Urgent Notification about TNAS being Attacked by Ransomware
- Charlie_Croker
- Posts: 105
- Joined: 07 Oct 2020, 19:05
Re: Urgent Notification about TNAS being Attacked by Ransomware
Having trawled through my IDS/IPS records, has anyone else had attempts to ssh on port 223 from 85.209.0.186 (In the Russian Federation)?
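Checking this from your own records rather than by eye: the script below is an added example (my code, not from this thread or from TerraMaster) that tallies IDS/IPS alert lines per source address and destination port and lists the sources that cross a threshold. The log format, the hostnames and the addresses (documentation ranges) are constructed, so the regex needs adapting to whatever your IDS actually writes.

```python
"""Count connection attempts per (source IP, destination port) in IDS/IPS log lines.

Added example, not from the forum thread. The line format below is a constructed
syslog-style layout, not TOS's real IDS format; adapt LINE_RE to your own records.
"""
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample: three probes from one host against a non-standard SSH port
# and one unrelated HTTPS hit. Addresses are documentation ranges, not real offenders.
SAMPLE_LOG = """\
Jan 12 22:10:01 tnas ids: ALERT proto=TCP src=198.51.100.7:51002 dst=192.0.2.10:223 msg="SSH probe"
Jan 12 22:10:03 tnas ids: ALERT proto=TCP src=198.51.100.7:51003 dst=192.0.2.10:223 msg="SSH probe"
Jan 12 22:10:09 tnas ids: ALERT proto=TCP src=198.51.100.7:51004 dst=192.0.2.10:223 msg="SSH probe"
Jan 12 22:11:40 tnas ids: ALLOW proto=TCP src=203.0.113.5:40000 dst=192.0.2.10:443 msg="web"
"""

# Pull the source address and the destination port out of each line.
LINE_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+dst=\d{1,3}(?:\.\d{1,3}){3}:(?P<dport>\d+)"
)


def count_attempts(lines: Iterable[str]) -> Counter:
    """Return a Counter keyed by (source_ip, dest_port); unparseable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[(m.group("src"), int(m.group("dport")))] += 1
    return counts


def noisy_sources(counts: Counter, threshold: int = 3) -> List[Tuple[str, int, int]]:
    """(src, port, n) for every pair at or above the threshold, busiest first."""
    hits = [(src, port, n) for (src, port), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    c = count_attempts(SAMPLE_LOG.splitlines())
    for src, port, n in noisy_sources(c):
        print(f"{src} -> port {port}: {n} attempts")
```

Running it on the constructed sample reports the single source that hit port 223 three times; the HTTPS line stays below the threshold. Feed it your real IDS export (after adjusting the regex) to get the same per-source summary the post is asking about.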
- REBELinBLUE
- Posts: 30
- Joined: 05 Dec 2021, 06:37
Re: Urgent Notification about TNAS being Attacked by Ransomware
Saijin_Naib wrote:
> REBELinBLUE wrote:
> >
> Thanks for that.
>
> So to confirm, allowing a range forces the TOS firewall to REJECT every other
> connection that does not match this rule?
That *seems* to be the case from my experiments; once I did this the device wasn't able to resolve google.com, for instance. I tried to add a "Reject" rule for all IPs afterwards and I just get a generic "configuration failed" message, so it's not entirely clear.
It would be nice if someone from TerraMaster would confirm.
- Saijin_Naib
- Posts: 79
- Joined: 23 Jun 2021, 01:19
Re: Urgent Notification about TNAS being Attacked by Ransomware
REBELinBLUE wrote:
>
> That *seems* to be the case from my experiments,
>
> It would be nice if someone from terra master would confirm
Yes, we need confirmation that this is in fact how the firewall works.
It is a bit concerning that we can't make a blanket exclude rule, however.
Thanks again for your assistance in this.
Re: Urgent Notification about TNAS being Attacked by Ransomware
Hi everyone,
The first time I booted up my F5-221 I had the "kinsing" cryptominer installed in merely seconds; UPnP on both router and NAS was cooperating to ruin my day ;). I wiped and started again.
And two days ago, 1.3TB of data lost on my F5-221, courtesy of "echoraix". I moved to another apartment, and for some reason my telco operator reset the UPnP setting, and it went back on on the NAS after an OS upgrade. I wiped and started again.
I'm not upset because I've got cold storage and stuff, and the NAS is monitored and I did not witness data leaking outside, but yeah... I might be slightly mad this time.
I set a firewall rule as a result and so far it seems to work. Let's hope no device on my local network will be used to exploit the NAS again.
I know TerraMaster is not the bad actor here, but I heavily suggest you invest some time finding safe defaults from now on around firewalling, UPnP and remote access.
The web interface is vulnerable and will be challenged again, that's life. Even the biggest actors struggle to prevent major flaws from happening. I suggest some hardening here as well:
2612 root 20 0 34.6m 1.1m 0.0 0.1 0:00.00 S `- nginx
2613 root 20 0 51.7m 6.4m 0.0 0.4 0:00.62 S `- nginx
2614 root 20 0 51.7m 4.8m 0.0 0.3 0:00.05 S `- nginx
2615 root 20 0 51.6m 6.0m 0.0 0.3 0:00.00 S `- nginx
2616 root 20 0 51.8m 6.8m 0.0 0.4 0:06.01 S `- nginx
Why is nginx running as root, for example? Because PHP runs root-level scripts?
Anyway, I wish you the best of luck. There's an angry mob because of some bad actors; you can't help this, but no one deserves this.
We are all in this together.
Cheers,
- REBELinBLUE
- Posts: 30
- Joined: 05 Dec 2021, 06:37
Re: Urgent Notification about TNAS being Attacked by Ransomware
Looks like it just uses iptables https://gist.github.com/REBELinBLUE/2f5 ... 7427134140 as lines 26/27 & 33/34 appear to be the rules I added, but I don't know enough about iptables to confirm; all I know is outbound traffic does seem to be blocked:
❯ ping -w 5 google.com
PING google.com (142.250.187.206): 56 data bytes
--- google.com ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
❯ ping -w 5 142.250.187.206
PING 142.250.187.206 (142.250.187.206): 56 data bytes
--- 142.250.187.206 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
But I dare not set up port forwarding on my router to see if I could access the NAS from outside, given the recent security issue.
Re: Urgent Notification about TNAS being Attacked by Ransomware
fpsking wrote:
> My TNAS was up to date and i still got attacked with a text document
> telling me to follow the instructions to unlock it so i have Just lost
> years of family photos all my personal documents and work files.
>
> And your best answer for this is more or less unplug it from the internet
> restore it back to factory settings and format the drives unbelievable.
>
> I also tested all the antivirus/protection you offer in your apps section
> and not one of the detect it.
>
> How about you add 2 step authentication or something that works.
I did not intercept the payload (aka "the way in", the code that caused the encryption), but it looks like it exploited some flaw in the interface; my passwords are secure and the NAS was resting idle.
2-step authentication IMHO wouldn't have done much. Antivirus might be useless when something happens in memory, and we don't have samples of the malware yet. I could analyse it if someone had it. From the look of it, it's an echoraix variant that hit me: a .txtt file with instructions I didn't bother to read.
Sorry for your loss.
- REBELinBLUE
- Posts: 30
- Joined: 05 Dec 2021, 06:37
Re: Urgent Notification about TNAS being Attacked by Ransomware
I decided to test it anyway: set up port forwarding on my router and disabled that firewall rule, then tried connecting to it from my server.
❯ curl --connect-timeout 5 -I http://x.x.x.x:8181
HTTP/1.1 200 OK
Date: Wed, 12 Jan 2022 22:39:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: TerraMaster
Server: TOS/1.18.0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cross-Origin-Resource-Policy: same-origin
I could connect to the NAS (can't believe they include X-Powered-By and Server headers... that's a giveaway to hackers).
Then I enabled the firewall rule:
❯ curl --connect-timeout 5 -I http://x.x.x.x:8181
curl: (28) Connection timed out after 5001 milliseconds
So it looks like that works.
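Two hardening checks come out of this thread: the ps excerpt earlier showing every nginx worker owned by root, and the curl -I output above with X-Powered-By and Server headers that announce the product and its version. The script below is an added example (my code, not TerraMaster's) that turns both into repeatable checks. The ps lines are taken from the post above plus one constructed non-root line for contrast; the list of daemons and the list of disclosure headers are my own assumptions and should be extended for your system.

```python
"""Two quick hardening checks prompted by the thread:
  1. known network-facing daemons whose process owner is root (ps/top excerpt)
  2. HTTP response headers that disclose product or version (curl -I output)

Added example, not TerraMaster code. Sample inputs are copied from the thread's posts
except for the www-data line, which is constructed to show a non-root contrast.
"""
from typing import Dict, List, Tuple

# top-style lines: PID USER PR NI VIRT RES %CPU %MEM TIME S COMMAND (tree prefix `- kept)
PS_SAMPLE = """\
2612 root 20 0 34.6m 1.1m 0.0 0.1 0:00.00 S `- nginx
2613 root 20 0 51.7m 6.4m 0.0 0.4 0:00.62 S `- nginx
2614 www-data 20 0 51.7m 4.8m 0.0 0.3 0:00.05 S `- php-fpm
"""

# Assumed list of daemons that terminate network connections; extend for your NAS.
NETWORK_SERVICES = {"nginx", "php-fpm", "sshd", "smbd", "vsftpd", "httpd", "nmbd"}


def root_network_services(ps_output: str) -> List[Tuple[int, str]]:
    """(pid, command) for every known network daemon whose user column is root."""
    hits: List[Tuple[int, str]] = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header or blank line
        pid, user, command = int(fields[0]), fields[1], fields[-1]
        if user == "root" and command in NETWORK_SERVICES:
            hits.append((pid, command))
    return hits


# Raw response as printed by `curl -I`, trimmed to the headers that matter here.
HTTP_SAMPLE = """\
HTTP/1.1 200 OK
Date: Wed, 12 Jan 2022 22:39:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: TerraMaster
Server: TOS/1.18.0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""

# Assumed set of headers that commonly leak product/version information.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header name -> value; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosing_headers(raw: str) -> Dict[str, str]:
    """Headers from DISCLOSURE_HEADERS present in the response, with their values."""
    return {k: v for k, v in parse_headers(raw).items() if k in DISCLOSURE_HEADERS}


if __name__ == "__main__":
    for pid, cmd in root_network_services(PS_SAMPLE):
        print(f"root-owned network service: pid {pid} {cmd}")
    for name, value in disclosing_headers(HTTP_SAMPLE).items():
        print(f"disclosing header: {name}: {value}")
```

On the sample input the first check reports both nginx PIDs and not the php-fpm worker; the second reports `server` and `x-powered-by`. Neither finding is a vulnerability on its own: a root-owned worker widens the blast radius of any bug in that service, and a version header lets an attacker skip the guesswork, which is why both are standard items on a hardening checklist.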
Re: Urgent Notification about TNAS being Attacked by Ransomware
REBELinBLUE wrote: ↑13 Jan 2022, 04:10
> I tried to add a "Reject" rule for all IPs afterwards and I just get a generic "configuration failed" message so it's not entirely clear.
> It would be nice if someone from terra master would confirm
Hi! When adding a "Reject" rule, you can't deny all IPs, because then the device you are using to access the NAS will be banned, which is the reason for the "configuration failed".
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
Re: Urgent Notification about TNAS being Attacked by Ransomware
Saijin_Naib wrote: ↑13 Jan 2022, 01:13
> So to confirm, allowing a range forces the TOS firewall to REJECT every other connection that does not match this rule?
Yes, if you set an "Allow" rule, then any IP that does not match this rule will be rejected.
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
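The two staff answers above describe the behaviour without showing it: an Allow rule causes every address that does not match it to be rejected, and a blanket Reject is refused because it would ban the client you are configuring from. The model below is an added example (my code, not TOS's firewall) of first-match rule evaluation with exactly that lockout check, the check a firewall UI should run before it accepts a ruleset. First-match ordering and the implicit-reject-once-an-Allow-exists behaviour are my reading of the thread, not something TerraMaster has documented; the addresses are constructed.

```python
"""First-match model of an allow-list firewall, with a pre-apply lockout check.

Added example, not TOS's firewall code. Semantics assumed from the thread:
  - rules are evaluated top to bottom and the first matching rule decides;
  - once any Allow rule exists, an address matching no rule is rejected;
  - a ruleset that would reject the admin's own client must be refused.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "reject"
    network: str  # CIDR, e.g. "192.168.1.0/24" or "0.0.0.0/0"


class AllowListFirewall:
    def __init__(self, rules: List[Rule]):
        for r in rules:
            if r.action not in ("allow", "reject"):
                raise ValueError(f"unknown action {r.action!r}")
        self.rules = rules

    def decide(self, ip: str) -> str:
        """Return "allow" or "reject" for a single address."""
        addr = ipaddress.ip_address(ip)
        for r in self.rules:  # first match wins
            if addr in ipaddress.ip_network(r.network, strict=False):
                return r.action
        # Observed TOS behaviour: with at least one Allow rule, everything else is rejected.
        if any(r.action == "allow" for r in self.rules):
            return "reject"
        return "allow"  # no rules at all: nothing is filtered


def validate(rules: List[Rule], admin_ip: str) -> Optional[str]:
    """Error text if applying `rules` would lock out admin_ip, otherwise None."""
    if AllowListFirewall(rules).decide(admin_ip) == "reject":
        return f"configuration refused: {admin_ip} (your client) would be locked out"
    return None


if __name__ == "__main__":
    lan = Rule("allow", "192.168.1.0/24")          # constructed management subnet
    admin = "192.168.1.20"                          # constructed admin client
    print(AllowListFirewall([lan]).decide(admin))           # allow
    print(AllowListFirewall([lan]).decide("203.0.113.9"))   # reject (no match)
    print(validate([Rule("reject", "0.0.0.0/0")], admin))   # refused: blanket reject
    print(validate([lan, Rule("reject", "0.0.0.0/0")], admin))  # None: allow listed first
    print(validate([Rule("reject", "0.0.0.0/0"), lan], admin))  # refused: wrong order
```

The last three calls are the practical point: a catch-all Reject on its own, or placed above the Allow, locks out the admin and is refused; the same Reject placed after the Allow is harmless but also redundant, because the implicit reject already covers it. Whether TOS applies the same list to outbound traffic, which would explain google.com no longer resolving once a rule was added, the thread only reports; the model treats every address the same way regardless of direction.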
- NavinKanus
- Posts: 1
- Joined: 13 Jan 2022, 11:02
Re: Urgent Notification about TNAS being Attacked by Ransomware
Can someone explain the steps to wipe and re-initialize my TNAS device?
I know I lost my most valuable memories and documents but I want to get back to my work.