use the multimedia functions.

    IT IS TIME TO PANIC!

    1. sitta_europea

      Re: Your NAS is still infected

      Quote: "IT IS TIME TO PANIC"

      No, it's time to find out what's going on. There must be lots of people reading who have the skills to do that. I do, but I'd charge fees. Others I'm sure will do it for the glory.

      FWIW I'd never use any product of this kind for valuable data, far too risky.

  6. Numen
    Alert

    Consume vs Enterprise

    From a client we work with:

    I checked with QNAP and our enterprise devices are running on a FreeBSD base vs the consumer Linux based devices. QNAP has said there are no currently known vulnerabilities for our enterprise SANs.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019