Urgent Notification about TNAS being Attacked by Ransomware

Official announcements and latest news, awards from the media, and success stories.
demetry14
Posts: 20
Joined: 22 Nov 2020, 05:23

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by demetry14 »

TMSupport wrote:
> >
> This attack is an organized attack on TNAS, a variant of the eCh0raix
> virus, which usually uses weak passwords or vulnerabilities to attack
> victims. This time, Synology and QNAP NAS devices were also attacked.

That was deflection.

ARE ANY OF THE ATTACKS FUELED BY UNCHECKED THIRD PARTY SOFTWARE THAT TERRA-MASTER REFUSED TO CHECK?
REBELinBLUE
Posts: 29
Joined: 05 Dec 2021, 06:37

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by REBELinBLUE »

demetry14 wrote:
> TMSupport wrote:
> > > >
> > This attack is an organized attack on TNAS, a variant of the eCh0raix
> > virus, which usually uses weak passwords or vulnerabilities to attack
> > victims. This time, Synology and QNAP NAS devices were also attacked.
>
> That was deflection.
>
> ARE ANY OF THE ATTACKS FUELED BY UNCHECKED THIRD PARTY SOFTWARE THAT TERRA-MASTER
> REFUSED TO CHECK?

The exploit is literally in terra master's own software, no third party software needed.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

A QNAP user has come out with a way to decrypt files from Echamonix and posted it here, maybe someone could do similar for TM?

https://github.com/rajeevbharol/Qlocker-Recovery

https://forum.qnap.com/viewtopic.php?f= ... &start=750
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

It relies on the attacker still encrypting files, as you can then recover the password. So it's not going to work if the files are already encrypted and the encryption process has ended.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

Now getting press attention, (Hey I got a mention too :) )

https://nascompares.com/2022/01/18/terr ... ansomware/
demetry14
Posts: 20
Joined: 22 Nov 2020, 05:23

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by demetry14 »

REBELinBLUE wrote:
> demetry14 wrote:
> > TMSupport wrote:
> > > > > >
> > > This attack is an organized attack on TNAS, a variant of the eCh0raix
> > > virus, which usually uses weak passwords or vulnerabilities to attack
> > > victims. This time, Synology and QNAP NAS devices were also attacked.
> >
> > That was deflection.
> >
> > ARE ANY OF THE ATTACKS FUELED BY UNCHECKED THIRD PARTY SOFTWARE THAT
> TERRA-MASTER
> > REFUSED TO CHECK?
>
> The exploit is literally in terra master's own software, no third party software
> needed.

Can you link me to the notification of the Terra-Master specific portion of the software and not the underlying Linux distribution that is the issue?
Knurpel
Posts: 0
Joined: 20 Jan 2022, 00:36

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Knurpel »

The blame for the recent ransomware attacks rests squarely on Terramaster’s shoulders. Terramaster markets its NASes “with home users in mind, as well as small and medium-sized businesses.” Most home users and many small businesses don’t have any cybersecurity knowledge; they trust the vendor to supply a secure product. Terramaster has betrayed and still does betray the trust of its customers.

Apart from the noted PHP vulnerability (that needs an at least mildly “professional hacker”) the Terramaster software looks like it’s written by an intern.

Freshly set up with TOS 4.2.18, my Terramaster F5-422 has the following ports open:

PORT STATE SERVICE VERSION
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/https
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
548/tcp open afp Netatalk 3.1.12 (name: TNAS-F2CA; protocol 3.4)
2049/tcp open nfs_acl 3 (RPC #100227)
8181/tcp open http nginx 1.18.0
49153/tcp open upnp Portable SDK for UPnP 1.6.22 (Linux 4.19.165+; UPnP 1.0)

In the default settings, the following services are enabled:
- SSH
- SMB (Windows file sharing)
- AFP (Apple file sharing)
- FTP, but NOT sftp
- NFS (Linux file sharing)
- UPNP
- BONJOUR

Under Security
- Automatic block was disabled
- DOS protection was disabled
- Firewall was disabled

Plain old FTP is a highly insecure file protocol, and according to Terramaster, this is how attackers gained access. It is highly irresponsible to enable insecure protocols by default.

To make matters worse, Terramaster tells its new users in the Help document to “Please turn on the router (router connected to TNAS) and TCP port forwarding. The ports below should be forwarded: 21 (default control connection) and 55536-56569 (passive data connection).”

If the neophyte home user succeeds in doing that, FTP on the NAS box will be available to the world. A little password cracking, and the data are toast. If the neophyte home user fails in forwarding the ports above, the likelihood of all parts eventually being forwarded via DMZ is very high. After all, “Demilitarized Zone” sounds very safe, and presto, all ports of the Terramaster box will be wide open to the world.

Mind you, this was a fresh install, with the 4.2.18 operating system, downloaded TODAY, a week after the ransom attack was disclosed. I happened to receive my F5-422 on January 11, 2022, the very day Terramaster disclosed the attack. On that day, the operating system was version 4.2.17. I don’t see much change in the 4.2.18 security posture, actually, it got worse: Port 49153/tcp upnp was not left open with the previous version.

By delivering its products with insecure default settings, Terramaster is doing just the opposite of what it recommends its customers to do:

“Disable port forwarding on your router.” - The Help text recommends to enable it.
“Disable the UPnP function on your TNAS.” – The default setting enabled it.
“Change the default port of FTP” – The default setting was the default 21. And changing default port numbers is no security. Any self-respecting 10-year-old has a copy of nmap these days, and it takes nmap less than a minute to detect what’s behind an obfuscated port number.
“Enable firewall” – The default was Firewall disabled
“Avoid using default port numbers 5443 for https and 8181 for http” – Default https port is 443, and 80 for http. Changing port numbers brings no security. See above.
“Enable automatic IP block in TOS Control Panel to block IP addresses with too many failed login attempts” – It was disabled by default.

This is how Terramaster MUST deliver its products:
- NONE of the above network services should be enabled by default, none at all.
- Any services should be opened on demand only, and only with the appropriate security warnings.
- Insecure protocols like TELNET and plain old FTP should not be in the box.
- The only port I would want to see open initially is 443/https. Most modern browsers will issue a security warning with unencrypted traffic over port 80, and who knows who/what is lurking on a private network.
- Port forwarding should NOT be encouraged. Port forwarding is dangerous, especially in the hands of a neophyte. It increasingly won’t work at all as CGNAT spreads. In most cases, access from the outside is not necessary. If outside access is required, it should only be enabled via a private tunnel such as TNAS.online. However, the customer needs to be aware that with TNAS.online all security will be out of the window should TNAS.online be breached.
- Initially, the Firewall should only allow access from the IP from where the NAS was installed. Any additional IPs need to be opened on demand.
- RSYNC only over SSH, encrypted with public/private key
- SSH only with public/private key

All of the above probably is way over the heads of most Terramaster users. Terramaster needs to make available a script that automatically enables all security measures above.

Parting thoughts: By insisting on baking a private Linux, Terramaster actually makes its Linux insecure:

- Instead of automatic updates of standard distros, Terramaster must manually backport any fixes, a losing proposition.
- A custom Linux advertises to any drive-by scanner that most likely, it is the OS of a NAS. Within a few seconds, aforementioned nmap identified my F5-422 as a promising target, just by fingerprinting its FTP port 21 that was left open in the install:
“Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%), Linux 2.6.32 - 2.6.35 (94%).”
- A custom Linux makes it hard for the expert to harden the security. There are no package managers, no apt, no yum. Standard services like ssh are needlessly renamed.
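The post above is essentially a baseline check: which listening services are acceptable out of the box (only 443/https, per the poster) and which should be off until enabled on demand. The script below is an added example, not code from the thread or from Terramaster; it parses an nmap-style port listing (the poster's own listing is embedded as constructed sample input) and reports every open port that falls outside that baseline. The allowlist and the per-service notes are assumptions drawn from the post's recommendations, not a vendor policy, so adjust them to the services a given deployment actually needs.

```python
"""Audit an nmap-style open-port listing against a NAS hardening baseline.

Added example for this thread; the baseline encodes the hardening points
made in the post above and is an assumption, not a Terramaster setting.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the port listing quoted in the post above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/https
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
548/tcp open afp Netatalk 3.1.12 (name: TNAS-F2CA; protocol 3.4)
2049/tcp open nfs_acl 3 (RPC #100227)
8181/tcp open http nginx 1.18.0
49153/tcp open upnp Portable SDK for UPnP 1.6.22 (Linux 4.19.165+; UPnP 1.0)
"""

# One nmap result row: "<port>/<proto> <state> <service> [version text]".
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


def parse_scan(text):
    """Return the open ports in an nmap-style listing.

    The header row, blank lines and closed/filtered ports are skipped.
    """
    ports = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header line, blank line or unrelated output
        port, proto, state, service, version = m.groups()
        if state != "open":
            continue  # closed/filtered ports are not exposure
        ports.append(OpenPort(int(port), proto, service, version or ""))
    return ports


# Baseline (assumption, taken from the post): only HTTPS open by default,
# everything else enabled on demand. Notes explain why each service is flagged.
ALLOWED_PORTS = {443}
SERVICE_NOTES = {
    "ftp": "cleartext logins and data; offer SFTP over SSH instead",
    "telnet": "cleartext remote shell; should not ship at all",
    "http": "unencrypted management UI; redirect to HTTPS or disable",
    "upnp": "lets LAN hosts open router port forwards automatically; disable",
    "rpcbind": "RPC portmapper, only needed with NFS; enable together with NFS on demand",
    "nfs_acl": "NFS export exposed; enable on demand with per-host export restrictions",
    "netbios-ssn": "SMB exposed; enable on demand, restrict to the LAN, require signing",
    "afp": "AFP exposed; enable on demand for Apple clients only",
}


def audit(ports):
    """Return (port, service, note) for every open port outside the baseline."""
    findings = []
    for p in ports:
        if p.port in ALLOWED_PORTS:
            continue
        note = SERVICE_NOTES.get(p.service, "not in the baseline; enable on demand only")
        findings.append((p.port, p.service, note))
    return findings


def report(text):
    """Summarise a scan: how many ports are open and which ones are flagged."""
    ports = parse_scan(text)
    findings = audit(ports)
    return {
        "open": len(ports),
        "flagged": len(findings),
        "flagged_ports": [port for port, _, _ in findings],
    }


if __name__ == "__main__":
    for port, service, note in audit(parse_scan(SAMPLE_SCAN)):
        print(f"{port:>5} {service:<12} {note}")
    print(report(SAMPLE_SCAN))
```

Run against the listing from the post, it flags nine of the ten open ports and leaves only 443 alone, which is the gap between the shipped defaults and the poster's "on demand only" baseline. Paste the output of a scan of your own box into `SAMPLE_SCAN` (or read it from a file) to get the same comparison for a different TOS version.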
titanrx8
Posts: 222
Joined: 17 Jul 2020, 06:17

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by titanrx8 »

I have created some firewall rules and my internet status shows as disconnected.

The TOS servers don't need access to the internet except for some updates from Terramaster. What rules would I need to add in order to provide this limited access?

Also, since I have devices mapped to folders on the TNAS units, what vulnerability does that potentially present and how can that be blocked?

Thank you.
Knurpel
Posts: 0
Joined: 20 Jan 2022, 00:36

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Knurpel »

Internet access: You could enable Internet access only temporarily for the update. Or you could create a firewall rule to allow outgoing service only to the IP(s) of the Terramaster update server. To find out those IPs would take some sleuthing, or you could ask Terramaster support.

Devices mapped to folders on Terramaster: The data on those shares would likewise be in jeopardy during a ransomware attack,