Orbi WiFi 7 RBE973
Reply

Re: READYCLOUD Appears to have been hacked

WildfireTech
Guide

READYCLOUD Appears to have been hacked

I got my weekly security bulletin from my NetGear R6400 this morning and it is full of pages and pages of entries like this:

 

[LAN access from remote] from XXX.XXX.XXX.XXX:YYYYY to XXX.XXX.XXX.XXX:80, <DATE TIMESTAMP>

 

(IP Addresses and Dates / Times redacted).  In reading in the forums this means that there is an actual external accessor on my network and the target for EVERY ATTEMPT was the ReadyNAS.  The only reason I can think of that I would start getting NAS remote access successes from Japan, Germany, Brazil, and Russia is that someone hacked into ReadyCloud and compromised my data.

 

Since there is no direct support for issues like this, I'm positng this to the forum.

 

Do any of y'all have recommendations for me other than "terminate ReadyCloud use and go get another product"?

Model: RN31200|ReadyNAS 300 Series 2- Bay (Diskless)
Message 1 of 10

Accepted Solutions
Marc_V
NETGEAR Employee Retired

Re: READYCLOUD Appears to have been hacked

Hi @WildfireTech

 

Can you please send in the logs and report from your router also if you have screenshots that would be also helpful. Sending logs

 

Regards

 

 

View solution in original post

Message 2 of 10

All Replies
Marc_V
NETGEAR Employee Retired

Re: READYCLOUD Appears to have been hacked

Hi @WildfireTech

 

Can you please send in the logs and report from your router also if you have screenshots that would be also helpful. Sending logs

 

Regards

 

 

Message 2 of 10
schumaku
Guru

Re: READYCLOUD Appears to have been hacked

Completely unrelated to ReadyCloud.

 

Your NAS port 80 is exposed to the wild Internet, being by UPnP PMP or manual port forwarding. Every attempted access to the ReadyNAS Web interface is allowed, and forwarded by your router. Whatever traffic is there - being attempted username/password dictionary access tries, or evaluating for potential security issues.

 

Editing potentially attcker IPs is fine, changing your most likely RFC 1918 private IP addresses used on the LAN is not required.

Message 3 of 10
WildfireTech
Guide

Re: READYCLOUD Appears to have been hacked

 Marc_V, Logs sent per directions as linked.  Please let me know if you find anything.

Message 4 of 10
WildfireTech
Guide

Re: READYCLOUD Appears to have been hacked

I have no port forwarding or port triggering configured.  UPnP is disabled on my router and the NAS (no idea how to manage my ISP's Cable Modem).

 

Thanks

Message 5 of 10
StephenB
Guru

Re: READYCLOUD Appears to have been hacked


@WildfireTech wrote:

I have no port forwarding or port triggering configured.  UPnP is disabled on my router and the NAS (no idea how to manage my ISP's Cable Modem).

 


Port 80 is normal HTTP - it isn't the port that ReadyCloud or ReadyRemote use.

 

Is the second IP address that you redacted the IP address of the router?  Or is it the IP address of the ReadyNAS?

 

Note that private IP addresses aren't routable, so it is safe to post addresses in the ranges 192.168.0.0.-192.168.255.255, 10.0.0.0-10.255.255.255 and 172.16.0.0 – 172.31.255.255 ( https://en.wikipedia.org/wiki/Private_network ).

Message 6 of 10
WildfireTech
Guide

Re: READYCLOUD Appears to have been hacked

The reason I beleive that this has to do with ReadyCloud is that I:

1) Do not have Port Forwarding or Port Triggering of any form configured

2) Have UPnP configured on my router or the NAS

3) Have no DDNS entities set up that would direct users to my ISP address looking for anything

 

Therefore, the only reason I can come up with as to WHY anyone would know anythig about "me" on the internet is that they got into ReadyCloud which had the destination of the NAS.

 

I have de-coupled the NAS from ReadyCloud and changed the IP address on my private network.  

Message 7 of 10
schumaku
Guru

Re: READYCLOUD Appears to have been hacked

That's unrelated to you. ReadyCloud does unlikely communicate by whatever protocol by establishing (TCP is a guess only, these routers s**k) session on port 80 from the Internet to the NAS.

The ReadyCloud network connection is established also kind of a specialised VPN from the ReadyNAS to the ReadyCloud cloud infrastructure. In this VPN network (still using an otherwise assigned IPv4 address space) does the ReadyCloud communication take place.

The question is how it was possible to establish such a communication - all one does need is an IP address (whatever DDNS or DNS entries are not relevant, communication happens always on numeric IP addresses) - from the wild Internet to your NAS on the LAN. That's why I've raised the flag claiming it's unlikely ReadyCloud.
Message 8 of 10
StephenB
Guru

Re: READYCLOUD Appears to have been hacked

You should certainly change the admin password. Did you have a strong password on your NAS admin account before?  

 

Also look at the http configuration on the NAS (system->settings->services) and see if "http admin" is checked.

 

And check with your router manufacturer (or ISP if you have an ISP-supplied router) and make sure that if your router firmware is up to date.  Check your router to make sure that remote administration is disabled, and change the router admin password.  There's no need to change the wifi network name or passphrase, though it does no harm.

 

If your router gives you traffic reports of internet usage, keep an eye on those reports (looking for unusual amount of internet traffic). If you do see such traffic (or experience very slow internet access from another device), then disconnect the ReadyNAS ethernet cable, and see if the issues disappear.   Of course check the router logs too.

 

Netgear should be able to see traces in the logs (particularly packages installed on the NAS) if you were hacked.  

 


@WildfireTech wrote:

 

2) Have UPnP configured on my router or the NAS

  


Do you mean "do not have"? 

 


@WildfireTech wrote:

 

Therefore, the only reason I can come up ...

What I take from this is that you have no idea if there was a successful hack or what the attack vector actually was.  There is evidence of a successful connection via port 80, but no evidence either way that a hacker was able to log into the NAS web ui (or what mechanism caused port 80 traffic to be forwarded by your router to the NAS). 

 

You're just guessing/speculating that the attack vector was ReadyCloud.  I'm not suggesting that's impossible (though as I said, ReadyCloud doesn't use port 80).  The problem with locking on to an unconfirmed theory is that you stop looking for more possibilities (malware somehow getting on a PC, an attack through an app on a mobile device that is connected both to a cellular network and your network, your router being hacked instead of the NAS ...).  FWIW, I agree with @schumaku that your theory isn't likely to be correct.

 

If the NAS has been seriously hacked, then changing its private IP address will make absolutely no difference.  There will be software on the NAS that connects outbound through your firewall, and that normally won't show up at all in your router logs.  Even if you are right about the attack vector being ReadyCloud, leaving ReadyCloud now isn't an effective response for the same reason.  Once the hacker is in, s/he will install tools that give them ongoing access.

 

 

 

 

Message 9 of 10
WildfireTech
Guide

Re: READYCLOUD Appears to have been hacked

Thanks to everyone who has helped or chimed in.  I'm dropping this issue for now as the activity seems to have ceased now that the NAS is no longer connected to ReadyCloud and I have changed the IP address.  I'm also reaching out to my ISP to see if there is any maintenance needed on the router; please wish me luck in dealing with them.

 

I'll keep monitoring it for a while to see if anything weird starts happening.

 

Message 10 of 10
Top Contributors
Discussion stats
  • 9 replies
  • 5172 views
  • 2 kudos
  • 4 in conversation
Announcements