• March 28, 2024, 09:34:32 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: DNS-345 & Cr1ptT0r ransomware  (Read 6697 times)

chris24747

  • Level 1 Member
  • *
  • Posts: 4
DNS-345 & Cr1ptT0r ransomware
« on: October 26, 2019, 05:38:35 AM »

Hi all.
         I'm not sure if this is a new development or not, the only DLink announcement i've seen (https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10110) only refers to the DNS-32* range of devices.

I've just had my DNS-345 (which was + is running firmware DNS345.1.05b04(1.04.1107.2016) - which appears to be the latest) hit by the Cr1ptT0r Ransomware exploit. Judging by timestamps, it started on Wednesday morning, I discovered it on Friday evening - it' was only part way through.

Fortunately, I have an offsite backup so my data is fine, minus some content from the past couple of months - some of which i've been able to pull unencrypted from my 345.

Schoolboy error - the NAS was connected to the internet, port 443 forwarded etc. My post is therefore more of a warning to others, the DNS-345 is vulnerable to this exploit despite not being mentioned in that briefing unless there's another I havent found. Are D-link even aware that the exploit has evolved to the 345s (and others, maybe?).
The Cr1ptT0r version was v1.1.1 (found under the NAS_prog directory). Files are replaced, the names and file extension remain. I tried a couple of the decryptors out of interest, no luck there. The ransomware appears to zero over the original file, so the 'accidental deletion' type recovery tools wont be able to get them.

While i'm here.  I've flashed the firmware again, done a factory reset, re-formatted / rebuilt my disk array and, of course, removed the port forward.  Is there anything else I need to do to remove trace of this and prevent files from being re-encrypted once I restore them on?

I've got to say, this has left a real bitter taste in my mouth with DLINK. I know the DNS345 is out of support, but something as destructive as ransomware - I'd have hoped they might have done something as a gesture of goodwill.

I'll finish by reminding everyone to maintain proper backups.  Had I not, I'd have lots thousands of photos, documents, home movies.  In fact, if anything, I think this experience has convinced me to get another backup to grandfather my data.
« Last Edit: October 26, 2019, 05:41:11 AM by chris24747 »
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: DNS-345 & Cr1ptT0r ransomware
« Reply #1 on: October 26, 2019, 02:30:35 PM »

Thanks for letting us know about your experiences.
Sorry that this seemed to happen. All the years I've had my 345, Mines never been hit, though i've never opened any ports from the internet to any NAS I connect. So this is one on you rather then D-Link. Kind of hard for D-Link accept full blame for some hacks they don't know about. This hack effected more then just D-Link NAS's

Best thing is to keep ANY NAS from internet WAN access period. If you need remote access to certain files, out them in the cloud or have a different NAS unit, maybe something small that you can configure for WAN access if thats something you need.

I'll let D-Link know about this. Not sure if they will do anything for the 345. For now, keep it OFF the internet wan side.
You can setup some filters on your router to block any wan site access if you want to go deep to keep anything from access from the WAN side to the 345. Look for JavaLaywers quick guide for this.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

chris24747

  • Level 1 Member
  • *
  • Posts: 4
Re: DNS-345 & Cr1ptT0r ransomware
« Reply #2 on: October 27, 2019, 02:50:06 PM »

I wasn't trying to pin any blame on DLink for this occurring, especially if, like you say they were unaware of it. I've been extremely naive on connecting it to the internet. Hindsight is a wonderful thing.
The shameful part of this all is that I work in IT and have some background in security, proactive monitoring and the like, so I definately should have known better.

The point I was trying to make was more that I'd have hoped that if the 345 has the same weakness as the 32* family, they they'd have patched it the same as the others. Obviously if it's a new exploit or an evolution of the previous one, then fair play, nothing could be done as with any day0 malware.

I'd like to hope that if DLink have the opportunity, that they would look into how it occurred and patch, despite being out of support. Unfortunately I didn't grab any of the malicious files before formatting, so they won't come from me.
Microsoft patched XP 3 years beyond it's end of life date following WannaCry. I can only hope DLink follows in this example.

Meanwhile, data is restored and I'm more or less back to normal!
Logged

GreenBay42

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2752
Re: DNS-345 & Cr1ptT0r ransomware
« Reply #3 on: October 28, 2019, 06:53:33 AM »

Thanks for the information. I will forward this to the security team for review.
Logged