QNAP's recent situation was hard to believe. Having only just fixed a significant SQL injection vulnerability [0], they were hit by a spate of ransomware. It was originally announced to be this issue that people rushed out to patch [1].
It ultimately turned out to be a backdoor account [2]. Backdoors really upset me. Every reasonable "you can't blame people for mistakes" goes out the window when it's not a mistake.
Following the ransomware, they released an auto-installing malware remover: a Python script that detected one particular piece of code associated with this recent attacker. That malware remover was a Python script full of vulnerable exec calls introducing multiple new RCEs.
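The comment above describes a cleanup tool that itself became a remote code execution vector. The following is an added illustration of that failure pattern, not QNAP's code and not the actual remover script: a scanner that pastes a file name into a shell command string (the anti-pattern, returned as a string rather than executed so the defect stays visible) beside a form that never hands the name to a shell at all. The marker string, the sample tree and the hostile file name are all constructed for the example.

```python
import os
import shlex
import tempfile

# Constructed marker string: what the hypothetical remover searches for.
MALWARE_MARKER = b"EXAMPLE_MARKER_CONSTRUCTED"


def build_scan_command_unsafe(path):
    """Anti-pattern: the file name is pasted into a shell command line.
    Whoever controls file names on the box controls part of the command.
    Returned as a string, not executed, so the defect stays visible."""
    return "grep -l {} {}".format(MALWARE_MARKER.decode(), path)


def name_is_shell_safe(path):
    """Defensive check: if shlex.quote has to wrap the name, a raw
    interpolation of it would have changed the command's meaning."""
    return shlex.quote(path) == path


def file_is_infected(path):
    """Hardened form: no shell at all. The name is only ever a path
    argument to open(); the content check happens in Python."""
    try:
        with open(path, "rb") as fh:
            return MALWARE_MARKER in fh.read()
    except OSError:
        return False


def scan_directory(root):
    """Return the sorted list of files under root carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if file_is_infected(full):
                hits.append(full)
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree: one clean file, one marked file, and one
    marked file whose name carries shell metacharacters."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    with open(os.path.join(root, "clean.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    with open(os.path.join(root, "dropped.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\n# " + MALWARE_MARKER + b"\n")
    hostile_name = "scan me; echo injected"  # constructed hostile file name
    with open(os.path.join(root, hostile_name), "wb") as fh:
        fh.write(MALWARE_MARKER)
    return root, hostile_name


if __name__ == "__main__":
    root, hostile = build_demo_tree()
    print("unsafe command line:", build_scan_command_unsafe(os.path.join(root, hostile)))
    print("name shell-safe?", name_is_shell_safe(hostile))
    print("infected files:", scan_directory(root))
```

The point of `file_is_infected` is that a remover only needs to read files, so the cleanest hardening is to remove the shell from the path entirely; `name_is_shell_safe` is the check to run against any remaining code that still builds command strings.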
Wow. Back door accounts are just totally inexcusable these days - manufacturers should be held to account if their back doors end up getting exploited by threat actors. (Granted, you could argue it’s hard to distinguish between a really terrible bug and a back door, sometimes, but “intent” should cover this difference…)
Would you happen to have a write up/article about this series of events that isn’t a sanitized series of security bulletins? Sounds like it’d make for good reading.
Reading further along in the forum, the `walter` thing sounds like it's only present in test code and comments.
The actual backdoor looks like the `jisoosocoolhbsmgnt` session ID [1] that was removed in the update [2]. It looks like a hardcoded session ID used for tests [3]. Leaving something like that hardcoded and active in the production code is inexcusable.
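To make the "hardcoded session ID used for tests" failure concrete, here is an added example (not QNAP's code, and the constant is a constructed placeholder, not the real value): a session resolver that honours a compiled-in test session beside one where the session store is the only authority, plus a startup self-check that refuses any resolver which accepts a known test credential against an empty store.

```python
import hmac
import secrets

# Constructed placeholder standing in for whatever a test suite might hardcode.
TEST_SESSION_ID = "TEST-SESSION-PLACEHOLDER-CONSTRUCTED"


class SessionStore:
    """Minimal in-memory session table mapping session id -> username."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def resolve_session_unsafe(store, sid):
    """Anti-pattern: a test-only constant is honoured unconditionally,
    so it works in production exactly as it does under the test suite."""
    if hmac.compare_digest(sid, TEST_SESSION_ID):
        return "admin"
    return store.lookup(sid)


def resolve_session_safe(store, sid):
    """Hardened form: the store is the only authority. Tests that need a
    privileged session create one through the store like any other caller."""
    return store.lookup(sid)


def startup_self_check(resolver, known_test_ids):
    """Deployment guard: probe the resolver with every known test credential
    against an empty store and return the ones it wrongly accepts. A
    non-empty result should abort startup."""
    empty = SessionStore()
    return [tid for tid in known_test_ids if resolver(empty, tid) is not None]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("real session resolves to:", resolve_session_safe(store, sid))
    print("test id under safe resolver:", resolve_session_safe(store, TEST_SESSION_ID))
    print("test id under unsafe resolver:", resolve_session_unsafe(store, TEST_SESSION_ID))
    print("self-check (unsafe):", startup_self_check(resolve_session_unsafe, [TEST_SESSION_ID]))
    print("self-check (safe):", startup_self_check(resolve_session_safe, [TEST_SESSION_ID]))
```

The self-check is deliberately cheap: it needs only the list of fixtures the test suite uses, so it can run in CI against the production build to catch a test constant before it ships.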
[0] https://www.qnap.com/en/security-advisory/qsa-21-11
[1] https://www.qnap.com/de-de/security-advisory/qsa-21-05
[2] https://www.bleepingcomputer.com/news/security/qnap-confirms...
[3] https://www.qnap.com/en/security-advisory/qsa-21-16