apopcontest
Jan 13, 2024 - Aspirant
ReadyNas RN2100 hacked
So it appears that my credentials were exposed after a recent data breach from Netgear (thanks guys) and I received an email a few months back saying all my data had been stolen and I wanted to get i...
apopcontest
Jan 19, 2024 - Aspirant
Thanks for the screenshots. My replies so far assumed you had an RN2100 (as you said in your title). But you actually have an RN214, which is a completely different (and much newer) ReadyNAS platform.
I apologise profusely, I think I was looking at my receipt to confirm the model number of the NAS and it says 2100 funnily enough, who would've thought it was an actual product as well.
The RN214 could have been connected with ReadyCloud, as it is an OS-6 platform. That would have stopped last summer when Netgear took down the service.
- Do you recall when you received that email?
- Also, was your NAS originally named "Crypto", and did it have a share called "coin"? (I'm assuming not!)
Are you asking about the 'threat email' to pay crypto? - It arrived sometime late last year and I remember opening it because it actually named my NAS device, I assumed they got the information due to a data breach and never checked my NAS because ... frankly it only had movies and TV shows and also I was swamped at the time. Never have I named it crypto, the hacker has clearly renamed them those names.
As far as port forwarding goes, you'd look for that in your router settings. Any port forwarding rules should be removed. While there,
- you should check to see if the UPnP service is enabled. If it is, then you should turn that off. It is a security risk, as it does allow any device on your home network to open up ports in your router's firewall.
- make sure the router firmware is up to date.
- If remote administration is enabled on your router, then I suggest disabling that.
- Also change the router's admin password.
I wasn't sure if I could see any port forwarding rules but I disabled a few things. I also disabled the UPnP service, apparently my firmware is up to date, and I also changed the router admin password. I also deleted a Virtual Server, hope I was meant to do that. I already have a McAfee virus protection subscription on my main laptop at home.
Also, if you are using Microsoft accounts on your PCs (connected with Microsoft OneDrive), then you should also change the Microsoft passwords.
Thanks, I already change my password annually, so time has come to change it again, so I will be doing so in due course.
In general, the NAS settings are all on the disks. So a factory default should bring the NAS back to its out-of-the-box state. So you'd need to set up the NAS from scratch. The ReadyNAS service (like all cloud services) would be disabled. Since the service is down, you would not be able to join ReadyCloud (and shouldn't attempt it). Obviously set up different credentials.
Thank you, I guess I will dig up how to do a factory reset. I am hoping it's just a matter of pressing a physical button on the back of the NAS.
Risks here:
- Since you don't really know how the NAS was compromised, the same security vulnerability might remain (and might not be on your NAS at all).
- There is a very small chance that the hacker might have installed a root kit on the disks (which can be very difficult to remove).
Do you think it's possible that a hacker may have accessed my NAS through a username and password they found and attempted to access ReadyCloud? Or could it point to actually gaining access via my router?
Could wiping the disks also remove the root kit on the disks? According to the data being mentioned via ReadyCloud interface, I have a completely empty disk.
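The advice above is to turn UPnP off in the router because it lets any LAN device (including a compromised NAS or PC) punch holes in the router's firewall. A practitioner would want to verify the setting actually took effect rather than trust the admin page. The script below is an added example, not code from the thread or from Netgear: it sends a standard SSDP M-SEARCH for an Internet Gateway Device from any host on the home network and reports every router that still answers. It assumes the router follows the UPnP Device Architecture (multicast 239.255.255.250:1900), which consumer routers do; the sample response used to exercise the parser is constructed.

```python
#!/usr/bin/env python3
"""Check whether a router on the local network still answers UPnP (IGD) discovery.

Added example, not from the original thread. After disabling UPnP in the
router's admin page, run this from any host on the LAN. A router with UPnP
still enabled answers the SSDP M-SEARCH below with the URL of its
InternetGatewayDevice description; no answer before the timeout means no
gateway is advertising itself. Assumption: the router implements standard
SSDP on 239.255.255.250:1900 (UPnP Device Architecture 1.0).
"""
import socket
import sys

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request for the given search target."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",          # seconds the device may wait before replying
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into a dict of lower-cased headers.

    Returns {} for anything that is not a 200 response, so stray multicast
    traffic (NOTIFY announcements from other devices) is ignored.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        # Split on the first colon only: header values such as the ST URN
        # contain further colons.
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_igd(headers: dict) -> bool:
    """True if a parsed reply advertises an Internet Gateway Device."""
    return "InternetGatewayDevice" in headers.get("st", "") and "location" in headers


def discover_igd(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect (ip, description_url, server) for each IGD reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if is_igd(headers):
                found.append((addr[0], headers["location"], headers.get("server", "?")))
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    igds = discover_igd()
    if not igds:
        print("No UPnP Internet Gateway Device answered: UPnP appears to be off.")
        sys.exit(0)
    print("UPnP is still ON. Gateways answering discovery:")
    for ip, location, server in igds:
        print(f"  {ip}  {server}  description: {location}")
    sys.exit(1)
```

Run it from a PC on the same LAN segment as the router (Wi-Fi client isolation or a guest network may block the multicast, giving a false "off"). A non-zero exit means the router is still accepting UPnP requests, and its description URL is what a malware-infected host would fetch next to find the port-mapping control endpoint.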
StephenB
Jan 20, 2024 - Guru - Experienced User
apopcontest wrote:
I also deleted a Virtual Server, hope I was meant to do that.
The Virtual Server is another name for port forwarding services, so it might have been the way the hacker accessed the NAS. Do you recall if that pointed to the NAS? Do you recall creating/configuring that server?
apopcontest wrote:Do you think its possible that a hacker may have accessed my NAS through a username and password they found and attempted to access ReadyCloud?
It is possible though it's not clear how your ReadyCloud credentials would have been leaked. Mine weren't (I didn't receive any breach emails from Netgear), and if there was a breach we'd have seen a lot of posts here about it (as many other ReadyCloud users would have been hacked). Unfortunately you don't know the timing, so we can't tell if the ReadyCloud service was taken down before the files were deleted.
The virtual server you deleted is another possibility, and IMO more likely. But if you didn't set up that server, then the hacker must have found a way to do that remotely.
Nothing against McAfee, but I still do recommend downloading MalwareBytes and doing a scan of the PC with it. You can of course remove it later. None of these scanning tools catch everything, and when your network security has been breached it is a good practice to scan with more than one. You do need to be careful on which ones you use, because some tools you find when googling are actually scams. But MalwareBytes is reputable.
apopcontest wrote:
Could wiping the disks also remove the root kit on the disks? According to the data being mentioned via ReadyCloud interface, I have a completely empty disk.
I don't think there is likely to be a root kit.
That said, they can be hard to remove. To be clear, you do not have a "completely empty disk". Your disks are formatted and there is an OS partition and a swap partition used by the NAS on each of them. Plus disks with root kits appear to be empty but are not. If you can connect the disks one at a time to a Windows PC, you can scan them for rootkits. AVAST One is a free tool you can use for this.
But I think you'd be ok if you just do the factory default from the web admin interface. Do this from System->Settings->Update
This will bring the NAS back to an out-of-the-box state - reformatting the disks, and reinstalling the NAS software on them. You'd need to set up the NAS from scratch (recreating shares, etc). All accounts other than admin would be removed, including the ReadyCloud user account. The ReadyCloud service will also be disabled. Don't try to re-enable it - the service is taken down.
Use the normal admin account to set up the NAS (browsing to https://nas-ip-address/admin). The nas-ip-address is a placeholder, you'd need to use your real NAS IP address. You can find that in your router's attached device list. It can also be found on the NAS front panel. (Press the power button once if it is blank). The username is admin. The default password is password which of course should be changed to a strong password during setup.
I suggest downloading the hardware and software manual for your NAS
- https://www.downloads.netgear.com/files/GDC/READYNAS-100/ReadyNAS_%20OS6_Desktop_HM_EN.pdf
- https://www.downloads.netgear.com/files/GDC/READYNAS-100/READYNAS_OS_6_SM_EN.pdf
After setup, you should manually install 6.10.9 software (using the "install firmware" control on the screenshot above). 6.10.9 has some security updates.
You won't be able to re-install Plex on the NAS unless you make some other changes. You can install it on your PC, but keep the media on the NAS. That is my own approach. Either way, we can help with that after the NAS is rebuilt.