How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Spaniard
Posts: 5
Joined: 26 Dec 2020, 00:28

Re: How to protect yourself against encryption-based ransomware?

Post by Spaniard » 30 Dec 2020, 05:04

joeh wrote:

> That is correct. I didn't see a way to disable the admin account either. My F2-422
> NAS is on firmware 4.2.07. The "Disable this user account" option is grayed
> out for the admin account. I am able to disable the guest account, which I did. All I
> did for the admin account is deny access to the folders I created.

As long as the root user and the admin share the same password and php-fpm is run by root, there's not too much to do against these kinds of exploits.

TMRoy, is there any way of disabling HTTP on the NAS and enforcing HTTPS connections?

StanHK
Posts: 28
Joined: 25 Jul 2020, 16:22

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by StanHK » 06 Jan 2021, 11:09

How to make your TNAS accessible from outside world via VPN only (note: need to have a firewall that supports VPN)

Here is some advice for those looking to improve their security (TM only said "happy new year" but no apologies for their clear negligence - no, I am not going to be nice to them as they messed up severely):

1. Get a firewalla (firewalla.com - this is made by a couple of guys that used to work at Cisco)
2. Set up VPN on the firewalla, which will allow you to tunnel into your home network
3. Set up port forwarding on your router for the firewalla VPN
4. Use the firewalla in advanced/DHCP mode (firewalla will assign internal IP addresses to your devices)
5. Fix the internal IP address for your TNAS in firewalla by reserving the assigned IP for TNAS (e.g. 172.1.1.2)
6. Take your TNAS offline by using the firewalla built-in disconnect from internet button
7. Whitelist your VPN subnet (advanced settings, network to see the subnet) and your local intranet subnet (e.g. 172.1.1.2/24) in the rules section for the TNAS device
8. If you use any remote/cloud backup, find the IP CIDR blocks and domain names and whitelist those for your TNAS device in the firewalla rules

*** now your TNAS should be only accessible from internal IP addresses and by VPN ***

9. Check if there are any port forwarding rules (except for your firewalla VPN) on your router, e.g. 8181, and remove those (be sure to keep your VPN port forwarding!!!)
10. Go to your network settings on your TNAS, and change the standard HTTP and HTTPS ports (e.g. 8181 --> 3131). Note, to connect to the TNAS web interface on example IP: 172.1.1.2:8181 you need to use the new port, e.g. 172.1.1.2:3131

havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions » 14 Jan 2021, 22:30

Hi, can you help clarify something?

How was this system exploited? I don't really understand, given the configuration I believe I have set up.

How was remote access gained? This device already sits behind my router and is not directly exposed to the internet.
Are there details of how to lock this down? I understand there was a vulnerability, but even still my device should not have been accessible outside of my local network?

Is there something here enabling traversing the NAT?

TMRyan
Customer Service
Posts: 119
Joined: 01 Dec 2020, 11:50

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by TMRyan » 15 Jan 2021, 10:03

@havesomequestions
There are three ways for you to remotely access your TNAS device:
1. TNAS.online permission: Go to “TOS” > “Remote Access” to enable the TNAS.online remote login, set a unique TNAS ID, and then enter the TNAS.online or TNAS ID in the address bar of your computer browser (e.g., TNAS.online/john) to enable remote access.
2. DDNS (Dynamic Domain Name Server): Please refer to the “TOS Help” page for how to set up DDNS and how to use it.
3. A dedicated IP and port number: Apply for a dedicated IP from the operator and then access TNAS by forwarding it through the router port.
To contact our tech team, please email to support(at)terra-master.com, remember to replace (at) with @

havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions » 15 Jan 2021, 12:57

Are any of those enabled by default? I didn't explicitly do any of those steps.

My security posture is to not have these things enabled, but I wasn't aware of these.

My question was not how to enable remote access, but rather how could this infection have occurred.

I started going through the process of changing the default ports and now the webui no longer loads for me.

havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions » 15 Jan 2021, 13:46

My main goal here is to understand how the bad actor got on to the system.

If I understand correctly there was an exploit; I've seen the Metasploit toolkit with the POC.
How can I trust this system?

I have noticed lately some attempts to log into my accounts, luckily they are all 2FA, from odd regions.

It feels like this system cannot be trusted with my data, was the data exfiltrated?

Not everything was encrypted, it seemed to only target some well known extensions. I have backups in triplicate and this happened to only corrupt one of those.

But how can I put this device back in service w/o understanding how the system was exploited? I am not finding these encrypted files on any other device on my network.

StanHK
Posts: 28
Joined: 25 Jul 2020, 16:22

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by StanHK » 16 Jan 2021, 10:22

havesomequestions wrote:
> My main goal here is to understand how the bad actor got on to the system.
>
> If I understand correctly there was an exploit; I've seen the Metasploit
> toolkit with the POC.
> How can I trust this system?
>
> I have noticed lately some attempts to log into my accounts, luckily they
> are all 2FA, from odd regions.
>
> It feels like this system cannot be trusted with my data, was the data
> exfiltrated?
>
> Not everything was encrypted, it seemed to only target some well known
> extensions. I have backups in triplicate and this happened to only corrupt
> one of those.
>
> But how can I put this device back in service w/o understanding how the
> system was exploited? I am not finding these encrypted files on any other
> device on my network.

I can confirm that:
1. I did not switch on TNAS.online
2. I did not use DDNS (Dynamic Domain Name Server)
3. I did not specifically have a dedicated IP (which isn't needed for a hacker, they just need to find an IP address where the device is running)

The port 8181 is the standard port used by TNAS for web access. So I guess they either got a list of IPs directly from this forum and tried all of them for open port 8181, or they just scanned large amounts of IPs for open port 8181.

My mistake: during setup I set port mapping of 8181 to the internal IP which I then forgot to switch off.
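StanHK's first post (whitelist only the LAN and VPN subnets for the TNAS) and this one (port 8181 forwarded to the NAS and reachable by anyone scanning for it) describe the same condition from two sides: the web UI should only ever be reached from a known set of client ranges. The script below is an added example, not code from the thread or from TerraMaster. It assumes the NAS web interface writes an access log in common log format (the sample lines are constructed), uses the thread's example LAN 172.1.1.0/24, and assumes a VPN client subnet of 10.8.0.0/24; any request from an address outside those ranges is evidence that the port is exposed and that a router port-forwarding or port-triggering rule needs to be found and removed.

```python
"""
Flag NAS web-UI requests that did not come from an allowed subnet.

Added example, not code from the forum thread or from TerraMaster. It assumes
the NAS web interface writes an access log in common log format (see the
constructed SAMPLE_LOG) and that the only legitimate clients are the local
LAN and the VPN client subnet.
"""
import ipaddress
import re
from collections import Counter

# Allowed client ranges. 172.1.1.0/24 is the example LAN used in the thread;
# 10.8.0.0/24 is an assumed VPN client subnet (replace with your own).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("172.1.1.0/24"),
    ipaddress.ip_network("10.8.0.0/24"),
]

# Constructed sample lines (common log format): client IP, timestamp, request, status, size.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet clients.
SAMPLE_LOG = """\
172.1.1.50 - - [12/Jan/2021:20:01:13 +0000] "GET /login HTTP/1.1" 200 512
10.8.0.3 - - [12/Jan/2021:20:02:40 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.17 - - [12/Jan/2021:20:05:01 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.17 - - [12/Jan/2021:20:05:02 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.9 - - [12/Jan/2021:21:11:55 +0000] "GET /module/api.php HTTP/1.1" 404 0
this line does not parse and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return ip, m.group("ts"), m.group("req"), int(m.group("status"))


def is_allowed(ip, allowed=ALLOWED_NETWORKS):
    """True if the client address falls inside one of the allowed subnets."""
    return any(ip in net for net in allowed)


def find_external_clients(log_text, allowed=ALLOWED_NETWORKS):
    """Map each client IP outside the allowed ranges to its request count.
    A non-empty result means the web port is reachable from where it should not be."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip = parsed[0]
        if not is_allowed(ip, allowed):
            counts[str(ip)] += 1
    return dict(counts)


def main():
    external = find_external_clients(SAMPLE_LOG)
    if not external:
        print("no requests from outside the allowed subnets")
        return
    print("web UI reached from outside the allowed subnets; "
          "check the router for port forwarding / port triggering rules:")
    for ip, n in sorted(external.items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} request(s)")


if __name__ == "__main__":
    main()
```

To use it against a real device, replace SAMPLE_LOG with the contents of the NAS web server's access log and set ALLOWED_NETWORKS to your own LAN and VPN ranges; a single hit from a public address is enough to confirm the exposure StanHK describes, regardless of whether the request succeeded.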

havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions » 17 Jan 2021, 02:42

Thank you for this. I believe I found I had port triggering enabled on my router and found a record of port 8181 being accessible externally.

This closes that loop for me.

StanHK wrote:
> havesomequestions wrote:
> > My main goal here is to understand how the bad actor got on to the system.
> >
> > If I understand correctly there was an exploit; I've seen the Metasploit
> > toolkit with the POC.
> > How can I trust this system?
> >
> > I have noticed lately some attempts to log into my accounts, luckily they
> > are all 2FA, from odd regions.
> >
> > It feels like this system cannot be trusted with my data, was the data
> > exfiltrated?
> >
> > Not everything was encrypted, it seemed to only target some well known
> > extensions. I have backups in triplicate and this happened to only corrupt
> > one of those.
> >
> > But how can I put this device back in service w/o understanding how the
> > system was exploited? I am not finding these encrypted files on any other
> > device on my network.
>
> I can confirm that:
> 1. I did not switch on TNAS.online
> 2. I did not use DDNS (Dynamic Domain Name Server)
> 3. I did not specifically have a dedicated IP (which isn't needed for a hacker, they
> just need to find an IP address where the device is running)
>
> The port 8181 is the standard port used by TNAS for web access. So I guess they
> either got a list of IPs directly from this forum and tried all of them for open port
> 8181, or they just scanned large amounts of IPs for open port 8181.
>
> My mistake: during setup I set port mapping of 8181 to the internal IP which I then
> forgot to switch off.

havesomequestions
Posts: 0
Joined: 14 Jan 2021, 22:26

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by havesomequestions » 17 Jan 2021, 02:53

For anyone else, beta.shodan.io is how I found my open ports.

You can look up your external IP for free and even quickly attempt a connection.

sianderson
Posts: 145
Joined: 02 Aug 2020, 03:42

Re: How to protect yourself against encryption-based ransomware Ech0raix (QNAPCrypt)?

Post by sianderson » 17 Jan 2021, 23:24

I use GRC.com; I don't know how that compares to the test you run. It's an old one, but I guess it's all still valid.