Urgent Notification about TNAS being Attacked by Ransomware

[fpsking]

I would wait for someone who knows what they are talking about to log-on as he is no help at all also @TMroy posting a rude message then editing it only works if my print screen button doesn't work

[Saijin_Naib]

How do we make a Firewall rule that filters/blocks ALL external IP connections, but allows interneal/local IP connections?

If you can give us a step-by-step for that, it should help everyone massively.

(Also, love the advice to put an AV on my TerraNAS product that you removed ClamAV support for :| )

[REBELinBLUE]

Saijin_Naib wrote:
> How do we make a Firewall rule that filters/blocks ALL external IP
> connections, but allows interneal/local IP connections?
>
> If you can give us a step-by-step for that, it should help everyone
> massively.
>
> (Also, love the advice to put an AV on my TerraNAS product that you removed
> ClamAV support for :| )

I've set mine like these screenshots, this blocks it from accessing the internet but allows the whole local network to be acceesss

https://dropshare.rebelinblue.com/Scree ... t-23.58.48
https://dropshare.rebelinblue.com/Scree ... t-23.59.01
https://dropshare.rebelinblue.com/Scree ... t-23.58.56
https://dropshare.rebelinblue.com/Scree ... t-23.58.48

The important thing is making sure you get the IP right, for example, if your router IP is 192.168.0.1 the first 3 digits are probably the same for all your devices which is what the 255.255.255.0 specifies; you could also just do the range instead 192.168.0.1 - 192.168.0.255

https://www.wikihow.com/Find-Your-Subnet-Mask tells you how to find your subnet on Windows and macOS, in the example there the router is 192.168.8.1 so you'd use 192.168.8.0 & 255.255.255.0

[Charlie_Croker]

Thank you for the warning.

Unfortunately the bad actors have realised attacking NAS is a good, profitable attack vector and TerraMaster are not alone in being attacked. I can understand the frustration but you are not alone in being advised to "Disconnect your device from the internet", or to "secure your routers." NAS are all Linux based and vulnerabilities will be found by hackers and exploited. Often before anyone knows (So called "Zero day exploits"). I can be quite critical of TM (The fans debacle being one time), but in this case they have warned us and I don't expect them to secure my network.

Luckily my TNAS is OK but as a QNAP owner I have been through this before. I would advise everyone to make sure you have a very good Router with a decent firewall and make sure you update the firmware frequently (good routers get frequent firmware updates) Also if you are using the router supplied by your ISP remember, it wasn't the best it was the cheapest.

Your router/firewall is your first line of defence. Personally I recommend the Ubuiqiti range of Routers/firewalls as they are reasonably priced and have Intrusion Protection System, together with Deep Packet Inspection. This prevented my QNAP getting infected and seems to have protected my TNAS too (Fingers crossed). (QNAP Also released a warning a few days ago about another attack and I have placed a link to their advice below, which shows how to secure your router for those unsure how to do it).

If you want to test your home network's security (you might be shocked) watch this video, and test your security https://www.youtube.com/watch?v=80vIin4xGp8

https://www.qnap.com/en/security-news/2 ... e-qnap-nas

https://www.bleepingcomputer.com/news/s ... e-attacks/
https://www.techspot.com/news/92909-qna ... ected.html

The April 2020 attacks on QNAP NAS https://www.youtube.com/watch?v=S_4p68lDWfA

[Charlie_Croker]

Oh and remember, if they can hack the Pentagon, the CIA , NASA etc, they can hack your NAS. https://www.washingtonpost.com/national ... story.html

[Charlie_Croker]

REBELinBLUE wrote:
> BTW, you tell people to disable SSH when not in use, and to remove the
> default admin account (which you can't) but that doesn't work as
> /etc/ssh/sshd_config has explicitly been set to "AllowUsers
> admin" so only the admin user can login, if you edit the file when you
> re-enable SSH via TOS it resets it

That's shocking, I guess they are regretting this too https://www.techpowerup.com/forums/thre ... re.286026/

[Charlie_Croker]

More on the QNAP attacks and its possible there is a shared vulnerability.

While the company (QNAP) did not share any other details on these active attacks, BleepingComputer reported on QNAP customers saying their systems were targeted with eCh0raix ransomware (also known as QNAPCrypt).

These incidents follow an increase in activity right before Christmas and are using an unknown attack vector.

However, some of the users' reports seen by BleepingComputers link successful ransomware attacks to improperly secured Internet-exposed devices. Others have also claimed that the attackers exploited an unspecified QNAP Photo Station vulnerability.

BleepingComputer has seen ech0raix ransom demands ranging from $1,200 to $3,000 worth of bitcoins during these recent attacks. Some of them were paid because the victims didn't have a backup of the encrypted files

QNAP devices were previously targeted by threat actors using eCh0raix ransomware in June 2019 and June 2020, with the NAS maker also alerting users of another series of another surge of eCh0raix attacks targeting devices with weak passwords in May 2021.

[TMroy]

{L_BUTTON_AT}Charlie_Croker

Thank you for your information!

[Jac de Lad]

REBELinBLUE wrote:
> Saijin_Naib wrote:
> > How do we make a Firewall rule that filters/blocks ALL external IP
> > connections, but allows interneal/local IP connections?
> >
> > If you can give us a step-by-step for that, it should help everyone
> > massively.
> >
> > (Also, love the advice to put an AV on my TerraNAS product that you removed
> > ClamAV support for :| )
>
> I've set mine like these screenshots, this blocks it from accessing the internet but
> allows the whole local network to be acceesss
>
> https://dropshare.rebelinblue.com/Scree ... t-23.58.48
> https://dropshare.rebelinblue.com/Scree ... t-23.59.01
> https://dropshare.rebelinblue.com/Scree ... t-23.58.56
> https://dropshare.rebelinblue.com/Scree ... t-23.58.48
>
> The important thing is making sure you get the IP right, for example, if your router
> IP is 192.168.0.1 the first 3 digits are probably the same for all your devices which
> is what the 255.255.255.0 specifies; you could also just do the range instead
> 192.168.0.1 - 192.168.0.255
>
> https://www.wikihow.com/Find-Your-Subnet-Mask tells you how to find your subnet on
> Windows and macOS, in the example there the router is 192.168.8.1 so you'd use
> 192.168.8.0 & 255.255.255.0
Thanks for that, but will this void access via mynas.tnas.link too? Or packages like JDownloader?

[REBELinBLUE]

Jac de Lad wrote:
> REBELinBLUE wrote:
> > Saijin_Naib wrote:
> > > How do we make a Firewall rule that filters/blocks ALL external IP
> > > connections, but allows interneal/local IP connections?
> > >
> > > If you can give us a step-by-step for that, it should help everyone
> > > massively.
> > >
> > > (Also, love the advice to put an AV on my TerraNAS product that you removed
> > > ClamAV support for :| )
> >
> > I've set mine like these screenshots, this blocks it from accessing the internet
> but
> > allows the whole local network to be acceesss
> >
> > https://dropshare.rebelinblue.com/Scree ... t-23.58.48
> > https://dropshare.rebelinblue.com/Scree ... t-23.59.01
> > https://dropshare.rebelinblue.com/Scree ... t-23.58.56
> > https://dropshare.rebelinblue.com/Scree ... t-23.58.48
> >
> > The important thing is making sure you get the IP right, for example, if your
> router
> > IP is 192.168.0.1 the first 3 digits are probably the same for all your devices
> which
> > is what the 255.255.255.0 specifies; you could also just do the range instead
> > 192.168.0.1 - 192.168.0.255
> >
> > https://www.wikihow.com/Find-Your-Subnet-Mask tells you how to find your subnet
> on
> > Windows and macOS, in the example there the router is 192.168.8.1 so you'd use
> > 192.168.8.0 & 255.255.255.0
> Thanks for that, but will this void access via mynas.tnas.link too? Or packages like
> JDownloader?

Yeah it would block it from accessing the internet