New QNAP NAS flaws exploited in recent Qlocker ransomware attacks

When we were preparing this Security Center issue, none of us thought that the new campaign targeting QNAP NAS devices would escalate in such a way. In just five days, attackers using only the 7zip archive program remotely encrypted QNAP NAS devices – with Qlocker ransomware – all over the world. How was it possible? Threat actors scanned for devices connected to the Internet and exploited them using the recently disclosed vulnerabilities. More information about these security bugs can be found below.

Keep in mind that the Qlocker ransomware campaign is still ongoing. Therefore, all QNAP users must update to the latest versions of the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps to fix the vulnerabilities.

The grand scale Qlocker ransomware attack: a backdoor account in QNAP NAS HBS app

QNAP has addressed a critical vulnerability allowing attackers to log into QNAP NAS devices using hardcoded credentials. The vulnerability, tracked as CVE-2021-28799, was found in HBS 3 Hybrid Backup Sync, the company’s disaster recovery and data backup solution.

How to avoid a potential attack? QNAP advises its customers to update the software to the latest released version:

QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later

All you need to do is log into QTS or QuTS hero as administrator. Open the App Center, search for “HBS 3 Hybrid Backup Sync”, and then click ‘Update’ to update the application.

QNAP also fixed two other HBS command injection vulnerabilities, as well as two more critical vulnerabilities: a command injection bug in QTS and QuTS hero (CVE-2020-2509) and an SQL injection vulnerability in Multimedia Console and the Media Streaming Add-On (CVE-2020-36195).

Fix the security issues now

Critical bugs such as these allow attackers to take over NAS devices and, in some cases, deploy ransomware to encrypt the users’ files and ask hefty ransoms for a decryptor. Right now, Qlocker and eCh0raix are said to be tearing through vulnerable QNAP storage equipment, encrypting data and demanding ransoms to restore the information. Threat actors usually hide their malicious activity within regular remote work traffic, so it’s much harder to discover.

Figure: Qlocker ransomware submissions during the ongoing QNAP attack. Data: Bleeping Computer

Any advice?

Customers are advised to go through the following procedure to secure their NAS devices and check for malware:

Change all passwords for all accounts on the device
Remove unknown user accounts from the device
Make sure the device firmware is up-to-date, and all of the applications are also updated
Remove unknown or unused applications from the device
Install QNAP MalwareRemover application via the App Center functionality
Set an access control list for the device (Control panel -> Security -> Security level)


Hundreds of networks hacked in Codecov supply-chain attack. Among the customers are IBM, Atlassian, P&G, and 29K more…

SolarWinds hack takes its toll… like the recent Codecov supply-chain attack that went undetected for over 2 months. Investigators have stated that hundreds of customer networks have been breached in the incident, expanding the scope of this system breach beyond just Codecov’s systems.

Codecov is an online software testing platform that can be integrated with GitHub projects to generate code coverage reports and statistics. It is used by over 29K customers, including prominent names like GoDaddy, Atlassian, IBM, The Washington Post, Procter & Gamble (P&G), and Hewlett Packard Enterprise (HPE), making this a noteworthy supply-chain incident.

In this attack, threat actors obtained Codecov’s credentials from its flawed Docker image and then used them to alter Codecov’s Bash Uploader script, which is used by the company’s clients.

By replacing Codecov’s IP address with their own in the Bash Uploader script, the attackers paved a way to silently collect Codecov customers’ credentials: API keys, tokens, and anything stored as environment variables in the customers’ continuous integration (CI) environments.

The incident got the attention of U.S. federal investigators. According to them, Codecov attackers deployed automation to use the collected customer credentials to tap into hundreds of client networks, thereby expanding the scope of this system breach beyond just Codecov’s systems.

The company became aware of this malicious activity after a customer noticed a discrepancy between the hash (shasum) of the Bash Uploader script hosted on Codecov’s domain and the (correct) hash listed on the company’s GitHub.
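The check that exposed the tampering can be made a standing gate in a CI job. The following is an added example, not Codecov's own code: it refuses to run a downloaded script unless its SHA-256 matches a value pinned from a separate source (for instance, the hash published in the vendor's repository). The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded uploader script against a pinned SHA-256
# before executing it. Function names are hypothetical, not from any vendor.

# sha256_of FILE: print the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on bad input. Fails closed.
verify_script() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # The pinned value must be a full 64-character hex digest; a truncated
    # or empty pin must never be treated as "nothing to check".
    case "$expected" in
        ""|*[!0-9a-fA-F]*) echo "bad pinned hash" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad pinned hash" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hash mismatch for $file: got $actual" >&2
    return 1
}

# run_if_verified FILE EXPECTED_HEX
# Executes the script only after the digest check succeeds.
run_if_verified() {
    verify_script "$1" "$2" || return $?
    bash "$1"
}
```

The pinned hash is only useful if it is stored outside the channel that serves the script; a hash fetched from the same host at run time would change along with a tampered file.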

By abusing the customer credentials collected via the Bash Uploader script, hackers could potentially gain credentials for thousands of other restricted systems, according to the investigator.  

Codecov customers who at any point used Codecov’s uploaders (the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, or the Codecov Bitrise Step) are advised to reset credentials and keys that may have been exposed as a result of this attack and to audit their systems for any signs of malicious activity.


Prometei botnet is also exploiting Microsoft Exchange Server flaws

These same deadly bugs can be used for very different purposes. For example, operators of the Prometei botnet are now using Microsoft Exchange Server vulnerabilities (CVE-2021-27065 and CVE-2021-26858) to penetrate the network and install malware.

Prometei botnet, first discovered in July 2020, has previously targeted the financial, manufacturing, and travel sectors. Its operators appeared to be solely interested in making money – as opposed to conducting DDoS attacks or deploying ransomware. This time is no different. Attacks are not highly targeted, which makes them even more dangerous and widespread. Cybercriminals hit organizations with a multi-stage attack that aims to steal processing power to mine bitcoin. They can also exfiltrate sensitive information, but it’s not the primary choice.

The main objective of Prometei is to install the Monero miner component on as many endpoints as it can. To do so, Prometei needs to spread across the network, and for that it uses many techniques, such as the known exploits EternalBlue and BlueKeep, credential harvesting, SMB and RDP exploits, and other components such as an SSH client and an SQL spreader. Attackers exploited the recently discovered vulnerabilities in Microsoft Exchange Server as well, which allowed them to perform remote code execution.

A detailed report about the ongoing attack can be found on Cybereason.


Hackers Exploit VPN to Deploy SUPERNOVA malware

Members of an advanced persistent threat (APT) group, masquerading as teleworking employees with legitimate credentials, accessed a US organization’s network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft.

The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said Thursday in a report summarizing the findings of its investigation into the incident.

So far, the Supernova attack hasn’t been attributed to any specific group or country.

In the report, CISA describes the incident as likely beginning last March when the attackers connected to the unnamed US entity’s network via a Pulse Secure virtual private network (VPN) appliance. CISA’s investigation showed the attackers used three residential IP addresses to access the VPN appliance. They authenticated to it using valid user accounts, none of which were protected by multifactor authentication. CISA said it has not been able to determine how the attackers obtained the credentials. The VPN access allowed the attackers to masquerade as legitimate remote employees of the organization.

Once the attackers gained initial access to the victim network, they moved laterally to the SolarWinds Orion server and installed Supernova, a .NET web shell, on it.

The Supernova campaign was highly targeted and appears to have impacted only a very small number of organizations. However, it does serve as an example of how adversaries are constantly looking for vulnerabilities they can exploit for initial access. Once established on a network, such threats can be hard to eliminate.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Internal Facebook email reveals intent to frame data scraping as ‘normalized, broad industry issue’ (ZDNet)
2. Fake Microsoft Store, Spotify sites spread info-stealing malware (Bleeping Computer)
3. Critical update: Facebook Messenger users hit by scammers in over 80 states (Security Affairs)
4. REvil gang tries to extort Apple, threatens to sell stolen blueprints (Bleeping Computer)
5. Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise (FireEye)
6. QR Codes Offer Easy Cyberattack Avenues as Usage Spikes (ThreatPost)
7. Play Store apps plagued with malware have 700,000 downloads (HackRead)
8. Attackers can hide ‘external sender’ email warnings with HTML and CSS (Bleeping Computer)
9. Massive Android Botnet Hits Smart TV Ad Ecosystem (Security Week)
10. A ransomware gang made $260,000 in 5 days using the 7zip utility (Bleeping Computer)