Urgent Notification about TNAS being Attacked by Ransomware

crisisacting
Posts: 32
Joined: 20 Jan 2022, 16:42

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by crisisacting » 01 Mar 2022, 16:00

Charlie_Croker wrote:
> You can test what ports are open and whether UPnP is on, by going here and selecting
> the various options. https://www.grc.com/x/ne.dll?rh1dkyd2

That link does not directly lead to the test; however, it's accessible through https://www.grc.com/shieldsup

Charlie_Croker
Posts: 75
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker » 01 Mar 2022, 16:09

deex wrote:
> >> From what I see on this forum last time they said "It's your fault if
> it's not secure"; all the passwords I have on the device are randomly generated
> and secure, the attackers are providing a solution to Terramaster (it's a lot of
> money, granted!) but we're still being left in the dark<<
>
> This is exactly what I feel, especially with posts of Charlie Croker, not able to
> explain the correct format of IP table inputs but blaming users for a security hole
> that is not made by them. If your company data is on the NAS you can't just be testing
> around with IP formats; it might be possible that you cut off all connections and are
> not gaining access again. I have worked a long time with Linux servers and trust me, you could
> do a lot of bad things with wrong IP table formats, especially if you have no recovery
> access as backup.
>
>
> First of all to my previous statement.
>
> 1) I have two firewalls, in my cisqo switch and in the router; the NAS was not
> exposed to the internet from the firewalls. I also checked it with external requests
> to my public IP... but well, it seems that it WAS possible.
>
> 2) To the rude questions why I did not change the port.
> Because I DIDN'T KNOW about the risk of the issue. I got NO mail, no forced firmware
> upgrades, no info at all, and I have work to do. I haven't the time to check every day
> the forums here (think about if I would do this for all my hardware).
>
> The only thing that brought the issue to my attention was strongly blinking NAS
> LEDs, and I was on the way to check my NAS to see what was going on.
>
> A bit of luck for me.
>
> I installed the drives in my Windows PC, installed Kali Linux via VMware, converted
> and mounted the RAID and finally found my backup data intact. What's not so good is
> that I needed to buy some hard drives to merge my untouched data with my backup files.
>
> So as I remember right, all that I had open was SAMBA.
>
>
> I had a real bad day... but what makes me more sad is not what the hackers do... it is
> sad that all NAS systems have this extremely bad security status. It is a shame.


1. To test what ports are exposed, just go to https://www.grc.com/x/ne.dll?rh1dkyd2 and it will test; it will also test if you have a UPnP vulnerability. What make and model of router and switch are you using, and are they on the latest firmware? I'm confused that you have a switch with a firewall; I presume it's a layer 3 switch. I have never heard of Cisqo so I presume you mean CISCO? Anyway, read this: https://security.stackexchange.com/ques ... r-than-one


2. There were no rude questions; get off your high horse and chill. If you read page one of this thread, you would see that amongst the advice offered by TM was to change these ports. I was confused/bemused by your statement that "I had asked many times about configuring the firewall", when it was your second post on this whole forum. But I wasn't rude, I was wondering what you meant.

2. You don't need to mess around with IP tables. I posted a video about how to set up firewall rules. If I can do it, then I am sure you can.

3. If the only service you had running was SAMBA then it would appear that either TM expose ports through some nefarious means, or your network is vulnerable.

Bellcorp
Posts: 0
Joined: 01 Mar 2022, 07:45

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Bellcorp » 01 Mar 2022, 16:13

Effectively Terramaster is skipping the buck. I'm talking to the support chat and they're ignoring the issue; it's incredible that this happens. If we can't sue them then we'll be alone with this problem. This can make me decide to get rid of this server and do it another way. This is a mess.

crisisacting
Posts: 32
Joined: 20 Jan 2022, 16:42

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by crisisacting » 01 Mar 2022, 16:15

iano wrote:
> I just got hit by this.
>
> Pretty appalling to realise that Terramaster knew about this and hadn't
> pushed messages to me via the nas or attempted direct update to TNAS or
> attempted to contact me directly in any way.

Actually, due to acts like GDPR, manufacturers cannot push messages like that without you opting in, just like direct updating would require similar consent.

For whatever reason, neither that opt-in nor signing up to become a Terra-Master Insider (which does email about such updates) is part of their setup wizard for TNAS; however, the latter is on their website @ https://www.terra-master.com/global/contact-us/

Charlie_Croker
Posts: 75
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker » 01 Mar 2022, 16:33

crisisacting wrote:
> iano wrote:
> > I just got hit by this.
> >
> > Pretty appalling to realise that Terramaster knew about this and hadn't
> > pushed messages to me via the nas or attempted direct update to TNAS or
> > attempted to contact me directly in any way.
>
> Actually, due to acts like GDPR, manufacturers cannot push messages like that without
> you opting in, just like direct updating would require similar consent.
>
> For whatever reason, neither that opt-in nor signing up to become a Terra-Master Insider
> (which does email about such updates) is part of their setup wizard for TNAS;
> however, the latter is on their website @
> https://www.terra-master.com/global/contact-us/

I'm not certain that is against GDPR; it would depend on the T&Cs in the software agreement we all signed up for when we installed TOS. I know QNAP have pushed FW updates to NAS recently, without their permission https://www.reddit.com/r/qnap/comments/ ... elf_to_50/

iano
Posts: 3
Joined: 24 May 2021, 23:59

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by iano » 01 Mar 2022, 16:48

OK, I'm getting over my frustration and disappointment in TM, so starting to think about practical steps.

1. report it as a crime
2. see what can be recovered if anything

I'm a home user with limited (but some) knowledge of SSH/Linux etc.

The NAS is off and I have a backup, albeit pretty oldish. I've read the thread.

Is the encryption exploit limited to the OS of the TNAS, i.e. if I can pull files off it via Samba with the internet access off, or via direct connection to a Win10 laptop, are those files (if there are any unencrypted) safe to move, and they won't carry the infection with them onto new disks/devices?

Charlie_Croker
Posts: 75
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker » 01 Mar 2022, 17:43

iano wrote:
>
Deadbolt is believed to only affect NAS drives; it's already hit QNAP, Asustor etc. Believed to be safe to copy the unencrypted files to back them up.
It might also be worth copying encrypted files to a separate drive, in case a way to decrypt them is found.

Bellcorp
Posts: 0
Joined: 01 Mar 2022, 07:45

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Bellcorp » 01 Mar 2022, 17:52

Current ransom price today is €1158.46

iano
Posts: 3
Joined: 24 May 2021, 23:59

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by iano » 01 Mar 2022, 18:26

Charlie_Croker wrote:
> Deadbolt is believed to only affect NAS drives; it's already hit QNAP, Asustor etc.
> Believed to be safe to copy the unencrypted files to back them up.
> It might also be worth copying encrypted files to a separate drive, in case a way to
> decrypt them is found.

Thanks Charlie

crisisacting
Posts: 32
Joined: 20 Jan 2022, 16:42

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by crisisacting » 01 Mar 2022, 18:29

Charlie_Croker wrote:
>
> I'm not certain that is against GDPR; it would depend on the T&Cs in the software
> agreement we all signed up for when we installed TOS. I know QNAP have pushed FW
> updates to NAS recently, without their permission
> https://www.reddit.com/r/qnap/comments/ ... elf_to_50/

If the EULA on their website @ https://www.terra-master.com/global/eula/ is the same as the one presented during setup, although updates are not mentioned directly, it does state this:

9. During the warranty period, TerraMaster will provide support service and make reasonable efforts to correct or replace any Software that does not satisfy the warranty clauses.

10. TerraMaster and its suppliers do not warrant that the Software is free from any bugs, errors, viruses, and other defects.

& points 11 & 12 are explicitly in place to protect themselves.

Additionally, this is a Mainland China based company, so …
