We were alerted initially by Synology that there have been a number of attacks targeting their units, then with a little time it became apparent that this was not just isolated to Synology units but all of the popular NAS units
- Buffalo LinkStations
- Western Digital My Cloud
So what does this mean and how does this affect the average business or home users...?
How these attacks are being done
Well basically its a brute force attack the culprits are using a program to find the IP address of NAS units then using the common usernames for device administrators and password libraries to attempt to log into your unit. Once in they then set about too encrypt your data and then block you from having access to your own files, and leave the below message letting you know what to do...
All your files have been encrypted. Your unique id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx You can buy decryption for 350$ in Bitcoins But before you pay, you can make sure that we can really decrypt any of your files. The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files. To do this: 1) Download and install Tor Browser (https://www.torproject.org/download/) 2) Open the xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion web page in the Tor Browser and follow the instructions.
How do you prevent this from happening?
There are several things you can do to prevent these attacks, the best is to be aware of your security and actually follow good practices with regards to usernames, passwords and open ports. So here is what we are doing for the units that we manage;
- Change the ports to a custom range
- When a NAS unit is first set up all the ports are set to defaults, you should change these to a custom port number this way its harder for these attackers to find your unit in the first place.
- Change the Block failed login settings to - 3 attempts in 10 minutes
- Typically you will have a set number of attempts before the system will log your IP address, and then block it and notify the administrator of the failed logins we decrease this number and increase the time frame
- Complex passwords - https://www.dinopass.com - using upper, special, and numbers
- All passwords should be complex, so for example a typical example for our clients password would be ' Jumpy-Rabbit+95 '
- Activate DDOS on all ethernet ports
- By default most NAS units will have some form of DDOS protection on the incoming connections, network, virtual network etc.
- DDoS is a type of DOS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Denial of Service (DoS) attack.
- Firewall Block all ports but ones being used
- Again by default most NAS units will have a firewall feature, sometimes this is 'Open' to all traffic you should always set the unit up to block all ports and then create a rule for each of the ports you want allowed this way again we are limiting the access to the unit and the chance of being attacked.
- MFA or 2FA on all administrator accounts
- Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).
- Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
- We recommend the use of Microsoft Authenticator - https://www.microsoft.com/en-us/account/authenticator it is available on Apple OS and Android OS as well as being linked to work very well with Microsoft products.
Security for NAS units, Servers, Businesses and Home users is always going to be about having a multiple layered approach and ensuring that your systems, methods and security is kept up to date. This can be a time consuming process but if you have good practices from the beginning this will always reduce the risk of being attacked and losing your data, identity and records to the opportunistic attacks that are now a constant threat in this age of growing technology solutions and devices.
Reference websites used for both the research and also good links to assist with the security of your NAS units are;
- Reference and research sites
- Manufacture sites
- Synology Units - https://www.synology.com/en-global/solution/ransomware
- QNAP - https://www.qnap.com/en-au/security-advisory
- Buffalo - https://www.buffalo-technology.com/service-support/aktuelle-sicherheitshinweise/
- TerraMaster - https://www.terra-master.com/us/press/
- Western Digital - https://www.westerndigital.com/support