Author Topic: Ransomware Infects D-Link NAS Devices  (Read 21750 times)

iker

  • Level 1 Member
  • Posts: 3
Ransomware Infects D-Link NAS Devices
« on: February 24, 2019, 02:20:29 AM »

I found out yesterday that it looks like there is a ransomware actively attacking DNS-320 and DNS-320L/LW (maybe more models are affected) and encrypting all your files. There is not much info about it, but according to some affected users, they were on old firmware versions with the web interface and FTP exposed to the internet. They still don't know exactly how the ransomware attacked the NAS, so this is only a theory and it could be a different attack. I hope that the vulnerability is solved in newer firmware versions, but anyway you should always avoid exposing the web interface to the internet on this and on any device.

https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/
Logged

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: Ransomware Infects D-Link NAS Devices
« Reply #1 on: February 24, 2019, 11:07:42 AM »

What version of FW are you using?

The user did mention "My Dlink NAS is a DNS-320LW (the White version of more widespread DNS-320L with full firmware compatibility), and I must confess that I had not updated the firmware so it should be a basical 1.01."

So at this stage anything was possible.

Since v1.11 is the most current, we can only hope that users would and should already be on this version of FW, which would help avoid this kind of compromise.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

arisermpo87

  • Level 1 Member
  • Posts: 7
Re: Ransomware Infects D-Link NAS Devices
« Reply #2 on: February 25, 2019, 03:03:37 AM »

Hey guys. My DNS-320 ver A2 was attacked.
I had it connected to the Internet via port forward and DMZ, which I guess was the problem. Now I cut both port forward and DMZ. Is it safe to use it again?
Logged

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: Ransomware Infects D-Link NAS Devices
« Reply #3 on: February 25, 2019, 07:28:19 AM »

Welcome!

  • What Firmware version is currently loaded? Found on the DNS's web page under Status.
  • What region are you located in?

What Mfr and model is the main host router?

What version of FW are you using?
What do you mean by attacked?
How did you determine your DNS was attacked?

Using the DMZ is not recommended for NAS devices.

Quote from arisermpo87:
Hey guys. My DNS-320 ver A2 was attacked.
I had it connected to the Internet via port forward and DMZ, which I guess was the problem. Now I cut both port forward and DMZ. Is it safe to use it again?
Logged

arisermpo87

  • Level 1 Member
  • Posts: 7
Re: Ransomware Infects D-Link NAS Devices
« Reply #4 on: February 25, 2019, 07:58:15 AM »

Hello!
So I have a DNS-320 v A2 used for local storage and file exchange for a small business. A few weeks ago, I wanted to have remote access to some files, so I used port forward and DMZ from my router to achieve this.
Today, most of my files appeared to be corrupted. I found two files that stated all corrupted files are now encrypted. With a little search online I came across this article.
Thankfully I had a full backup and the damage was minimal. At the moment I wasn't using the latest FW on the NAS.

My router is a ZTE Speedport Entry 2i. I don't think that the DNS was attacked. All I think is that having enabled DMZ and Port Forwarding was a huge mistake, despite using a 10-character-long password for NAS access (with upper and lower case letters, numbers and symbols).
Logged

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: Ransomware Infects D-Link NAS Devices
« Reply #5 on: February 25, 2019, 08:01:57 AM »

Are ALL files on the DNS corrupted?

What version of FW are you using on the DNS?
Logged

GreenBay42

  • Administrator
  • Level 11 Member
  • Posts: 2752
Re: Ransomware Infects D-Link NAS Devices
« Reply #6 on: February 25, 2019, 08:06:21 AM »

This has been reported to the D-Link security team.
Logged

arisermpo87

  • Level 1 Member
  • Posts: 7
Re: Ransomware Infects D-Link NAS Devices
« Reply #7 on: February 25, 2019, 08:14:23 AM »

Not all files were corrupted/encrypted. There was a file created "_Cr1ptt0r_logs.txt" with the following format:

encrypting using public key: 066d97d8756b5388ca7b74594a9563f04232b38361c20c0056a0ff9dc1a6f253
encrypted: /mnt/web_page/goweb.htm

and so on for all the files that appeared to be corrupted.
At that moment I had FW 2.03. Now I have FW 2.05B10.

One weird thing that I saw was under Account management -> Users/Groups there was a user named "remote" assigned to groups "sudo" and "wheel". I never created such a user/groups.
Logged
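The post above quotes two line shapes from the `_Cr1ptt0r_logs.txt` file (a "public key" line and one "encrypted:" line per file) and an unexpected "remote" account in the sudo and wheel groups. The script below is an added example written for this thread, not code from the poster, from D-Link, or from the BleepingComputer article. It parses a constructed log in that format to produce a per-share list of affected files (useful for scoping a restore from backup) and scans a constructed `/etc/group` excerpt for accounts in privileged groups that are not on an allowlist. The function names, the allowlist and the sample paths other than the one quoted in the post are assumptions.

```python
"""Triage helper for the log format quoted in the post above.

Added example, not code from the thread or from D-Link. SAMPLE_LOG and
SAMPLE_GROUP are constructed inputs shaped like what the poster described;
a real log or group file may contain other line types, which are reported
as "unknown" rather than silently dropped.
"""
import re

# Constructed sample log: key line as quoted in the post, file lines invented.
SAMPLE_LOG = """\
encrypting using public key: 066d97d8756b5388ca7b74594a9563f04232b38361c20c0056a0ff9dc1a6f253
encrypted: /mnt/web_page/goweb.htm
encrypted: /mnt/HD/HD_a2/Invoices/2019-02.xlsx
encrypted: /mnt/HD/HD_a2/Photos/IMG_0001.jpg
"""

# Constructed /etc/group excerpt with a "remote" account in sudo and wheel,
# mirroring what the poster saw under Account management.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:root,remote
sudo:x:27:remote
users:x:100:admin
"""

KEY_RE = re.compile(r"^encrypting using public key:\s*([0-9a-fA-F]+)\s*$")
FILE_RE = re.compile(r"^encrypted:\s*(\S.*)$")

# Groups that grant root-equivalent rights on a typical embedded Linux NAS.
PRIVILEGED_GROUPS = ("root", "wheel", "sudo")


def parse_cr1ptt0r_log(text):
    """Return (public_key or None, [encrypted paths], [unrecognised lines])."""
    key, paths, unknown = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m:
            paths.append(m.group(1))
            continue
        unknown.append(line)  # keep anything unexpected for manual review
    return key, paths, unknown


def affected_shares(paths):
    """Count encrypted files per top-level share directory (/mnt/<share>)."""
    counts = {}
    for p in paths:
        parts = p.split("/")
        # ['', 'mnt', 'share', ...] -> '/mnt/share'; shorter paths kept whole
        share = "/".join(parts[:3]) if len(parts) > 3 else p
        counts[share] = counts.get(share, 0) + 1
    return counts


def unexpected_privileged_users(group_text, allowlist=("root", "admin")):
    """Return {user: [groups]} for privileged-group members not on the allowlist."""
    findings = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        group, members = fields[0], fields[3]
        if group not in PRIVILEGED_GROUPS:
            continue
        for user in filter(None, members.split(",")):
            if user not in allowlist:
                findings.setdefault(user, []).append(group)
    return findings


if __name__ == "__main__":
    key, paths, unknown = parse_cr1ptt0r_log(SAMPLE_LOG)
    print("public key:", key)
    for share, n in affected_shares(paths).items():
        print(f"{share}: {n} encrypted file(s)")
    if unknown:
        print("unrecognised log lines:", unknown)
    for user, groups in unexpected_privileged_users(SAMPLE_GROUP).items():
        print(f"unexpected privileged account {user!r} in groups {groups}")
```

Run it against the real `_Cr1ptt0r_logs.txt` and a copy of `/etc/group` pulled from the NAS, and treat both the encrypted-file list and any unexpected privileged account as evidence to preserve before wiping and restoring from backup, since a stray account is a sign that more than file encryption happened.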

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: Ransomware Infects D-Link NAS Devices
« Reply #8 on: February 25, 2019, 08:23:28 AM »

What region are you located in?
Logged

arisermpo87

  • Level 1 Member
  • Posts: 7
Re: Ransomware Infects D-Link NAS Devices
« Reply #9 on: February 25, 2019, 08:32:04 AM »

Greece
Logged

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: Ransomware Infects D-Link NAS Devices
« Reply #10 on: February 25, 2019, 09:19:10 AM »

Do you have any back up of the contents of the drives in the DNS?
Logged

arisermpo87

  • Level 1 Member
  • Posts: 7
Re: Ransomware Infects D-Link NAS Devices
« Reply #11 on: February 25, 2019, 09:21:49 AM »

Yes, I had a full backup from two days ago. Thankfully I had scheduled a backup every two days.
Logged

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: Ransomware Infects D-Link NAS Devices
« Reply #12 on: February 25, 2019, 09:30:22 AM »

Where are you getting v2.XX FW from?
I'm only seeing v1.11 for A series models:
https://eu.dlink.com/gr/el/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure#support

I presume you may need to restore these files from backup...
Logged

arisermpo87

  • Level 1 Member
  • Posts: 7
Re: Ransomware Infects D-Link NAS Devices
« Reply #13 on: February 25, 2019, 09:37:02 AM »

Those FW are for the 320L model. I have the 320 model. I already restored my backup to a local drive.
My question is, is it safe to use the NAS (after formatting the drive and disabling port forward)?

edit: Thanks for your help!
« Last Edit: February 25, 2019, 09:40:29 AM by arisermpo87 »
Logged

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: Ransomware Infects D-Link NAS Devices
« Reply #14 on: February 25, 2019, 09:59:04 AM »

You should be ok.
You might file a support ticket or contact your regional D-Link support office about this and let them know what happened.

Just keep the DNS out of the DMZ.
Logged