Urgent Notification about TNAS being Attacked by Ransomware

Jac de Lad
Posts: 38
Joined: 04 Aug 2020, 01:40

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Jac de Lad »

....then this won't be an option for me (and most of us I assume), because we would lose most functions. Hard to find a balance between usability and security.
CapCaveman
Posts: 2
Joined: 12 Jan 2022, 20:56

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by CapCaveman »

Charlie_Croker wrote:
> More on the QNAP attacks, and it's possible there is a shared vulnerability.
>
> While the company (QNAP) did not share any other details on these active
> attacks, BleepingComputer reported on QNAP customers saying their systems
> were targeted with eCh0raix ransomware (also known as QNAPCrypt).
>
> These incidents follow an increase in activity right before Christmas and
> are using an unknown attack vector.
>
> However, some of the users' reports seen by BleepingComputer link
> successful ransomware attacks to improperly secured Internet-exposed
> devices. Others have also claimed that the attackers exploited an
> unspecified QNAP Photo Station vulnerability.
>
> BleepingComputer has seen ech0raix ransom demands ranging from $1,200 to
> $3,000 worth of bitcoins during these recent attacks. Some of them were
> paid because the victims didn't have a backup of the encrypted files.
>
> QNAP devices were previously targeted by threat actors using eCh0raix
> ransomware in June 2019 and June 2020, with the NAS maker also alerting
> users of another series of another surge of eCh0raix attacks targeting
> devices with weak passwords in May 2021.

I got hit this month. Analyzing how they got it was because of an internal attack. My son was trying Multi GBA S for Android and hours later I got hit. Checking the TNAS logins, there is a login from 209.141.41.x and 209.141.42.x, then from his Android phone. I can confirm his phone was infected because he had several . encrypted files on his documents.
I think this was a coordinated attack from apps in phones which were inside of the network. This is the app I refer to:

https://play.google.com/store/apps/deta ... networkgba

I will be contacting Google regarding it. The app does not have a trojan, but it asked for full Google permissions and you need to connect to their servers. I believe this was the hackers' way in.

I will harden my NAS, accept lost files and double check apps before downloading them.

Hopefully the Terramaster team can make tests and confirm this was the infection entry used.
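
The login review described in the post above, as an added example that is not part of the original thread: it lists successful logins whose source address is outside the LAN and groups them by /24. The log line format, the LAN ranges and the sample addresses are constructed assumptions, not the real TOS log format.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the LAN uses RFC 1918 space; narrow this to the real subnets.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format (an assumption, not the TOS log format):
#   <date> <time> login <success|failure> user=<name> src=<ipv4>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) login (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
2022-01-10 18:02:11 login success user=admin src=192.168.1.20
2022-01-10 21:14:03 login failure user=admin src=203.0.113.57
2022-01-10 21:14:09 login success user=admin src=203.0.113.57
2022-01-10 21:20:41 login success user=admin src=198.51.100.8
2022-01-10 21:31:55 login success user=admin src=192.168.1.34
garbage line that does not parse
"""

def external_logins(log_text):
    """Return (timestamp, user, source) for successful non-LAN logins."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        try:
            addr = ipaddress.IPv4Address(m["src"])
        except ValueError:
            continue  # malformed address field, skip the record
        if not any(addr in net for net in LAN_NETS):
            hits.append((m["ts"], m["user"], str(addr)))
    return hits

def by_slash24(hits):
    """Group external logins by /24 so neighbouring sources show up together."""
    groups = defaultdict(list)
    for ts, _user, src in hits:
        net = ipaddress.ip_network(src + "/24", strict=False)
        groups[str(net)].append(ts)
    return dict(groups)

if __name__ == "__main__":
    for net, times in by_slash24(external_logins(SAMPLE_LOG)).items():
        print(net, times)
```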
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

CapCaveman wrote:
>
That would be an interesting attack vector. I tend to use VLANs to keep my IoT, and devices that will never need access to my NAS drives (I have three and all three have been the victims of attacks, well not my own devices, but other people's by the same manufacturers).

So I would recommend putting all devices that don't need access to the NAS on a separate VLAN https://www.youtube.com/watch?v=jC6MJTh9fRE
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

Jac de Lad wrote:
>
I would recommend doing it (blocking WAN access), at least until the attack vector is patched.
CapCaveman
Posts: 2
Joined: 12 Jan 2022, 20:56

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by CapCaveman »

Thanks. Already did.
sports_wook
Posts: 74
Joined: 04 Feb 2020, 05:00

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by sports_wook »

@TMsupport
One thing that is maddening about this is the suggestion to use ClamAV from the Applications center. This app does NOT function properly and it's offensive and infuriating that this is a "suggested" method to avoid these attacks. I have tried the full scan multiple times, which takes hours upon hours, and it never completes as far as I can tell. I initiate a scan and periodically check back to ensure it is still running, but never know if it fully completes or times out and stops on its own because there is nothing in the scanning results. No history of successful or unsuccessful scans or files with potential issues - the Scan Results section is completely empty even after trying to scan multiple times over the past 2 weeks.

On top of that, the virus definitions do not update. I had to SSH in to my device and manually edit the conf file (/etc/freshclam.conf) to even bring the virus definitions up to date. This is unacceptable, especially after the string of recent attacks that are targeting TerraMaster devices specifically.

You pump up your products on social media with baseless claims touting features that do not function properly or are incomplete/not released. You boast about your device's security, yet when a threat arises you are nowhere to be found for your customers. Security does not come from self-proclamations on social media. It is derived from paying close/serious attention to current trends and threats. Keeping your customers informed. Ensuring that your system and its recommended security applications are up to date and functioning properly - IN A TIMELY MANNER.

Why would you offer services such as email server, web server, etc. and then suggest we close the devices to the internet? That's what these products are intended to do - connect to the internet. I understand that exposing any device to the internet is an inherent risk, but that's the most common purpose of an NAS. I accept the risk but protect myself by taking the proper precautions over multiple layers of protection on my network. But I no longer feel safe or protected using this device due to your laziness and slow call to action. Despite all of the precautions I take on my devices and network, it seems that it's only a matter of time until I lose all of my data because you refuse to address these issues. It's a matter of when, not if, my system will be compromised.

There's a lot of disdain on this forum for ongoing issues with certain services or features, and rightfully so, but I have hesitated to contribute to the bashing of TerraMaster as I didn't find it to be productive. But now that security is an issue and you are recommending us to install your broken AV application, I felt it was time to speak up. This is unacceptable, and the next time I need an NAS I will be shopping elsewhere. I have long recommended your devices to friends and colleagues, but no more. You don't take security or your customers' data seriously, which is scary and sad for the user.

Jac de Lad
Posts: 38
Joined: 04 Aug 2020, 01:40

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Jac de Lad »

Charlie_Croker wrote:
> Jac de Lad wrote:
> >
> I would recommend doing it, (Blocking WAN access) at least until the attack vector is
> patched.
Thanks, but I'm already using Synology. I was attacked yesterday (6 times, all blocked). Going offline is not an option, also that would render the NAS senseless, I could use an external drive instead. However, my two remaining Terramaster don't host valuables, so if it happens, it happens. My valuables are in a safe backup.
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Charlie_Croker »

sports_wook wrote:
>
I can understand your frustration; ClamAV would not be able to prevent these kinds of attack vectors in any case.
But every NAS manufacturer has been targeted in the last year or so. (QNAP multiple times and they have warned users to remove devices from the internet, I will place links below). Only asustor devices don't seem to have been hit (yet).

This site lists all the latest security issues and it's worth staying on top of the news. https://www.bleepingcomputer.com/news/security/

The issue isn't entirely TM's fault (although advising users to disable the "admin account" when this isn't possible on TNAS doesn't bode well. Talk about shooting yourselves in the foot). TMRoy is obviously part of customer services/public relations and not tech support and I'm guessing English is his second language, so sometimes he makes mistakes. (I live/work in Middle East and my Arabic is far worse!).

I think the issue will be a fundamental zero day with part of Linux as it's hit QNAP as well.

QNAP advises users (3 days ago)
https://www.techspot.com/news/92909-qna ... ected.html

Western Digital attack (June 21)
https://www.techradar.com/uk/news/weste ... ets-device

Synology warns users (Aug 21)
https://www.bleepingcomputer.com/news/s ... ansomware/
Saijin_Naib
Posts: 79
Joined: 23 Jun 2021, 01:19

Re: Urgent Notification about TNAS being Attacked by Ransomware

Post by Saijin_Naib »

REBELinBLUE wrote:
>
Thanks for that.

So to confirm, allowing a range forces the TOS firewall to REJECT every other connection that does not match this rule?