If you are not interested in tech in general and in NAS manufacturers in particular you may have missed the latest news on the shiny new exploit affecting QNAP NAS systems: the Qlocker. Basically, the attackers gained access to QNAP systems and used 7-zip to move the user’s files to password-protected archives. Then, they started a massive ransomware campaign asking for 0.01 BTC (around 500 USD) for the password to unlock the files.
Well, it turns out there’s a hardcoded password in one of QNAP’s shitty apps for QTS (their operating system), called HBS 3 Hybrid Backup Sync. According to this thread, an engineer called Walter Shao, who is the Technical Manager of QNAP since 2013, added a backdoor using the admin password “walter”. Very nice. This story talks to us about the non-existing standards followed at QNAP when it comes to software auditing and review.
It’s a good thing that I decided to strip my NAS of all this rubbish software a while ago, but the device itself will remain switched off as a precautionary measure until this matter is cleared up. This just adds a cherry on top of my already sizable distrust for that company.
For a little bit of comic relief look at this reddit thread discussing the issue. Some comments are real funny.