QNAP 4.4.1.1216, - hacked? Seeking opinions.

[tigo13]

Hi,

I noticed something bizarre late yesterday when I logged onto my TVS NAS, that has me confused. Perhaps, someone can give an opinion on this. Please excuse the long narrative.

- I logged on via the web-browser, and was prompted with a message asking me to agree on Data-Privacy for Qnap, - I agreed, and then I was bombarded with messages telling me that Volumes had been formatted and the machine is ready. The webpage for the NAS looked different as all the application shortcuts on the desktop were gone.

- I shutdown the machine. Breathed some sanity into my head. It would have been impossible for the drives to have been formatted, when I had been transferring files on / off an hour earlier. I started it up, and logged on, - looked at the logs, and nothing suspicious stood out - aside from some error messages about the Network Switch ports - being disconnected and reconnected. (confused me as the cables to the router had been connected with the router being always on).

- I started up the machine again. Mounted the drives, and checked the drives manually. All the data was there. Nothing had been formatted. So then, WTF were those messages on data privacy - and volumes being formatted and ready?

- Shortcuts were deleted from the NAS desktop, but all the applications were still there, so, I reloaded the shortcuts and didn't think anything further. (I checked the router - firewall - to the internet - all had appeared normal).

- Then, today I was able to review the data-traffic consumption on the internet link, and, apparently I had transferred 25GB to the internet abyss yesterday.

- I suspect that I was hacked. But I don't understand how. As, I have a firewall with all incoming connections blocked aside from myqnap cloud service that has 2FA running. I don't have port forwarding or any allowed-incoming connections. I have a upnp service for outgoing crap, but that's it. nothing incoming.

- Stupidly, I hadn't enabled full-logs on the QNAP system. Or if there are logs aside from those captured in the settings window - then I don't know about.

- I browsed around the settings on QNAP, and I couldn't see anything suspicious, until I attempted to ssh into the system, and I could. HUH. I don't recall enabling the service. Is it possible for someone from outside the network to hack through - accessing the system via SSH. If so, and they had done some shirt, - how can i find out what happened to the system?

- Lastly, any recommendations on what to do next? to avoid such future recurrence? - I changed the password to the qnap box, and added 2FA authentication to it's web-browser access, and disabled SSH.

I am currently lying to myself that qnap may have sent something stupid via the qnapcloud that deleted the shortcuts and pushed a privacy message - along with scare the crap out of you formatted drives are ready.

[at present, I've shutdown the NAS box until I can think of some answers and an approach.]

Appreciate anyones' thoughts on this.
thanks

 

[L&LD]

If your NAS was secure prior to this, what about your router?

What options did/do you have enabled on your router or possibly IoT devices that would allow a hacker in, in the first place?

What router, what firmware and what access to and from your network have you enabled?

Are you running any company devices inside your network (if wired or wireless from the main WiFi SSIDs)?

What else may have changed in the last few days?

Can you verify that that 25GB upload from your ISP too? (It could be just bogus stats).

 

[tigo13]

Router ought to be secure. Running Merlin's 384.15 - with skynet installed - with custom and large ip-filters - and with diversion and dnsproxy. I don't have any IoT devices. All remote access & management into the network is disabled (no vpn or anything allowed inwards). The only service accessible from the internet is myqnap cloud service and I have 2FA on that. Enabled on the router is upnp & secure upnp for outgoing services.

Nothing had changed in the days prior to the surge in traffic. The ISP doesn't offer any data-counters - or insight into traffic. On the day of the incident, I was setting up a computer with Steam - for some gaming, but I don't have any streams enabled from it, and I didn't get a chance to play. Downloaded heaps of data though - about 50GB

Q: Is it possible for someone to have attacked the QNAP system - network switch configuration - to then enable SSH and remote into it?
Q: Could it have been possible to reset some settings in the QNAP system to show a message asking for a confirmation on data privacy; and then show messages that the hard-drives had been formatted and ready to use? If this is possible, any ideas what to look for on the machine. I am comfortable with SSH to dig around as opposed to using the GUI.

thanks,

 

[L&LD]

I would probably disable the MyQNAP cloud service. Much more secure ways to access your data with an RMerlin powered router.

And since you just set up 2FA on it after the attack, that is probably how someone got in (if they did at all).

 

[tigo13]

Hmmm, I'm going to be hopeful and run with perhaps no-one had gotten in - i just don't know. Perhaps, some fault or so in the QNAP OS that produced those messages of drives formatted and privacy.

The QNAP mycloud service had always 2FA enabled since I signed up to it, and I've disabled it now. After the incident, I added a 2FA to just login to the NAS box from the home-network web portal - on the private address.

I'm going to keep the box turned off, until I can add better traffic monitoring on the merlin router.

thanks L&LD

 

[ColinTaylor]

Is it possible that it's simply the side effect of the NAS updating it's firmware and some settings having to be reinitialised?

 

[dosborne]

If I recall, I had similar message (drives formatted and ready etc) after the last update. Same goes for the app shortcuts that were removed. There may be some driver or other update that affected the storage systems and uses a generic notification. I haven't installed 1216 on my main NAS yet for a number of reasons, but I am confident your situation isn't worth panicking over.

I would however ensure you really need upnp, and disable it if you have a manual workaround.

Similarly, personally, I couldn't find a real need for the myqnap cloud service so never bothered as I figured this was just a potential entry point for hackers.

"aside from some error messages about the Network Switch ports " I get this everytime the router reboots. In my case, once a day as I reboot the router on a schedule. I wish there was a simple way to ignore, or not report at all, some of these things.

 

[L&LD]

@tigo13 I'll be hopeful along with you.

After reading the responses above after yours, it seems like this isn't an issue to worry about too much over.

 

[tigo13]

@ColinTaylor , - perhaps - although I doubt - as I usually receive a push notification that a firmeware update is available - ready for installation; but that wasn't the case then. May be it was something carried over from the last update.
@dosborne - that's comforting to know.
@L&LD - thanks mate.

I won't worry more about it. I'll muck about with the system and get it going over the weekend. It's a nice box that i'm happy with.

many thanks all

 

[dosborne]

I haven't installed 1216 on my main NAS yet

Correction: I actually had installed it. That must therefore have been when I saw similar "symptoms" as you had. So I would say definitely nothing to worry about

 

[tigo13]

@dosborne - many thanks. I thought more about what you'd said, and I think that you're right. After installing the most recent update, I hadn't logged into the system till the incident.

In the messages that I was prompted - one had to do with data - privacy, and I recall agreeing to it. (i was in a hurry, and didn't read much, - just clicked away).

Anyhow, later that evening, - as the NAS box was constantly buzzing, - I logged on to find the Qsirch 4.3.2.1 running - indexing the drives, and it relied on Qfiling. I disabled both; and recall reading that Qsirch - was sending some of my data for analysis to Qnap (guess thats why I was prompted with the data-privacy message), - another reason why such stuff need to be disabled by default, and only upon interest by the user to read about and enable if they wish to.

The 25GB was my data being sent out to the web; but it wasn't a hacker - it was Qnap collecting data for analysis. My router displays usage the following day, so that's when I learned what had happened the day before.

I'm not worried anymore - it wasn't a malice thing - it was a commercial thing. In future, i'll pay better attention to firmware updates - and prompts.

 

[sfx2000]

I've been rolling thru updates up to current on QNAP - I've never seen screens like this

Main thing is I don't expose the QNAP to the internet...

So going back to OP - even 25GB outbound for analysis for QNAP support is silly...

Hope you have a backup of the data on the NAS.

sfx

 

[tigo13]

The issue was not a hack. It was the Qsirch and another utility by Qnap. As Qnap upgraded the OS, it introduced "better" search functionality, with AI - so that you can find what you're looking for faster with better results, - images and documents. So, when those services are enabled (cunningly by default), - you're prompted with an updated privacy document, that if you agree to, - the software will automatically upload your data to Qnap servers for analysis. After I disabled those services, I did not have any further uploads from the QNAP box to the internet.

In future, I ought to RTFM and those prompts before clicking 'i agree', on their "new and better" services.

* Here's some info on Qsirch, https://www.qnap.com/solution/qsirch-4-0/en/