Urgent Notification about TNAS being Attacked by Ransomware

Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

Having trawled through my IDS/IPS records, has anyone else had attempts to ssh on port 223 from 85.209.0.186 (In the Russian Federation)?
REBELinBLUE
Posts: 30
Joined: 05 Dec 2021, 06:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by REBELinBLUE »

Saijin_Naib wrote:
> REBELinBLUE wrote:
> >
> Thanks for that.
>
> So to confirm, allowing a range forces the TOS firewall to REJECT every other
> connection that does not match this rule?

That *seems* to be the case from my experiments: once I did this, the device wasn't able to resolve google.com, for instance. I tried to add a "Reject" rule for all IPs afterwards and I just get a generic "configuration failed" message, so it's not entirely clear.

It would be nice if someone from TerraMaster would confirm.
Saijin_Naib
Posts: 79
Joined: 23 Jun 2021, 01:19

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Saijin_Naib »

REBELinBLUE wrote:
>
> That *seems* to be the case from my experiments,
>
> It would be nice if someone from TerraMaster would confirm.

Yes, we need confirmation that this is in fact how the firewall works.

It is a bit concerning that we can't make a blanket exclude rule, however.

Thanks again for your assistance in this.
thrgn
Posts: 0
Joined: 13 Jan 2022, 06:09

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by thrgn »

Hi everyone,

The first time I booted up my F5-221 I had the "kinsing" cryptominer that got installed in merely seconds; upnp on both router and nas was cooperating to ruin my day ;). I wiped and started again.

And two days ago, 1.3TB of data lost on my F5-221, courtesy of "echoraix". I moved to another apartment, and for some reason my telco operator reset the upnp setting + it went back on the nas after an os upgrade. I wiped and started again.

I'm not upset because I've got cold storage and stuff + the nas is monitored and I did not witness data leaking outside but yeah... I might be slightly mad this time.

I set a firewall rule as a result and so far it seems it works. Let's hope no device on my local network will be used to exploit the nas again.

I know Terramaster is not the bad actor here, but I heavily suggest you invest some time finding safe defaults from now on around firewalling, upnp and remote access.

The web interface is vulnerable and will be challenged again, that's life. Even the biggest actors struggle to prevent major flaws from happening. I suggest some hardening here as well:

2612 root 20 0 34.6m 1.1m 0.0 0.1 0:00.00 S `- nginx
2613 root 20 0 51.7m 6.4m 0.0 0.4 0:00.62 S `- nginx
2614 root 20 0 51.7m 4.8m 0.0 0.3 0:00.05 S `- nginx
2615 root 20 0 51.6m 6.0m 0.0 0.3 0:00.00 S `- nginx
2616 root 20 0 51.8m 6.8m 0.0 0.4 0:06.01 S `- nginx

Why is nginx root, for example? Because php runs root level scripts?

Anyway, I wish you the best of luck, there's an angry mob because of some bad actors, you can't help this but no one deserves this.
We are all in this together.

Cheers,
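A way to check the point raised in the post above, as an added example that is not part of the original post or of TOS: nginx's master process normally runs as root so it can bind ports and read keys, while its workers, which handle requests, are expected to run as an unprivileged user. The `ps` output is constructed (only the PIDs mirror the listing) and `root_workers` is a hypothetical helper name.

```python
# Constructed `ps -eo pid,ppid,user,comm` output. The PIDs mirror the listing
# in the post; the PPID column is an assumption made for this example.
PS_ALL_ROOT = """\
  PID  PPID USER     COMMAND
    1     0 root     init
 2612     1 root     nginx
 2613  2612 root     nginx
 2614  2612 root     nginx
"""
# Same tree, but with the workers (children of 2612) running as user "www".
PS_DROPPED = PS_ALL_ROOT.replace("2612 root", "2612 www ")


def root_workers(ps_text, name="nginx"):
    """Return PIDs of `name` workers (parent is also `name`) owned by root."""
    procs = {}
    for line in ps_text.splitlines()[1:]:          # skip the header row
        pid, ppid, user, comm = line.split(None, 3)
        procs[int(pid)] = (int(ppid), user, comm.strip())

    flagged = []
    for pid, (ppid, user, comm) in procs.items():
        parent = procs.get(ppid)
        # A worker is a process whose parent has the same command name;
        # the master (parent is init) is allowed to be root.
        is_worker = comm == name and parent is not None and parent[2] == name
        if is_worker and user == "root":
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    print("root-owned workers:", root_workers(PS_ALL_ROOT))
    print("after privilege drop:", root_workers(PS_DROPPED))
```

The same function can be pointed at other services by changing `name`, for example the PHP process manager the post asks about.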
REBELinBLUE
Posts: 30
Joined: 05 Dec 2021, 06:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by REBELinBLUE »

Looks like it just uses iptables (https://gist.github.com/REBELinBLUE/2f5 ... 7427134140), as lines 26/27 & 33/34 appear to be the rules I added, but I don't know enough about iptables to confirm. All I know is outbound traffic does seem to be blocked:

❯ ping -w 5 google.com
PING google.com (142.250.187.206): 56 data bytes
--- google.com ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

❯ ping -w 5 142.250.187.206
PING 142.250.187.206 (142.250.187.206): 56 data bytes

--- 142.250.187.206 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

But I dare not set up port forwarding on my router to see if I could access the NAS from outside given the recent security issue
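To make the allow-list behaviour discussed in this thread concrete, here is an added example (not part of the original post, and not TOS's actual rule set) that evaluates `iptables -S INPUT` output first-match, the way netfilter does. The rules are constructed on the assumption that an "Allow" entry is followed by a catch-all REJECT; under that assumption, replies to the NAS's own requests are rejected too unless a conntrack rule admits them, which would match the failed pings above. `parse` and `verdict` are hypothetical helper names, and the evaluator ignores ports, protocols and `!` negation.

```python
import ipaddress

# Constructed rule set: loopback, one allowed LAN range, then reject the rest.
RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""
# Same rules with reply traffic admitted ahead of the allow-list entry.
WITH_CONNTRACK = RULES.replace(
    "-A INPUT -s",
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -s",
)


def parse(rules_text):
    """Return (default_policy, [option dict per rule]) for the INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            # Options come as flag/value pairs in `iptables -S` output.
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return policy, rules


def verdict(rules_text, src, iface="eth0", state="NEW"):
    """Return the target of the first rule matching one inbound packet."""
    policy, rules = parse(rules_text)
    for r in rules:
        if "-i" in r and r["-i"] != iface:
            continue
        if "-s" in r and ipaddress.ip_address(src) not in ipaddress.ip_network(
            r["-s"], strict=False
        ):
            continue
        if "--ctstate" in r and state not in r["--ctstate"].split(","):
            continue
        if r.get("-j") in ("ACCEPT", "REJECT", "DROP"):
            return r["-j"]
    return policy  # nothing matched: the chain policy decides


if __name__ == "__main__":
    print(verdict(RULES, "142.250.187.206", state="ESTABLISHED"))
    print(verdict(WITH_CONNTRACK, "142.250.187.206", state="ESTABLISHED"))
```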
thrgn
Posts: 0
Joined: 13 Jan 2022, 06:09

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by thrgn »

fpsking wrote:
> My TNAS was up to date and I still got attacked with a text document
> telling me to follow the instructions to unlock it so I have just lost
> years of family photos all my personal documents and work files.
>
> And your best answer for this is more or less unplug it from the internet
> restore it back to factory settings and format the drives unbelievable.
>
> I also tested all the antivirus/protection you offer in your apps section
> and not one of them detect it.
>
> How about you add 2 step authentication or something that works.

I did not intercept the payload (aka "the way in", the code that caused the encryption), but it looks like it exploited some flaw in the interface, my passwords are secure and the nas was resting idle.

2 steps authentication IMHO wouldn't have done much. Antivirus might be useless when something happens in memory + we don't have samples of the malware yet. I could analyse that if someone had it. From the look of it it's an echoraix variant that hit me, .txtt file with instructions I didn't bother to read.

Sorry for your loss.
REBELinBLUE
Posts: 30
Joined: 05 Dec 2021, 06:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by REBELinBLUE »

I decided to test it anyway, set up port forwarding on my router and disabled that firewall rule, then tried connecting to it from my server

❯ curl --connect-timeout 5 -I http://x.x.x.x:8181
HTTP/1.1 200 OK
Date: Wed, 12 Jan 2022 22:39:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: TerraMaster
Server: TOS/1.18.0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cross-Origin-Resource-Policy: same-origin

I could connect to the NAS (can't believe they include an X-Powered-By and Server header... that's a giveaway to hackers)

Then enabled the firewall rule

❯ curl --connect-timeout 5 -I http://x.x.x.x:8181
curl: (28) Connection timed out after 5001 milliseconds

So looks like that works
TMSupport
TerraMaster Team
Posts: 2314
Joined: 13 Dec 2019, 15:15

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by TMSupport »

REBELinBLUE wrote: 13 Jan 2022, 04:10
> I tried to add a "Reject" rule for all IPs afterwards and I just get a generic "configuration failed" message so it's not entirely clear.
>
> It would be nice if someone from TerraMaster would confirm

Hi! When adding a "Reject" rule, you can't deny all IPs, because then the device you are accessing the NAS from will be banned, which is the reason for the "configuration failed".
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
TMSupport
TerraMaster Team
Posts: 2314
Joined: 13 Dec 2019, 15:15

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by TMSupport »

Saijin_Naib wrote: 13 Jan 2022, 01:13
> So to confirm, allowing a range forces the TOS firewall to REJECT every other connection that does not match this rule?

Yes, if you set an "Allow" rule, then the IP that does not match this rule will be rejected.
NavinKanus
Posts: 1
Joined: 13 Jan 2022, 11:02

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by NavinKanus »

Can someone explain the steps to wipe and re-initialize my tnas device?

I know I lost my most valuable memories and documents but I want to get back to my work.