Week 16 in review

27.04.2021 - Last week, the NCSC recorded a very high number of reports. This was mainly due to a wave of fake sextortion attempts. The NCSC also received reports on emails threatening an acid attack. In addition, the NCSC is receiving an increasing number of reports on encrypted QNAP network-attached storage (NAS).

Current statistics

Reports per week during the last 12 months

Last week's reports by category

Fake sextortion – using empty threats to get people to pay

After a few quiet days on the fake sextortion front, last week once again saw a lot of reports. Mailboxes, mainly those of Swisscom/Bluewin customers, were flooded with emails. The threats in the emails are always the same: someone claims to have access to the recipient's computer and to have spied on them for months, watching them consume pornography. By taking control of the webcam, they claim to have obtained compromising images, which will now be published unless the victim makes an appropriate payment.

As proof that the email account has been hacked, the attackers pretend to have sent the email from the victim's own address. And indeed, the sender and recipients in the current batch of emails are identical. The perpetrators exploit the victim's insecurity; only very few people know that an email sender address can be spoofed using very simple methods and without specialist knowledge. Every email program allows the sender to be freely defined. In the current cases, the attackers do not have access to the email account and are attempting to bluff their way to a ransom payment from the victim.
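The following added example (not part of the NCSC report) shows how the headers of such a message reveal that it was not sent from the recipient's own account. The sample message, its addresses and the finding names are constructed, and the check assumes the Authentication-Results header was written by the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real email): From equals To, as in the wave described above.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.ch; spf=softfail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.ch
Received: from unknown (203.0.113.7) by mx.example.ch; Mon, 19 Apr 2021 08:12:00 +0200
From: <anna@example.ch>
To: <anna@example.ch>
Subject: Your account has been hacked
Date: Mon, 19 Apr 2021 08:11:58 +0200

(body omitted)
"""

def domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()

def assess(raw):
    """Flag a 'sent from your own address' mail whose headers contradict that claim."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    # Return-Path carries the envelope sender, which the From header does not control.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))

    findings = []
    if sender and sender in rcpts:
        findings.append("from-equals-to")
    if envelope and domain(envelope) != domain(sender):
        findings.append("envelope-domain-mismatch")
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech, "none") != "pass":
            findings.append(f"{mech}-not-pass")
    # A self-addressed mail with any contradicting header is treated as spoofed.
    spoofed = "from-equals-to" in findings and len(findings) > 1
    return {"likely_spoofed_self_send": spoofed, "findings": findings}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A message that really was sent from the account to itself would show a matching envelope domain and passing SPF, DKIM and DMARC results, leaving only the `from-equals-to` finding.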

Threats of acid attacks

In another variation on the threatening email theme, the attackers threaten to carry out an acid attack. It is claimed that a friend of the recipient has ordered sulphuric acid to be thrown into their face. The recipient's home address is quoted as proof. The victim can cancel the contract by sending EUR 550 to a bitcoin address. The bitcoin address is always the same and is known for having already been used in this kind of threatening email. In this latest case, the threat is a bluff.

You can use the BitcoinAbuse website (https://www.bitcoinabuse.com/) to check whether a given bitcoin address has already been used in other cases of fraud.

QNAP network-attached storage (NAS) targeted by ransomware

Last week, the NCSC received an increased number of reports of encrypted QNAP NAS (network-attached storage) devices and subsequent ransom demands. The vulnerability CVE-2020-36195 is probably being exploited in these cases. QNAP provided an update to fix this vulnerability on 16 April 2021. The NCSC recommends updating Multimedia Console, the Media Streaming add-on and Hybrid Backup Sync as a matter of urgency, and generally keeping all device systems up to date.

In the meantime, QNAP has reacted to the incident and published an article warning users to install the latest version of Malware Remover and perform a malware scan on the QNAP NAS.

If user data has already been or is being encrypted, the manufacturer recommends not shutting down the NAS but instead running a malware scan immediately using the latest version of Malware Remover, and then contacting QNAP's technical support (https://service.qnap.com/). This is because it is possible to restore the password from the 7z.log file, so long as the QNAP device has not been restarted since the encryption.

Generally, it is recommended that network-attached storage only be made directly accessible from the internet when absolutely necessary. QNAP also recommends changing the standard network port 8080 for access to the NAS user interface.

You can find further information on the QNAP website:
https://www.qnap.com

Last modification 27.04.2021


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/wochenrueckblick_16.html