
Forum Discussion

jimk1963
Luminary
Dec 19, 2023
Solved

Ransomware - how to prevent on RN528X and RN424 (and RN212)

Today I saw this on reddit:

https://www.reddit.com/r/synology/comments/18jofdu/nas_hit_by_ransomware_ds720/

Synology is purportedly the leader in NAS software security (at least according to NAS Compares, and other similar NAS reviewers). To see this user get nailed today gave me pause, with my now obsolete ReadyNAS boxes (RN528X, RN424, RN212).

What, if anything, can I do to increase security on these boxes? I'm quite sure I'm doing plenty of things wrong; here's the basic setup:

- 3 NAS boxes are ETH-connected to my home network (10GbE and 1GbE)
- Home network is an Orbi 960 mesh system (RBK963), which sits in front of a 1Gbps Spectrum cable modem
- On the RN528X, under Accounts, the "Users" and "Groups" have two members - Admin, and istatserver (an app I loaded but since disabled). There are no users underneath. I'm guessing this is maybe a problem; I read somewhere it's a bad idea to use Admin as the primary access but don't understand why. Security issue??
- Permissions aren't set any specific way, as I have zero understanding in this area as well. I've tried messing with permissions in Windows over the years; it never works the way it seemingly should and always gets me into trouble.

I don't see any provision for 2FA or other basic security measures with these boxes. I don't want to remove the devices from the home network; that defeats the purpose of having easy access to them.

Any measures I can take to improve security, short of disconnecting them from the network entirely?

I don't access these boxes remotely (any longer), since ReadyCloud bit the dust. I would like to have a way to do this going forward though... some VPN solution I guess. Any advice here would also be much appreciated.


  • jimk1963 wrote:

    Today I saw this on reddit:

    https://www.reddit.com/r/synology/comments/18jofdu/nas_hit_by_ransomware_ds720/

    This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.

    So in general you do need to be cautious on how you set up remote access. Personally I use the OpenVPN service built into my Orbi router.

    The other major vector for ransomware is through your home PCs. Since they have access to the NAS shares, ransomware on the PCs can encrypt (or destroy) files on the NAS also. If the shares can be accessed without credentials (passwords) or if passwords are saved on the PCs, then ransomware can reach the NAS very easily.

    Most of these attacks include a social engineering component - for example, phishing emails that include malicious website links or attachments with embedded malware.

    The strongest protection against this is to have a copy of your files that cannot be reached by the ransomware attack. I have a backup NAS on a power schedule. It can't be reached when it is powered down. If ransomware were to hit, I'd have some time to disconnect the NAS from my network before the next backup is scheduled.

    Less expensive is to use USB drives for backup - connecting them when you make the backups, and disconnecting them immediately afterwards.

    Cloud backup is another option - several cloud backup services do have some protection against ransomware attacks, and even if that fails you should be able to roll back to file versions saved before the attack hit.

    As an aside, there are other threats with similar impact - fire, flood, theft, etc. Protection from them requires some off-site storage.

    jimk1963 wrote:

    There are no users underneath. I'm guessing this is maybe a problem, read somewhere it's a bad idea to use Admin as the primary access but don't understand why. Security issue??

    If someone gets the admin password to your NAS, then they can log into the admin web UI. From there they can do a lot of bad stuff.

    • enable ssh, and install whatever software they like on the NAS
    • silently copy all your data
    • destroy your volume
    • ...

    Also, you can do more damage accidentally from Windows if you are using admin credentials than you can do if you are using a more restricted account.

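An added example (not from the thread and not NETGEAR or ReadyNAS code) of the point in the reply above that the scheduled backup must not overwrite the last good copy with encrypted files: a POSIX shell pre-backup check that hashes a few "canary" files on the live share and refuses to run rsync if any of them has been modified, renamed or deleted. It assumes sha256sum and rsync exist on the box; the share, hash-file and destination paths are placeholders you pass in.

```shell
#!/bin/sh
# Canary-file check to run before a scheduled NAS backup (added example).
# Ransomware on a PC encrypts share contents in bulk, so a few untouched
# decoy files whose hashes change are a cheap signal to stop the backup.

# canary_init SHARE DB: record the SHA-256 of every canary-* file in SHARE.
# Run once after placing the decoy files; rerun only if you change them.
canary_init() {
  share="$1"; db="$2"
  : > "$db"
  for f in "$share"/canary-*; do
    [ -f "$f" ] || continue
    sha256sum "$f" >> "$db"
  done
}

# canary_check DB: return 0 if every recorded canary still matches its hash,
# non-zero if any was modified, renamed or deleted, or if no baseline exists.
canary_check() {
  db="$1"
  [ -s "$db" ] || return 1        # no baseline: do not trust the share
  sha256sum -c "$db" >/dev/null 2>&1
}

# safe_backup SHARE DB DEST: mirror SHARE to DEST only when canaries are intact.
# Returns 2 and leaves DEST untouched when the check fails, so the previous
# good copy survives until someone has looked at the share.
safe_backup() {
  share="$1"; db="$2"; dest="$3"
  if ! canary_check "$db"; then
    echo "canary check FAILED on $share: backup skipped, investigate before the next run" >&2
    return 2
  fi
  rsync -a --delete "$share"/ "$dest"/
}
```

Schedule safe_backup from cron on the backup side (or on the ReadyNAS itself for a USB target) instead of a bare rsync, and alert on a non-zero exit.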

14 Replies



    • schumaku
      Guru

      StephenB wrote:

      This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.

      Nope. Start reading and understanding about EternalBlue and WannaCry. The majority of ransomware attacks came in by unaware and careless users, blindly opening files of whatever content containing malware where it can cause most effect: where users believe it is "secure", on any kind of shared folders.

      • StephenB
        Guru

        schumaku wrote:

        StephenB wrote:

        This has happened before (more broadly) to Synology and I think QNAP. The vector in the past was the cloud services set up by Synology and QNAP.

        Nope.

        I pointed out that the main vector was through the local PCs (and specifically mentioned phishing).

        But there are quite a few vulnerabilities that have been uncovered over the years with QNAP cloud software, including their QNAP Photo Station fairly recently.

        The Synology vulnerability I was thinking about was some years ago ("SynoLocker"). The vulnerability was in their DSM software, but clearly required some form of remote access to exploit. Reading through it again, it's not clear if Synology's cloud service was part of the exploit or not.

        While I think both vendors are well-intentioned, I still think that using vendor-supplied "free" cloud infrastructure for remote access and file sharing is a significant risk.
