I get an email like this almost every day:
It is from the daily security run log of one of my FreeNAS customers, emailed to our firstname.lastname@example.org alias. It shows a brute force attack on the exposed SSH port, trying to crack the authentication barrier.
Just days after the installation was completed months ago, a bot started doing IP port scans on our system and found the SSH port open (we used it for remote support). It has been trying ever since, and we have been observing the source IP addresses.
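As an added illustration (not part of the original post), this is the kind of check one would run over the sshd entries that feed that daily security report: it parses sample log lines in FreeBSD syslog format and flags source IPs that are guessing credentials. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in FreeBSD/FreeNAS sshd syslog format; not a real log.
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:01 freenas sshd[2231]: Failed password for root from 203.0.113.45 port 51234 ssh2
Oct 12 03:14:03 freenas sshd[2231]: Failed password for root from 203.0.113.45 port 51234 ssh2
Oct 12 03:14:06 freenas sshd[2235]: Invalid user admin from 203.0.113.45 port 51240
Oct 12 03:14:06 freenas sshd[2235]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Oct 12 03:14:09 freenas sshd[2238]: Failed password for invalid user test from 203.0.113.45 port 51244 ssh2
Oct 12 03:14:12 freenas sshd[2240]: Failed password for invalid user ubuntu from 203.0.113.45 port 51250 ssh2
Oct 12 03:20:40 freenas sshd[2301]: Failed password for invalid user pi from 198.51.100.7 port 40022 ssh2
Oct 12 03:20:44 freenas sshd[2301]: Failed password for invalid user pi from 198.51.100.7 port 40022 ssh2
Oct 12 08:02:15 freenas sshd[2410]: Accepted publickey for support from 192.0.2.10 port 55012 ssh2
Oct 12 08:05:30 freenas sshd[2412]: Failed password for support from 192.0.2.10 port 55020 ssh2
"""

# Matches both "Failed password for root from ..." and the
# "Failed password for invalid user admin from ..." form.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(log_text):
    """Return {source_ip: Counter(username -> failed attempts)}."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")][m.group("user")] += 1
    return attempts

def brute_force_sources(log_text, threshold=5, min_distinct_users=3):
    """Flag source IPs whose failures look like credential guessing rather
    than a legitimate user mistyping: many failures, or failures spread over
    several usernames (typical of dictionary runs against root/admin/test).
    Returns [(ip, total_failures, sorted usernames)], worst first."""
    flagged = []
    for ip, users in failed_logins(log_text).items():
        total = sum(users.values())
        if total >= threshold or len(users) >= min_distinct_users:
            flagged.append((ip, total, sorted(users)))
    return sorted(flagged, key=lambda hit: -hit[1])

if __name__ == "__main__":
    for ip, total, users in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {total} failed logins, usernames tried: {', '.join(users)}")
```

On a real FreeNAS box the same lines come from /var/log/auth.log; the single failure from the support host is left unflagged on purpose, since one mistyped password is not an attack.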
The new Ransomware attack vector
This is not surprising to me. Ransomware has become more sophisticated and more damaging than ever because the monetary returns from ransomware are far more lucrative than those of other cybersecurity threats so far. And the easiest prey is the weakest link in the People, Process and Technology chain. Phishing breaches through social engineering and email are the most common attack vectors, but there are vishing (via voicemail) and smishing (via SMS) out there too. Of course, we do not discount other attack vectors such as malvertising sites, exploits and so on. Anything to deliver the ransomware payload.
The new attack vector is via NAS (Network Attached Storage), and it is easy to understand why.
NAS is the workhorse of the company. They serve many functions, from user home directories to file and web file storage, backup and archive and many more. Their market ranges from small and medium businesses to the largest of enterprises. And a very large percentage is on Windows file sharing via the SMB/CIFS protocol.
What attracts these ransomware hackers like honey is:
- User files: User files are the ones that get encrypted, and these plentiful files in NAS storage are accessed by many Windows file share clients. Once the ransomware payload is planted in NAS storage, it acts as a trojan horse, waiting for the next victim to access the file. The spread via NAS storage is far greater than infecting an individual PC, and the attack surface is far larger and more damaging too.
- Backups: Secondly, backups are the new favourite target of ransomware hackers. When a ransomware attack surfaces, the first thing to do is recover from the backup files. But if the hacker has already encrypted the backup files in stealth, there are no backup files to recover from.
eCh0raix and QNAP® Security holes
Several months ago, the eCh0raix ransomware was made known. It was targeted at QNAP® NAS storage, exploiting its vulnerabilities.
This new ransomware attack vector via NAS is becoming prevalent. Kaspersky brought it to wider attention with their announcement last month, and their announcement is completely congruent with the real-life example of our customer's experience described earlier. First the hackers port-scan for open IP ports, then they try to brute-force the authentication front of one of the NAS services. In our case, it is the SSH port.
And ransomware is becoming more and more damaging. Just days ago, this headline came out:
Here is the link to the headline above.
Cyber Resilience Basic Practices
My team and I at Katana Logic constantly remind our customers to implement basic cyber security measures and cyber resilient practices. In the customer case we mentioned, their initial NAS storage was QNAP®. They related to us that they lost about a month’s animation work because their files were encrypted by ransomware. Since refreshing their NAS storage to FreeNAS™, things have gotten better.
But basic practices must be applied regardless, because the damage is way more costly than the cyber resilience investment in technology solutions. Here are a few general guidelines we impart to our customers:
- Identity Access Management
  - Simple Active Directory implementation for basic authentication and authorization
- Update and patch your NAS storage OS
  - Disable SMB 1.0
  - Upgrade to the latest version of the software and apply the latest patches
  - Subscribe to software updates for auto updates and announcements
- Implement a robust security suite
  - Do not use the “free” anti-virus or anti-malware
  - Look for a security suite that uses signatures, heuristics and behavioural analytics
  - Perform periodic security scans for open IP ports on the NAS and also of the files it stores. EDR (Endpoint Detection and Response) has been a popular choice; its security features and capabilities vary from vendor to vendor.
- Back up and airgap your backup
  - Do a fresh backup
  - Replicate your backup to a second site (this creates the “airgap”: the separation of the backup and the replicated copy)
  - Check out this ZFS replication implementation I wrote using FreeNAS™
- Train your people
  - Learn to recognize suspicious files or attachments and phishing/vishing/smishing attempts
  - Understand how files are “brought” into the company network, e.g. USB thumb drives, emails, CVs or resumes etc.
  - Use strong passwords and change them regularly
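An added example for the “Disable SMB 1.0” item, not from the original post or from iXsystems: a small audit of the Samba `server min protocol` setting in an smb4.conf, with a weak fragment beside the corrected one. The config fragments are constructed, and treating an unset option as still allowing SMB1 is an assumption made here for the audit.

```python
import configparser

# Constructed smb4.conf fragments for illustration; not from any real system.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = NAS with SMB1 still negotiable
server min protocol = NT1
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = NAS accepting SMB2 and later only
server min protocol = SMB2_02
"""

# Samba dialect names accepted by "server min protocol".
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
SMB2_PLUS_DIALECTS = {"SMB2", "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
                      "SMB3", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"}

def min_protocol(conf_text):
    """Return the configured 'server min protocol' (upper-cased),
    or None if the option is not set in [global]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(conf_text)
    value = cp.get("global", "server min protocol", fallback=None)
    return value.strip().upper() if value else None

def smb1_allowed(conf_text):
    """True when the server would still negotiate an SMB1 dialect.
    Assumption: an unset option is treated as allowing SMB1, since older
    Samba releases defaulted to an SMB1 minimum; confirm the effective
    value with 'testparm -v' on the actual system."""
    proto = min_protocol(conf_text)
    if proto is None or proto in SMB1_DIALECTS:
        return True
    if proto in SMB2_PLUS_DIALECTS:
        return False
    raise ValueError(f"unknown dialect name: {proto}")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{name}: min protocol={min_protocol(conf)}, "
              f"SMB1 allowed={smb1_allowed(conf)}")
```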
In case of a ransomware infection:
- Disconnect the end device from all networks
  - This could be the NAS storage or the endpoint PC(s); the aim is to prevent further spreading
- Identify the ransomware
  - Sometimes there are known decryption keys provided by vendors or cybersecurity consultants. Here is one of the lists.
- Restore from backup
  - Preferably in a sandbox or virtual environment where the files are contained
  - Scan the restored files
- Do not pay the ransom
While these basic practices and guidelines are not 100% foolproof, these simple measures can mitigate a significant part of a ransomware’s damage to the customers’ files.
Security considerations in FreeNAS™ and TrueNAS™
My company, Katana Logic, is an iXsystems reseller. We often hear from customers and potential customers about the cyber security considerations in the technology we represent, both FreeNAS™ and TrueNAS™. This is also not to put QNAP® in a negative light, because they have since resolved the security vulnerabilities in their OS.
We love the ClamAV® plug-in that runs in a FreeBSD jail. The popular anti-virus is free and flexible, has both signature-based and heuristic analytics (via its LibClamAV library), and can be configured to perform scans and quarantine potential ransomware threats. Running ClamAV in its own “virtualized container” keeps the security suite separate from the storage OS, and it works well with FreeNAS™ and TrueNAS™.
Another security feature we rarely talk about is the ZFS end-to-end checksum, which covers the file system level, the RAID level and even the block level. This means that data cannot be modified by ransomware without changing the checksum. Once data has been modified by the ransomware, it is considered corrupted and thus cannot infect the storage OS in FreeNAS™ and TrueNAS™.
The ransomware threat is getting more acute, and there is no 100% secure system out there. What I have put up in this blog is really to get everyone using NAS to think about security and cyber resiliency in a more serious manner. The warfare on these attacks is going to escalate, and ransomware is heading to the cloud and into applications such as databases. Prevention is better than cure.
It is time we are diligent in protecting our NAS and the network NAS is exposed to. It is time not to assume but to seriously think about cyber resilience. You will sleep better at night knowing your gates are locked.
Thanks for sharing that. But there is something I do not understand: if the hacker discovered the SSH port, why does he try a lot of different ones?
I have approximately the same logs since a few days ago, although my SSH port is redirected…