Asustor Nas Randsomware

[ICEconchy]

Summary

Many Asustor branded nas's have been hit with a randsomware attack that liked stemed from their EzConnect service

 

Quotes

Quote

Details are still emerging, so I will keep this article short and sweet for now (and add more later as details emerge), if you own an Asustor NAS drive, check it immediately! Regardless of whether you have enabled remote access via EZConnect or not (as that is not necessarily the key to the attack vector and possible remote DLNA port changes by your system, for example), check it now and ideally disconnect it from the internet.

 

My thoughts

 As someone who has an Asustor nas that was hit with the randsomware. I'm quite annoyed. No backup as it was just extra storage for me but still hurts as my dad uploaded a few photos that are no longer available. Hopefully they find a way to decrypt it soon. Meanwhile my nas is shutdown to stop anything from happening.

 

Sources

https://nascompares.com/2022/02/21/asustor-nas-drives-getting-hit-by-deadbolt-ransomware/

 

Latest posts from asustor can be found here as well: https://support.asustor.com/

 

[Franck]

Good they put a bitcoin address now they just have to follow it and find the person.

[Heliian]

I despise ransomware and the goons who use it.  

Losers trying to justify their criminality by blaming asustor security. 

These people live on a rung below scalpers. 

[da na]

...and this is why I built my own NAS.

[ICEconchy]

5 minutes ago, Mel0nMan said:

...and this is why I built my own NAS.

I'd love to build a nas. But it has to be accessible to my parents who aren't that tech savy and cheap for them. If you've got any recommendations I'd love to hear them, send a DM if you're willing to share.

[Forbidden Wafer]

21 minutes ago, ICEconchy said:

I'd love to build a nas. But it has to be accessible to my parents who aren't that tech savy and cheap for them. If you've got any recommendations I'd love to hear them, send a DM if you're willing to share.

There really isn't an easy way to setup a NAS easily and cheaply, unless you're using an old PC.

I got myself a Kobol Helios 64, but the company went under a few months ago. Which is a shame since the NAS is great. Software is like: whatever the community provides.

[Quackers101]

1 hour ago, Forbidden Wafer said:

There really isn't an easy way to setup a NAS easily and cheaply, unless you're using an old PC.

would love a NAS setup, but like every exploit or meassure one has to do... feels like too much work and keeping up with patches and security risks.

[Franck]

5 hours ago, Mel0nMan said:

...and this is why I built my own NAS.

Even if you build your own ANS you are not safe from an attacker more than anything else.

[wanderingfool2]

4 minutes ago, Franck said:

Even if you build your own ANS you are not safe from an attacker more than anything else.

You actually kind of are though.  From what this case seems to be, it appears as though the vulnerability might have come from the fact that the NAS was opening ports and connections via EZ Connect...that sort of vulnerability wouldn't exist as much in a home built NAS.

 

My guess is that EZ Connect is enabled by default as well (because it means users can just use it out of the box and maybe remotely?)  I don't know, I never used or looked into ASUStor NASes before.  Chaulk another one up to an internet connected device that makes the users vulnerable (thinking imagine if a small business had something like this, and instead of randomware they used it to attack the internal network...or distribute viruses to the entire LAN)

[Forbidden Wafer]

2 hours ago, wanderingfool2 said:

it appears as though the vulnerability might have come from the fact that the NAS was opening ports and connections via EZ Connect...that sort of vulnerability wouldn't exist as much in a home built NAS.

Hmm, and then you setup Docker to host something, disable the firewall or let UPnP do its **magic** and you're suddenly exposing an administrative endpoint with administrative powers. I'm dead serious, it happened. That is why they started supporting rootless operation, Podman exists, etc.

 

6 hours ago, Quackers101 said:

would love a NAS setup, but like every exploit or meassure one has to do... feels like too much work and keeping up with patches and security risks.

I have mine, but only really turn it on a few times per month to sync my local backups and my github/gitlab repos to the local gitea server (I'd prefer gitlab, but uses too much memory for my poor NAS).

[wanderingfool2]

6 minutes ago, Forbidden Wafer said:

Hmm, and then you setup Docker to host something, disable the firewall or let UPnP do its **magic** and you're suddenly exposing an administrative endpoint with administrative powers. I'm dead serious, it happened. That is why they started supporting rootless operation, Podman exists, etc.

Yes, but that is taking actual user actions and users doing something foolish.  Asustor it would I'd assume be on by default, and likely more of a pain to turn off all the online features.

[williamcll]

I guess I'm glad I bought QNAP instead?

[mr moose]

"this is not personal" ... WTF?   only a selfish arse biscuit with the social functioning skills of a molding turd on the dash of an abandoned car would think encrypting someone's files and then demanding money to give them back is not personal.

 

We call it theft, it is very personal and has absolutely nothing to do with security.

 

On 2/25/2022 at 4:58 PM, williamcll said:

I guess I'm glad I bought QNAP instead?

 

They got done a few years ago with a very similar attack.  None of them are safe unless you turn off all internet connectivity (even then there are likely holes).

[Kukielka]

On 2/23/2022 at 1:58 PM, Franck said:

Good they put a bitcoin address now they just have to follow it and find the person.

Ever heard of a Bitcoin Mixer?

[Dutch_Master]

3 hours ago, mr moose said:

We call it theft, it is very personal and has absolutely nothing to do with security.

You got me onboard until that last part. It has everything to do with security, or rather the lack thereof by default from the manufacturer. Having said that, the consumer shares part of the blame, by not setting up their own password but instead rely on known defaults from said manufacturer. One way to overcome this behaviour is to limit access to these IoT devices to the local network by default and if a user wants web access, the OS should mandate setting up a password that has no relation to the provided default (that is: the same but slightly altered, changing a single character is d@mn easy to break with a simple, 0.3 sec brute-force attack )

[ICEconchy]

2 hours ago, Dutch_Master said:

You got me onboard until that last part. It has everything to do with security, or rather the lack thereof by default from the manufacturer. Having said that, the consumer shares part of the blame, by not setting up their own password but instead rely on known defaults from said manufacturer. One way to overcome this behaviour is to limit access to these IoT devices to the local network by default and if a user wants web access, the OS should mandate setting up a password that has no relation to the provided default (that is: the same but slightly altered, changing a single character is d@mn easy to break with a simple, 0.3 sec brute-force attack )

The service that asustor offered, called ezconnect was supposed to be a secure way of connecting to your nas remotly, without having to port forward...
Guess  that went out the window huh?

[Fasterthannothing]

On 2/23/2022 at 1:41 PM, Franck said:

Even if you build your own ANS you are not safe from an attacker more than anything else.

 Not true it all yes you need to have some knowledge of security but you can lock down a custom NAS more than an off the shelf one. Not to mention all the bloatware that causes this type of stuff being pre-installed.

 

[Dutch_Master]

1 hour ago, ICEconchy said:

The service that asustor offered, called ezconnect was supposed to be a secure way of connecting to your nas remotly, without the user having to have port forwarding knowledge...

There, I corrected that for you

[wanderingfool2]

3 hours ago, Dutch_Master said:

You got me onboard until that last part. It has everything to do with security, or rather the lack thereof by default from the manufacturer. Having said that, the consumer shares part of the blame, by not setting up their own password but instead rely on known defaults from said manufacturer. One way to overcome this behaviour is to limit access to these IoT devices to the local network by default and if a user wants web access, the OS should mandate setting up a password that has no relation to the provided default (that is: the same but slightly altered, changing a single character is d@mn easy to break with a simple, 0.3 sec brute-force attack )

 

At the 2:47 mark, the system during the setup process requires entering in a password and not only that but tells you whether it's a weak password.

 

By the looks of things, it almost seems as though someone found a vulnerability in ezconnect; so nope not the user fault really.  I doubt that it even required a password to exploit.  Actually the fact is it's not really the users fault for devices that effectively autoconnect to the internet that are marketed towards novices.  Those kinds of devices should either not do it, or do it in the way that the user can't make those kinds of mistakes.

[Master Disaster]

There's more this to than just EzConnect. My Synology has the exact same feature and its essentially just a VPN service hosted by Synology. Connecting allows me to view files, download, move/copy etc etc. It most certainly does not allow me to execute code on my NAS, that requires SSH which does require the user open ports and have a secure password for external access. It also doesn't allow uploads though the web interface either.

 

Unless EzConnect has the ability to execute terminal commands (which if it does is the dumbest thing I've heard in a long time) the ransomware must have used an exploit to deliver the payload and get RCE.

 

EzConnect might be the entry point but I cannot imagine it also being payload delivery and execution. If it is then WOW, AsusTOR fucked up.

[mr moose]

14 hours ago, Dutch_Master said:

You got me onboard until that last part. It has everything to do with security, or rather the lack thereof by default from the manufacturer. Having said that, the consumer shares part of the blame, by not setting up their own password but instead rely on known defaults from said manufacturer. One way to overcome this behaviour is to limit access to these IoT devices to the local network by default and if a user wants web access, the OS should mandate setting up a password that has no relation to the provided default (that is: the same but slightly altered, changing a single character is d@mn easy to break with a simple, 0.3 sec brute-force attack )

This has nothing to do with security,  their motivation is purely greed.  You do not need to extort money out of innocent consumers to prove a point or fix a security problem.  There are plenty of ways to hold Asustor to account for their practices without hurting innocent people. But hey, they wouldn't make them any money would it?

[FloRolf]

15 hours ago, Master Disaster said:

It [Quickconnect] also doesn't allow uploads through the web interface either.

Ugh well but it does? At least I can do it and I have not seen an option to turn it off. Even then I wouldn't really because I use it for example to sync photos. 

[Master Disaster]

4 hours ago, FloRolf said:

Ugh well but it does? At least I can do it and I have not seen an option to turn it off. Even then I wouldn't really because I use it for example to sync photos. 

Nah, not QC, Synology Connect (which is their version of the same thing).