apopcontest
Jan 14, 2024 Aspirant
ReadyNas RN2100 hacked
So it appears that my credentials were exposed after a recent data breach from Netgear (thanks guys) and I received an email a few months back saying all my data had been stolen and I wanted to get i...
StephenB
Jan 14, 2024 Guru - Experienced User
apopcontest wrote:
So it appears that my credentials were exposed after a recent data breach from Netgear (thanks guys)
I'm puzzled here. Can you confirm that the NAS is an RN2100 running 4.1.x firmware? Did you get an email from Netgear telling you there was a breach? Or are you just speculating?
The Netgear cloud services that can reach your NAS over the internet (photos and readyremote) were taken down long ago. There is no Netgear cloud account or server that is linked to your NAS.
How were the hackers able to reach your NAS? Were you forwarding ports to it?
apopcontest
Jan 16, 2024 Aspirant
Hello,
Currently away from where my NAS is located for a few days, I can confirm that my NAS is RN2100 running 4.1.x firmware and I do recall reading an email from Netgear informing me of a data breach, however I have had a few to be honest and I never really paid attention to them too much.
I was under the impression that ReadyNAS Cloud was only closed late last year (which I was unaware of) and I have ReadyCloud Client installed on my computer which I cannot access which I understand.
I am not sure how the hackers were able to access my NAS, I can access it using what I created at the time for my username and password which was email and an old password which I never changed, I believe this password is probably available somewhere online for people to make attempts to login using my credentials. Would this be how they were able to access my NAS?
Any recommendations on how to move forward? Do a hard reset? My concern would be that if I placed data on my NAS, a hacker would be able to access my NAS using my old credentials.
- StephenB Jan 16, 2024 Guru - Experienced User
apopcontest wrote:
I was under the impression that ReadyNAS Cloud was only closed late last year (which I was unaware of) and I have ReadyCloud Client installed on my computer which I cannot access which I understand.
Netgear branding has often re-used old names, which unfortunately creates a lot of confusion. The ReadyCloud you had installed was shut down in September 2016, so your NAS hasn't been connected to it for 7 years.
The service that was shut down in July was only for ReadyNAS running 6.x firmware. So not compatible with your NAS.
apopcontest wrote:
I am not sure how the hackers were able to access my NAS, I can access it using what I created at the time for my username and password which was email and an old password which I never changed
Let's start from the beginning. FWIW, I don't think your NAS ever supported email format usernames, so that part of your email is a bit confusing.
What apps did you have installed on your NAS? Bittorrent perhaps?
Did you ever forward any ports in your router to the NAS?
You received an email from someone claiming to have encrypted your files. Did they specifically say they had hacked your ReadyNAS? Or just that they had encrypted files? Did you click on any links or open any attachments in that email? It's possible that the email was fake.
You are away from home, and cannot access your NAS. Have you tried accessing it while you were home? When did you lose access?
If you have access, are you able to see your shares? If so, what files are you seeing in the shares?
When you try to access Frontview now (when home) are you getting an SSL version or Cipher Mismatch error? Or are you getting something else?
apopcontest wrote:
I believe this password is probably available somewhere online for people to make attempts to login using my credentials. Would this be how they were able to access my NAS?
Not unless you had forwarded ports to the NAS to enable remote connections. Or alternatively if they compromised a PC you use to connect to the internet.
apopcontest wrote:
Any recommendations on how to move forward? Do a hard reset? My concern would be that if I placed data on my NAS, a hacker would be able to access my NAS using my old credentials.
FWIW, I am not (yet) seeing strong evidence that the NAS was in fact hacked. There were changes in Chrome, Edge, Firefox, and Safari last year that do prevent access to Frontview. There are some workarounds, but AFAICT you don't know about them.
It is also possible that disk failures (or a NAS failure) are the actual cause of your problem. So there are other explanations for the lack of access that haven't really been ruled out.
Do you only have an access problem reaching your files? Or do you actually see encrypted files on the NAS when you access it?
As far as old credentials go, if you do a factory default then those credentials will no longer work with the NAS. But of course if you also use them for other devices (or accounts) you should start by changing them.
Plus access to your NAS over the internet requires more than the old credentials. Normally your router won't allow a hacker to reach the NAS. So we'd also need to understand how the alleged hacker managed to get through your router.
- apopcontest Jan 19, 2024 Aspirant
Sorry I don't know how to quote, so I will try and answer accordingly...
What apps did you have installed on your NAS? Bittorrent perhaps?
Did you ever forward any ports in your router to the NAS?
Not Bittorrent, I only had Plex Server installed on NAS, could they have gained access with a compromised username and password on Plex?
You received an email from someone claiming to have encrypted your files. Did they specifically say they had hacked your ReadyNAS? Or just that they had encrypted files? Did you click on any links or open any attachments in that email? It's possible that the email was fake.
Please see this screenshot, the same message was saved on my NAS which was emailed, which I initially ignored as I was busy at the time. I have blocked out other information for the safety of others.
Not unless you had forwarded ports to the NAS to enable remote connections. Or alternatively if they compromised a PC you use to connect to the internet.
Is there a way to find this?
Here are some other screenshots for further assistance.
Moving forward, should I remove the Plex App? Hard to tell if my computer was compromised; I do have paid antivirus protection on my laptop. I have been exposed to a few data breaches already but nothing too major (so far), I thought perhaps my older credentials have been sitting somewhere on the internet and someone had a crack at accessing my NAS through ReadyCloud. The only way I can access the NAS currently is by clicking on the explorer button and selecting 'Network' then when accessing the drive, I am asked to login, which I used my ReadyCloud email address and password, this is what gives me the understanding that a hacker was able to access my files using these credentials.
How do you suggest I proceed moving forward to secure the device?
- StephenB Jan 19, 2024 Guru - Experienced User
Thx for the screenshots. My replies so far assumed you had an RN2100 (as you said in your title). But you actually have an RN214, which is a completely different (and much newer) ReadyNAS platform.
RN2100:
RN214:
The RN214 could have been connected with ReadyCloud, as it is an OS-6 platform. That would have stopped last summer when Netgear took down the service.
- Do you recall when you received that email?
- Also, was your NAS originally named "Crypto", and did it have a share called "coin"? (I'm assuming not!)
apopcontest wrote:
Not unless you had forwarded ports to the NAS to enable remote connections. Or alternatively if they compromised a PC you use to connect to the internet.
Is there a way to find this?
As far as port forwarding goes, you'd look for that in your router settings. Any port forwarding rules should be removed. While there,
- you should check to see if the UPnP service is enabled. If it is, then you should turn that off. It is a security risk, as it does allow any device on your home network to open up ports in your router's firewall.
- make sure the router firmware is up to date.
- If remote administration is enabled on your router, then I suggest disabling that.
- Also change the router's admin password.
What router model (and manufacturer) are you using?
You might also want to run malware scans on all your PCs. For instance, using the free download of malwarebytes.
Given the overall situation, it might be worth getting a subscription for a while, so you'd have real-time protection on your PCs.
Also, if you are using Microsoft accounts on your PCs (connected with Microsoft OneDrive), then you should also change the Microsoft passwords.
apopcontest wrote:
How do you suggest I proceed moving forward to secure the device?
It's not just securing your NAS. You need to make sure your home network (and all devices on it) are secured.
In general, the NAS settings are all on the disks. So a factory default should bring the NAS back to its out-of-the-box state. So you'd need to set up the NAS from scratch. The ReadyNAS service (like all cloud services) would be disabled. Since the service is down, you would not be able to join ReadyCloud (and shouldn't attempt it). Obviously set up different credentials.
After the initial factory default, you should update the firmware to 6.10.9 (which needs to be done manually).
Reinstalling Plex is possible, but due to the deprecation of Debian 8 (the Linux OS your NAS uses) earlier this year, you'd need to make some changes. This (rather long) discussion thread includes the info on what is needed.
Post 37 has the files you need to modify/add. Post 1 tells you where you need to put them.
Personally I run Plex on an always-on Windows PC, which has the media share(s) mapped to drive letters.
Risks here:
1. Since you don't really know how the NAS was compromised, the same security vulnerability might remain (and might not be on your NAS at all).
2. There is a very small chance that the hacker might have installed a root kit on the disks (which can be very difficult to remove).
On (2) you could just install new disks, and get rid of the old ones.