Re: New Checkmate Ransomware Threatening Your NAS Devices
Posted: 13 Jul 2022, 10:44
{L_BUTTON_AT}TMroy
Bug Reports, Operation Guides, and Experience Sharing
https://forum.terra-master.com/en/
Thanks for the heads up. I would add to use a firewall rule to allow only safe IPs to access the NAS. Regarding the firewall, I implemented it since the Ech0raix attack last december and had no problems since. The only issue I have is that when I reset the TNAS, it seems Plex can´t access the Plex servers since internet is disabled and my local movies are no longer found. I have to disable the firewall so that the TNAS has access to the internet and then restart the TNAS. Then the files are found and I enable firewall again. Do you know which IPs does the TNAS access to validate Plex or how can I fix this issue?TMroy wrote: ↑08 Jul 2022, 23:07 According to the official information provided by QNAP, a new ransomware known as Checkmate is targeting QNAP NAS devices recently. Checkmate attacks via SMB services exposed to the internet and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.
Related news: QNAP warns yet another wave of attacks are targeting NAS devices by techradar
Your TNAS is also highly likely to be targeted.
Recommendation
1. Do not enable SMB 1 service on your TNAS device.
2. Review all TNAS accounts immediately to ensure all passwords are strong enough. It is recommended that the password contain at least 8 characters, upper and lower case letters, and special characters.
3. Back up your data and take snapshots regularly for your share folders by installing the Snapshot app. If you have installed the TOS 5.0 on your TNAS, it is recommended to enable the TerraMaster File System Snapshot(TFSS) immediately. What is TFSS?
Does your firewall log all outbound flows? Should be relatively easy to see which site Plex is pinging when you open the firewall. then write a rule to allow that exception.CapCaveman wrote: ↑20 Jul 2022, 01:14Thanks for the heads up. I would add to use a firewall rule to allow only safe IPs to access the NAS. Regarding the firewall, I implemented it since the Ech0raix attack last december and had no problems since. The only issue I have is that when I reset the TNAS, it seems Plex can´t access the Plex servers since internet is disabled and my local movies are no longer found. I have to disable the firewall so that the TNAS has access to the internet and then restart the TNAS. Then the files are found and I enable firewall again. Do you know which IPs does the TNAS access to validate Plex or how can I fix this issue?TMroy wrote: ↑08 Jul 2022, 23:07 According to the official information provided by QNAP, a new ransomware known as Checkmate is targeting QNAP NAS devices recently. Checkmate attacks via SMB services exposed to the internet and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.
Related news: QNAP warns yet another wave of attacks are targeting NAS devices by techradar
Your TNAS is also highly likely to be targeted.
Recommendation
1. Do not enable SMB 1 service on your TNAS device.
2. Review all TNAS accounts immediately to ensure all passwords are strong enough. It is recommended that the password contain at least 8 characters, upper and lower case letters, and special characters.
3. Back up your data and take snapshots regularly for your share folders by installing the Snapshot app. If you have installed the TOS 5.0 on your TNAS, it is recommended to enable the TerraMaster File System Snapshot(TFSS) immediately. What is TFSS?
And how do you do that?Saijin_Naib wrote: ↑14 Jul 2022, 08:06 ARM implementation of TOS 4.x is missing a ton of features, among them any way to set the SMB version and parameters like the x86 TOS users can. So, you don't have that control unless you drop into the shell via SSH and edit configs manually.