Charlie_Croker wrote:
> More on the QNAP attacks and its possible there is a shared vulnerability.
>
> While the company (QNAP) did not share any other details on these active
> attacks, BleepingComputer reported on QNAP customers saying their systems
> were targeted with eCh0raix ransomware (also known as QNAPCrypt).
>
> These incidents follow an increase in activity right before Christmas and
> are using an unknown attack vector.
>
> However, some of the users' reports seen by BleepingComputers link
> successful ransomware attacks to improperly secured Internet-exposed
> devices. Others have also claimed that the attackers exploited an
> unspecified QNAP Photo Station vulnerability.
>
> BleepingComputer has seen ech0raix ransom demands ranging from $1,200 to
> $3,000 worth of bitcoins during these recent attacks. Some of them were
> paid because the victims didn't have a backup of the encrypted files
>
> QNAP devices were previously targeted by threat actors using eCh0raix
> ransomware in June 2019 and June 2020, with the NAS maker also alerting
> users of another series of another surge of eCh0raix attacks targeting
> devices with weak passwords in May 2021.
I got hit this month. Analyzing how they got it was because of an internal attack. My son was trying Multi GBA S for Android and hours later I got hit. Checking the TNAS logins, there is a login from 209.141.41.x and 209.141.42.x, then from his Android phone. I can confirm his phone was infected because he had several . encrypted files on his documents.
I think this was a coordinated attack from apps in phones which were inside of the network. This is the app I refer to:
https://play.google.com/store/apps/deta ... networkgba
I will be contacting Google regarding it. The apps does no have a trojan, but it asked for full google permissions and you need to connect to their servers. I believe this was the hackers way in.
I will harden my Nas, accept lost files and double check apps before downloading them.
Hopefully the Terramaster team can make tests and confirm this was the infection entry used.