Get in Touch
QNAP and Synology NAS devices targeted by ransomware gang
Overview
A new strain of eCh0raix ransomware has been discovered targeting QNAP and Synology Network Attached Storage (NAS) devices. This is not the first time that either vendor has been the target of ransomware, however it appears to be the first time that the same ransomware group has been identified as being the source.
Impact
Access to and encryption of all data on the device as well as the potential to use the device as a mechanism to pivot the attack to target other devices.
Affected Products
QNAP NAS running HBS 3 (QNAP NAS devices running HBS 2 and HBS 1.3 are not affected.)
There is no clear version of Synology NAS devices that are affected as attacks against this type of device appear to be brute force password attacks.
Vulnerability Detection
The attempted use of hard-coded and credentials in QNAP devices and the brute forcing of administrative credentials for either vendor’s device are key indicators of an attack against the devices.
Containment, Mitigations & Remediations
Palo Alto Networks’ Unit 42 security researchers are advising affected NAS owners to follow best practices to block ransomware attacks targeting their data:
- Update device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against CVE-2021-28799 can be found on the QNAP website.
- Create complex login passwords to make brute-forcing more difficult for attackers.
- Limit connections to SOHO-connected devices from only a hard-coded list of recognized IPs to prevent network attacks used to deliver ransomware to devices.
Separately, Synology provided advice more specific to their devices, but still in-line with security best practices:
- Use a complex and strong password and apply password strength rules to all users.
- Create a new account in the administrator group and disable the system default “admin” account.
- Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
- Run Security Advisor to make sure there is no weak password in the system.
Indicators of Compromise
Regular changes to files, resulting in different hashes, have been seen to occur on a regular basis and so the below should not just be considered in isolation.
The below IoC’s are curtesy of the Palo Alto Network’s Unit 42 Research division:
| File Hashes |
|---|
| cc112184b17d65229ce20487d98a3751dceb3efbee7bf70929a35b66416ae248 |
| 670250a169ba548c07a5066a70087e83bbc7fd468ef46199d76f97f9e7f72f36 |
| 039a997681655004aed1cc4c6ee24bf112d79e4f3b823ccae96b4a32c5ed1b4c |
| 551e03e17d1df9bd5b712bec7763578c01e7bffe9b93db246e36ec0a174f7467 |
| 36cfb1a7c971041c9483e4f4e092372c9c1ab792cd9de7b821718ccd0dbb09c1 |
| bb3b0e981e52a8250abcdf320bf7e5398d7bebf015643f8469f63d943b42f284 |
| 2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce |
| fedcce505a5e307c1d116d52b3122f6484b3d25fb3c4d666fe7af087cfe85349 |
| 6df0897d4eb0826c47850968708143ecb9b58a0f3453caa615c0f62396ef816b |
| 9f9bbbc80a2035df99abd60dc26e9b068b63e5fcc498e700b8cc6640ca39261b |
| 0b851832f9383df7739cd28ccdfd59925e9af7203b035711a7d96bba34a9eb04 |
| 19448f9aa1fe6c07d52abc59d1657a7381cfdb4a4fa541279097cc9e9412964b |
| 7fa8ebcccde118986c4fd4a0f61ca7e513d1c2e28a6efdf183c10204550d87ce |
| 4691946e508348f458da1b1a7617d55d3fa4dc9679fff39993853e018fc28f8e |
| 230d4522c2ffe31d6facd9eae829d486dfc5b4f55b2814e28471c6d0e7c9bf49 |
| 21d5021d00e95dba6e23cee3e83b126b068ad936128894a1750bbcd4f1eb9391 |
| 283b2fa0fcddff18278d924c89c68bbcd980728761bd26c5dea4ec4de69b841e |
| d2ebe2a961d07501f0614b3ba511cf44cb0be2e8e342e464a20633ed7f1fc884 |
| 74169aebae6412e5408904d8f6a2eb977113b3ac355c53dfd366e2903b428c62 |
| 2e3a6bd6d2e03c347d8c717465fec6347037b7f25adae49e9e089bc744706545 |
| 3c533054390bc2d04ba96089302170a806c5cdb624536037a38c9ecb5aeea75d |
| a8accaab01a8ad16029ea0e8035a79083140026e33f8580aae217b1ef216febc |
| 9d4bc803c256bd340664ce08c2bf68249f33419d7decd866f3ade78626c95422 |
| 0e4534d015c4e6691ff3920b19c93d63c61a0f36497cb0861a149999b61b98e1 |
| fe4efccf56f989bf1b326dd9890681d21c97309fee61fdac8eb2081398e4d2b1 |
| f6f6e34e93c4ec191807819bd0a3e18fe91bd390ec6c67fadc970d01c25f517b |
| 3b93b18ae4f3aad450897e7d02346b843e38358a0c51b834d1971824c0a30b97 |
| 88a73f1c1e5a7c921f61638d06f3fed7389e1b163da7a1cc62a666d0a88baf47 |
Payload URLs
183[.]76.46.30/1/crp_linux_arm
183[.]76.46.30/1/crp_linux_386
98[.]144.56.47/1/crp_linux_arm
98[.]144.56.47/1/crp_linux_386
64[.]42.152.46/h/crp_linux_386
64[.]42.152.46/h/crp_linux_arm
2[.]37.149.230/1/crp_linux_386
2[.]37.149.230/1/crp_linux_arm
C2 Request
hxxps://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion/api/GetAvailKeysByApiKey/chuADfBHD8hpgVs7wH8eS3S0Vv-rusj6
hxxps://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion/api/GetAvailKeysByApiKey/41xvlF4tQ1b3iXd5okwCNhcj7fh9gMB2
hxxps://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion/api/GetAvailKeysByApiKey/hv3PWxhLkfOuNjE9u3eOGogbGSH2bGT0
hxxps://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id[.]onion/api/GetAvailKeysByApiKey/-xS-0UcHPaAJgaQCkyE29icDiJeAakj7
Socks5 Proxies used
161[.]35.151.35:9100
185[.]10.68.89:9100
185[.]181.229.175:9100
176[.]122.23.54:9100
Threat Landscape
“Small Office/Home Office (SOHO) users are attractive to ransomware operators looking to attack bigger targets because attackers can potentially use SOHO NAS devices as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms”
SOHO users are also more likely to pay the smaller ransom sums demanded. In mid-April a ransomware campaign against QNAP devices netted the attackers $260,000 in just 5 days. In this instance the attackers used the 7Zip utility to encrypt the data.
According to data from the Cortex Xpanse platform, some 243,500 QNAP and Synology NAS devices are currently exposed to the public internet.
Further Information
Bleeping Computer – eCh0raix ransomware now targets both QNAP and Synology NAS devices
Bleeping Computer – Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices
Bleeping Computer – 159 A ransomware gang made $260,000 in 5 days using the 7zip utility
Synology ® Investigates Ongoing Brute-Force Attacks From Botnet
Unit 42 Palo Alto – New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices
QNAP