
Thanks to more than 250 victims, the Akira ransomware gang has stolen 42 million dollars!

April 19, 2024 at 08:33

Things are going well for the members of the Akira ransomware gang: they have reportedly managed to steal the tidy sum of 42 million dollars by compromising the infrastructure of more than 250 organizations. These figures were published by several agencies, including the FBI.

The FBI, CISA, the European Cybercrime Centre and the National Cyber Security Centre (NCSC) of the Netherlands worked together on a full report about the Akira threat. This advisory, available on the CISA website, shows the meteoric rise of this ransomware gang, which first appeared in March 2023.

The ransomware gang has claimed victims all over the world, although most of the targeted organizations are located in North America, Europe and Australia. At first, Akira mainly went after Windows systems, but the cybercriminals fairly quickly developed a Linux variant in order to encrypt virtual machines on VMware ESXi servers.

As of January 1, 2024, the ransomware group had hit more than 250 organizations and stolen approximately 42 million dollars thanks to the victims who decided to pay the ransom demanded.

How the Akira ransomware gang operates

The report published on the CISA website provides interesting information about the techniques and methods used by the Akira cybercriminals.

Initial access is covered in particular: according to the FBI, they mainly target VPN access, RDP access, spear phishing and the use of valid user accounts in their possession. Two security vulnerabilities affecting Cisco equipment are cited: CVE-2020-3259 and CVE-2023-20269.

For the different phases of the attack, in particular persistence, discovery and data exfiltration, the Akira ransomware gang uses various tools, some of which you probably know and use: Mimikatz, LaZagne, SoftPerfect and Advanced IP Scanner. Added to these are tools that are easy to obtain and may even already be present on some machines: AnyDesk, MobaXterm, RustDesk, Ngrok, RClone, the FTP and SFTP protocols, and the Mega file storage service.
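Because most of the tools named above are legitimate software, detection has to rest on where and how they run rather than on their mere presence. The Python below is an added example, not code from the article or from the CISA advisory: it triages constructed process-creation events against that tool list, and the executable file names, category labels, host names and allowlist are all assumptions made for the illustration.

```python
import ntpath
from collections import defaultdict

# Tool names come from the article; the executable file names and the
# category labels are assumptions made for this example.
WATCHLIST = {
    "mimikatz.exe": "credential-access",
    "lazagne.exe": "credential-access",
    "netscan.exe": "discovery",              # SoftPerfect Network Scanner
    "advanced_ip_scanner.exe": "discovery",
    "anydesk.exe": "remote-access",
    "mobaxterm.exe": "remote-access",
    "rustdesk.exe": "remote-access",
    "ngrok.exe": "tunneling",
    "rclone.exe": "exfiltration",
}

# Categories that no allowlist entry can excuse.
NEVER_ALLOWED = {"credential-access"}

# Constructed allowlist: (host, executable) pairs that IT has sanctioned.
ALLOWLIST = {("HELPDESK-01", "anydesk.exe"), ("ADMIN-WS-07", "mobaxterm.exe")}

# Constructed process-creation events, shaped like the fields a Sysmon
# Event ID 1 or EDR record carries. None of these values is from a real case.
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "user": "jdoe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "original_name": "AnyDesk.exe"},
    {"host": "FILESRV-02", "user": "svc_backup",
     "image": r"C:\Users\Public\svchost32.exe",   # renamed binary
     "original_name": "rclone.exe"},
    {"host": "FILESRV-02", "user": "svc_backup",
     "image": r"C:\Temp\netscan.exe", "original_name": "netscan.exe"},
    {"host": "WS-113", "user": "asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "original_name": "NOTEPAD.EXE"},
    {"host": "DC-01", "user": "administrator",
     "image": r"C:\PerfLogs\m.exe", "original_name": "mimikatz.exe"},
    {"host": "WS-220", "user": "bkhan",
     "image": r"C:\Users\bkhan\Downloads\ngrok.exe",
     "original_name": "ngrok.exe"},
]


def match_tool(event):
    """Return (tool, category, renamed) for a watchlisted process, else None.

    Both the on-disk file name and the embedded original file name are
    checked, so a watchlisted binary copied under another name still matches.
    """
    on_disk = ntpath.basename(event["image"]).lower()
    original = event.get("original_name", "").lower()
    for name in (on_disk, original):
        if name in WATCHLIST:
            return name, WATCHLIST[name], on_disk != name
    return None


def triage(events, allowlist=ALLOWLIST):
    """Keep watchlist hits that are not explicitly sanctioned for that host."""
    findings = []
    for ev in events:
        hit = match_tool(ev)
        if hit is None:
            continue
        tool, category, renamed = hit
        sanctioned = ((ev["host"], tool) in allowlist
                      and category not in NEVER_ALLOWED
                      and not renamed)
        if not sanctioned:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "tool": tool, "category": category,
                             "renamed": renamed})
    return findings


def escalate(findings):
    """Rank hosts: credential tools, or staging plus an outbound channel, are high."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["category"])
    staging = {"credential-access", "discovery"}
    outbound = {"exfiltration", "tunneling", "remote-access"}
    ranking = {}
    for host, cats in per_host.items():
        high = bool(cats & NEVER_ALLOWED) or bool(cats & staging and cats & outbound)
        ranking[host] = "high" if high else "medium"
    return ranking


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print(escalate(results))
```

Matching on file names alone only catches binaries that were not stripped of their metadata; in production the same triage would also key on file hashes or code-signing information from the endpoint agent.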

Advice for protecting yourself against the Akira ransomware

This report also contains a set of advice and recommendations for protecting yourself against this threat.

Here is the list of these recommendations:

  • Implement a disaster recovery plan.
  • Make disconnected (offline) backups of data.
  • Make encrypted and immutable backups.
  • Require all accounts to be protected by passwords that comply with NIST standards and are sufficiently long. "Consider not requiring recurring password changes, as these can weaken security," the report reads.
  • Require multi-factor authentication for all services wherever possible.
  • Keep all operating systems, software and firmware up to date.
  • Segment networks to prevent the spread of ransomware.
  • Identify, detect and investigate abnormal activity and potential ransomware movement using a network monitoring tool.
  • Filter network traffic by preventing unknown or untrusted sources from accessing remote services on internal systems.
  • Install antivirus software on all hosts, update it regularly and enable its real-time detection.
  • Review domain controllers, servers, workstations and Active Directory for new and/or unrecognized accounts.
  • Audit user accounts with elevated privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
  • Add a warning banner to e-mails whose sender is external to your organization.
  • Disable hyperlinks in received e-mails.
  • Put in place a time-based access policy (Zero Trust) for accounts with elevated privileges.
  • Disable command-line and scripting activities and permissions.


The post "Thanks to more than 250 victims, the Akira ransomware gang has stolen 42 million dollars!" first appeared on IT-Connect.


Are NAS Drives Safe?

By: Rob Andrews
April 15, 2024 at 18:00

Are NAS Drives Safe Enough to Use in 2024?

Are you a NAS owner? Perhaps you are considering buying a NAS based on a recommendation from a friend, work colleague, IT professional or even myself (Robbie) on YouTube. The appeal of owning your own server, cutting the connection with your subscription cloud providers such as Dropbox or Google Drive, having all your data backed up in-house and that feeling of pure control/ownership is hard to underestimate. However, over the last 4-5 years or more, it has been hard to ignore that the brand has suffered a series of security issues surrounding the subject of ransomware – a process whereby your data is encrypted with a unique, near uncrackable cypher and a document (typically a .txt) is left for you with instructions for you to make a payment in bitcoin to a predesignated account in order for instructions and the key to recover your data. Ransomware in and of itself is not new and originally dates back to 1996 under the name cryptoviral extortion (you didn’t come here for a history lesson, but the wiki covers a lot of those early developments into the concept) and is frighteningly easy to conduct IF an intruder has access to your system and/or the means to inject the command to encrypt the data inside of any system. Words like virus, hack and malware have been thrown around the internet for the last 20-30 years, however, malware feels significantly more organized and comparatively recent, as well as being something that has been enacted on all storage platforms, such as Google Drive (thanks to sync tools), Apple was directly hit in 2021 and over 300 BIG name companies that you WILL have heard of in the last 18 months that included:

Acer, FujiFilm, Northern UK Rail, Exabyte Web Hosting, Foxtons, The Salvation Army, Shutterfly Photography, Bose Sound, The NRA, Kronos CRM systems, Gigabyte Motherboards, Volvo, SPAR, Olympus Cameras, GUESS Fashion, ADATA, CD Projekt, Travelex, SK Hynix, Capcom, Crytek, Kmart

Those are just a brief scan of confirmed news reports and only a small fraction of the companies, brands and institutions that have been successfully targeted. Tech companies, media companies, charities and countless retail outlets. Why am I going through all this? Well, 1, these companies should have exceptionally sophisticated storage and remote access protocols in place, 2, cannot use the excuse of being companies with practically no formal association with high-level storage and 3, are companies with a responsibility to protect significantly custom databases that eventually fell foul (partially or fully) to vulnerabilities. Personally, I DO think, when NAS brands have blame on their side (eg Asustor/Terramaster with Deadbolt, QNAP with QLocker, Synology with SynoLocker, etc) that they need to acknowledge it publicly, that they have made significant errors in the proactive management of these attacks AND have handled a number of the follow-up actions to these incidents very poorly (both in terms of communication and execution) – they need to put their hands up and say “We F’d Up” and take responsibility, up to a point! However, I do also think that the end-user base is also not completely innocent and alongside ascertaining whether any particular NAS brand is safe to use in 2024, we should also think about how we store data, the limits of our own due diligence and our expectations from server devices.

Important note – If you are currently unaware of the severity of ransomware attacks, malware attacks and authentication bypass vulnerabilities, you need to subscribe to this page HERE on NASCompares. Also, if you are in any doubt about NAS security and owning a system, REMEMBER, the very LEAST you can do is:

  • Set your system software updates to automatic (either FULL or just security updates)
  • Disable the ‘admin’ account (it should be disabled by default, but make sure!)
  • Disable SSH / Terminal services if you are not using them (again, these should be ‘off’ by default, but check)
  • Create exclusive login credentials for services/clients (eg Plex should/can have a user:plex + password, and then restrict that account to only the folders and services that it needs, then restrict or ‘read only’ the rest)
  • Have at least one backup in place. Remember that a backup is a complete copy of all your data in a different system/location!!!
  • Change the default ports in the system for accessing the NAS (you tend to find NAS systems use 8000, 8001, 8080, 5000, etc. Change them to something random)
  • Enable 2 Step Authentication / 2FA / OTP
  • Do not F&*k around with your router or open ports unless you know what you are doing!

Additionally, if you have been affected by ransomware on your storage solution (QNAP, Synology, UnRAID or whatever brand), this post is not intended to play ‘blame games’ or detract from the impact (personally or professionally) that it has caused. I have experienced ransomware attacks, malware attacks through my browser, virus attacks on my OS and seen my fair share of attacks fail and (annoyingly) succeed. Please do not take this article in the spirit of ‘get stuffed, it’s your fault!’, but as a means of dissecting the current state of play with NAS devices and the realistic expectations/responsibilities of all involved.

PSA – GET YOUR BACKUPS IN ORDER!

Before you even go one paragraph further, I have a simple question for you – do you have a backup in place? If yes, then carry on to the next part. If not, and I cannot stress this enough, GET ONE NOW. The time you are spending reading this you could be susceptible to data loss in about 10 different ways without even factoring in ransomware (power failure leading to hard drive corruption, malware from a slightly iffy Google search this morning, cloud storage provider going bust, OS failure on your device, etc). In this day and age owning a sufficient data backup is as sensible as buying a raincoat or looking both ways when you cross the street – you don’t do it because you like rain or like looking at cars, you do it because they are peace of mind, they are a safety net, they are for caution in case of the worst. It is a bit tenuous, but owning one or multiple backups always makes me think of this quote from Shawshank Redemption by Stephen King:

“There are really only two types of men in the world when it comes to bad trouble,” Andy said, cupping a match between his hands and lighting a cigarette. “Suppose there was a house full of rare paintings and sculptures and fine old antiques, Red? And suppose the guy who owned the house heard that there was a monster of a hurricane headed right at it. One of those two kinds of men just hopes for the best. The hurricane will change course, he says to himself. No right-thinking hurricane would ever dare wipe out all these Rembrandts, my two Degas horses, my Jackson Pollocks and my Paul Klees. Furthermore, God wouldn’t allow it. And if worst comes to worst, they’re insured. That’s one sort of man. The other sort just assumes that hurricane is going to tear right through the middle of his house. If the weather bureau says the hurricane just changed course, this guy assumes it’ll change back in order to put his house on ground zero again. This second type of guy knows there’s no harm in hoping for the best as long as you’re prepared for the worst.” 

Get a Backup in place

More Ransomware Attacks on QNAP than Any other NAS Brand?

WannaCry, QLocker, eChoraix, Deadbolt, how, many, times…

Probably the most compelling argument against the safety of NAS for many buyers is the simple fact that NAS brands increasingly seem to be in the news more for reasons of ransomware attacks. Indeed, even a quick browse of the last 24 months on the site ‘Bleeping Computer’ for stories on QNAP shows you that there have been multiple vulnerabilities found in their software/access that have allowed encryption commands to be injected into the QNAP NAS system to execute the ransomware attacks. How can this one brand be such a soft target? What are they doing wrong? Well as it stands, reading through news posts before/after previous ransomware attacks, as well as the dissection of events on the official forums in the midst of an attack, the consistent threads are:

  • QNAP is rolling out software and services with weak default settings and acceptable minimums to allow inexperienced users to open up external access WITHOUT the users understanding the risks
  • QNAP has weaknesses in its software that the brand arguably takes a more reactive than proactive stance on repairing
  • QNAP’s recommendations to users on actions post-ransomware attack, both publicly and in 1-to-1 dialogue with users, have been felt to be unsatisfactory
  • Your QNAP NAS is better off currently used offline/network only

As general as all that might sound (without letting personal opinions colour it) those are largely the four core issues for many that have voiced their feelings on this in the forums. Moving away from the hefty subject of data loss slightly (we will be returning to that in a bit, but that is a question of Backups and routines to discuss), there is the fact that there have been vulnerabilities found in QNAP 1st party applications and services – but then again, so have there been in different NAS brands’ own services too. A quick look at their respective Security Advisory pages will tell you this. This doesn’t exonerate QNAP in any way here, as part of the ‘social agreement’ between the end-user and QNAP is that as long as we follow due diligence in protecting the data inside the NAS as directed AND maintain our own network/router setup, the QNAP NAS should protect our data inside the NAS to the best of its ability. This is where it all becomes problematic, as QNAP have never successfully balanced the line between giving the user freedom, control and customization WHILST still preventing the user from doing anything self-harming without a full idea of the consequences. It’s a line that their biggest competitor Synology seems to toe better and this comparison only serves to reinforce the feeling (and numbers) that QNAP are attacked more.

The Nature and Practice of Firmware Updates on ALL NAS Brand Devices – Prevention & Cures

“Remind me Tomorrow” click

Though sometimes NOT the means with which a vulnerability in the NAS software/services is achieved, it is still a factor in some instances that updating to a later firmware would actually have closed a vulnerability. However, this is a remarkably broad statement and the truth is a great deal more nuanced. First, we have to understand that ALL software that has a remote access component via the internet will likely be investigated by cybercriminals for weaknesses. Not just NAS ones – ALL of them, from Microsoft Office and Android mobile OS, to your LG TV and Amazon FireTV. Hell, I bet there are people who have investigated the ‘buy now’ option of WINRAR in an effort to see if an opening exists to use it as a ransomware entry vector. What I am saying is that as soon as a commercially popular software with internet access exists, people are going to try and take it apart to find out its weaknesses for exploitation. If/When these weaknesses are found and actioned (or submitted to the brand for bounty programs – whereupon brands ask people to try and break their software, so they can make it better/safer/improved), the brand then issues a firmware update to the affected software/services to its user base, then around the merry-go-round we go again! This is not a process that happens daily – but it definitely happens weekly or monthly (depending on the frequency of the brand to instigate the changes that are raised to them). This is why it is so common for companies that are affected by ransomware in their software/services to immediately highlight the need for firmware updates. At that point, the attack vector and vulnerability is reverse engineered, patched and closed. Many of these vulnerabilities are small. Very, VERY small sometimes.
Indeed, it is for this reason that all the reputable NAS brands have security advisory pages that list current weaknesses, vulnerabilities and issues on their platform that are being investigated (Synology HERE, Asustor HERE and yes, QNAP HERE) and in all my time in the world of network-attached storage, I do not think I have ever seen one of these pages have ‘100% resolved’, but when something is resolved the resolution is invariably rolled into an update. So what we can take from this is that although firmware updates do not completely remove the possibility of new vulnerabilities being found in the future, they do seemingly close the bulk of existing vulnerabilities that have been found by/volunteered to the brand.

So why do we not install the firmware updates automatically? This isn’t limited to NAS of course! From the Mac notifications that have been nagging you at the top right of your screen, to the Windows update at the bottom right and all those applications on your phone that are asking you to please install the latest updates to your software – we choose to ignore them til ‘later’! Worse still, there is the old ‘if it ain’t broke, don’t fix it’ mentality that will often result in many users only installing smaller updates, but flat out avoiding the BIG updates as they can ‘change where everything is’ or ‘I heard it breaks a bunch of stuff’. Businesses in particular with shared files in their thousands are always reluctant to run any process that can suspend that access temporarily or change how something works. So, there we have a fine melting pot of ingredients that has led (in some instances, but not all – as we will go further into) to many users being hit by ransomware attacks via vulnerabilities that, although patches were available, were not actioned. How do we resolve this? Forced update that leaves the user’s own hesitance out of the equation? Limitations of the system’s remote connectivity unless the latest firmware update is installed (console gamers will be very familiar with that method of course)? Or a 50/50 split where minor updates are optional, but larger ones are mandatory? It’s a tough tight rope to walk. So, let’s see how QNAP walked/walks this tight rope and how they could have possibly done it A LOT better.

System Updates and Updates – Should a NAS Brand FORCE Firmware Updates to Users?

Forced? Optional? Access Penalties?

As mentioned, tighter control of firmware implementation would allow the brand to ensure that a NAS that has internet accessibility is updated to a high/current firmware revision. Alternatively, the brand could limit the system’s external connectivity and disable all settings if the firmware on the system is not up to date – simply running a check with the NAS brand connected domain when trying to access these services and settings and declining if the latest update is not installed. Xbox and Playstation users are more than aware of this as a fixed rule to ensure that installed software is officially licenced and checked in advance. However, those are closed systems and many buyers have selected NAS over cloud services precisely because of the flexibility and customization it offers. However, when NAS brands have previously FORCED firmware updates remotely for services, it has NOT been received well:

Forced updates are something of a taboo subject too, with the recent rather heavy-handed move by QNAP back in 2020 in light of the Deadbolt ransomware attack to remotely push the latest firmware update to all QNAP NAS systems that were internet-connected without any notice to the end-users (overriding any settings that disabled or prevented this). Now, clearly, QNAP did this as an extreme and something to prevent the vulnerability of the system software and/or configuration from being exploited further (that have still not been fully confirmed in its attack vectors, with some users who have ridiculously high-security settings still getting hit). In non-ransomware instances, I think QNAP issuing a message to their user base with a “In 5 days there will be an essential system update on XX day XX month at XX:XX time” message, with even a brief explanation of why would have been infinitely more preferable and would have been met with a much more positive stance (as well as it also making many users update sooner). However, clearly, the decision for a forced update was more of a last resort/hastily decided choice and that forms part of another reason that many users find the QNAP platform to sometimes bring services and software to market that could do with a little more time in the oven. Whatever way you look at it, QNAP was going to be damned, whatever they did. But did they put themselves in this position? What about the expectations of the end-user and due diligence? What SHOULD be the expected skillset of a NAS buyer to start with?

The Extent of the End User Responsibility, Skillsets and Expectations? What Are YOUR Responsibilities as a NAS Owner?

How much should a user be expected to know about networking?

The simplicity of NAS systems can often be oversold. It’s annoying and I am as guilty as most of this, but given the wide range of users who install a NAS system into their storage environments, the ease of setup and use is not shared with the ease of setup and understanding of network security in your home or office. On the one hand, NAS brands have supplied multiple services and processes in their system software that make remote access easy, encrypted transmissions easy, SSL certificate applying easy, 2-step authentication easy, UPNP and router pushing easy – you name it, they have tried to make it easy. But should they have? The ease of setting up a number of these services (as well as non-randomized settings in some places) can easily give users a false sense of security. So, for those users of a higher skillset, it would be acceptable that a NAS should only be remotely accessed with the highest layers of security applied, and it should not allow remote level access to be possible without some unique intervention and set-up by the end-user (not just a password and/or disabling an admin account), although to stop presets of this nature would lead to a noticeable spike in the difficulty of setup, perhaps that is what is needed. This is by no means a new issue we are discussing and even a brief google search online finds examples of attack vectors and methods as far back as 1999 on public/org sites.

However, in reality, it simply would not work like this. The user base of most established NAS brands is just too varied and though these tougher and more unique security implementations would secure things, the less technically skilled users would hit hurdle after hurdle, once again, one of the prices of some (not all) of that flexibility. A lot of users who have been hit by ransomware attacks have specifically headed to official forums because they do not have the remote setup experience that might be deemed an acceptable minimum to start opening ports via the NAS settings or directly on the router. This once again brings us back around to what should be the expected skill level of an average NAS Drive owner, how much of the control and security profile of the storage system belongs to the NAS manufacturer and how much should the buyer be expected to do independently? You can buy a car, you can fill it with petrol and the manufacturer can tell you its top speed, and miles to the gallon – but no car manufacturer would feel the need to add to all their adverts “must have a driving licence”, do they? It’s a rather stretched simile I know, but the fact remains that users cannot expect to connect their storage to the internet in 2024, open up pathways to it via the internet and not at least make allowances or provisions that an attack could happen. This leads us to the hardest and coldest fact of practically EVERY SINGLE NAS related recent ransomware attack that, although only applies to a % of users, is still depressingly true.

How Backups and Data Storage are Still being Misunderstood – UNDERSTANDING WHAT A BACKUP IS, AND A NAS IS NOT!

A frighteningly large number of victims with no backup. Acceptable backup levels?

One of the hardest choices for anyone that has been successfully targeted by ransomware attackers (not exclusive to NAS either) is the choice to pay or not. When I am asked to make recommendations for a home or business user in the free advice section here on NASCompares or the comments on YouTube, I will always ask what the user storage quota is currently (now then double annually over 5yrs), their user base (volume and frequency) and their budget? That last one is always a kicker for some, as no one wants to show their cards! I’m not a salesman and I do not work for an eRetailer, I ask because there is a lot of ground between a £99 DS120j and a £5000 RS3621XS+. However, budget is INCREDIBLY important and should not only be measured by the number of 0’s in the account, but also by the cost of if the data is lost! Many users are so busy thinking of how much it will cost to provision for the future, that they are not factoring in the cost of replacing the past! This is the exact personal vulnerability that ransomware targets and sadly, a lot of users still do not understand 1) what a backup actually IS and 2) what a backup actually ISN’T.

If your data ONLY lives on the NAS, then the NAS is not a backup. You likely knew that. But socially and conventionally, we tend to forget it quite easily. We make space on phones by deleting stuff because ‘it is backed up on the NAS’. We sync our laptops and MacBooks with a remote folder to keep our files safe on the NAS, but still make changes or delete files on the hoof. We take the NAS as read as a backup and at that point, it isn’t! Likewise there are things that SOUND like backups… RAID… Snapshots… Hot Spares… they sound very reassuring, but are not backups, they are safety nets! And are all typically found ‘in system’. A REAL backup is something that is the same files, ELSEWHERE! There is no avoiding that a NAS (Synology, QNAP, TrueNAS, Whatever!) is NOT a backup solution in and of itself, but can be used IN a Backup Strategy. All brands highlight at numerous points on their website that you should have a 1-2-3 Backup strategy, or a bare-metal and cloud backup, or a periodic USB backup, a NAS to NAS remote backup – or ALL of them! Sadly, there are a lot of users in the official NAS branded forums that have been hit by ransomware and did not have backups in place, with some knowledge that they needed a backup but their budgets prohibited it. Whilst others say that a NAS brand publishes in its online literature that it’s a backup device, they bought it as a backup device, therefore the company missold it and that is the end of argument!

The sad truth is that the brand is not responsible for your backup routine or strategy, it supplies the means to store and access data and their responsibility (succeed or fail) is to ensure its hardware and/or software provides a default secure level of access, as well as the means to configure that access to the user’s control. There HAVE been vulnerabilities found and they have patched them, as is the usual process in these things (at least, they say they have and that is the best guarantee we can ever have from a brand in the circumstances), but they are NOT responsible for your backup routine. This now leads us to the subject of the NAS hardware, the NAS software and comparisons between brands.

Hardware vs Software Priorities – Is Synology Safer Than QNAP?

Hardware vs Software, QNAP vs Synology, Is the grass greener?

Way back in the mid twenty-teens, whenever I would discuss QNAP and Synology on the platform, I would always say that you go to Synology for the Software and QNAP for the Hardware. Synology’s DSM platform clearly makes up the bulk of the company’s investment and attention, makes up a significant chunk of the price tag and is designed around keeping things as user-friendly as possible (within reason). This is why their devices at each generation refresh (DS918+>DS912+>DS923+ or DS218+>DS220+>DS224+) only make smaller increases on the previous generation – the software IS the focus. With QNAP we tend to see the hardware taking bigger leaps each generation. Better standard ethernet, better PCIe gens, Better CPUs much earlier and overall greater hardware at any given time. For PC builders and those that know a lot more about the contents of their laptop than the contents of their router, this is speaking THEIR language and makes the price tag translate better. Fast forward to now and although that logic still remains the same, these brands are more 60/40 in their architecture (where 60 = their preferred hardware or software bias). The issue starts when QNAP seem to rush their software out the door very quickly. Alongside a lot more beta applications being available, they roll out a lot of new types of software that (and I am sorry to use that expression again, but) could have used more time in the oven. This approach to software development and release can be dicey and although it makes QNAP the more exciting platform (with its better hardware, more diverse software and continued AI or generally automated services), it also means that the platform has less of the layers of troubleshooting red-tape that Synology has (which inversely means the Synology product is going to be more expensive and less hardware rich, as that investment of time needs to be repaid to be justified).
In recent years, QNAP has seemingly slowed down its hardware releases and rolled out more in software, introducing bounty programs for vulnerabilities, pen testing and is seemingly learning from their mistakes (we hope). Whilst Synology have further doubled down on software innovation (with solutions remaining longer in the market between refreshes) and continued on their path to continued dominance in NAS. Whether you look at the whole thing as a tortoise and the hare situation, or a case of ‘slow and steady wins the race’, there is no denying that Synology appears to take security more seriously than most other brands.

Look at the Apple TV box or Amazon FireTV / Firestick? Is it user-friendly? Yes! Is it slick and intuitive? Yes! Is it flexible in the installation of 3rd party applications? NO (at least, not without workarounds)! Is it hardware-powerful? LORD NO! One glance on eBay will show you a thousand other media boxes at the same price with Android on board, 5-10x the hardware and customization coming out of the wazoo. Nevertheless, many users will not buy the Apple/Amazon media option because although they KNOW it will be slick and ‘hold your hand’ all the way, it will be a closed system, noticeably more expensive and even then “nothing is foolproof, right?”. And a lot of the anger at QNAP for their increased ransomware targeting and handling of this needs to also be balanced against why a lot of users chose the QNAP NAS brand. The QNAP NAS platform does have good applications and services, some genuinely unique ones and ones that allow tremendous flexibility and customization – but users need to remain relative to what drew them to the platform and have sufficient backups AND safety nets in place. I would say this about QNAP, about Synology, hell… Google Drive, Dropbox, Backblaze… ALL of them have localized client tools that rely way too much on the success of versioning/roll-backs being possible on the cloud platform. None of them are 100% foolproof and QNAP dropped the ball multiple times here, but none of these ways are unprecedented and should be provisioned for regardless of your NAS brand or cloud platform.

The Sad Truth about Servers, Security and Vulnerabilities

Vulnerability > Update > vulnerability > update > rinse > repeat

No platform, software or service is going to be 100% bulletproof. You can increase your personal layers of security (VPNs, encryption, layers, restrictive white lists, etc.) to hit 99.99% but whichever way you look at it, everything we use is software-based and therefore fallible. Equally, users cannot pretend that it is still the early days of the internet and then be annoyed when a statistical possibility that should have been planned for was not. Do I think NAS drives are safe? I'm sorry to say that the answer is never going to be a simple Yes/No. I think they provide what they say they provide and I think that NAS hardware is still the best in the market right now. But the majority of NAS brand software needs to be less rushed (I somewhat absolve Synology of this, as they seemingly take it 10/10 seriously!), with the extra time/budget spent on that software, or on using a trusted 3rd party. They need to relinquish some of the customization of their platform in an effort to take some of the configuration out of the hands of less tech-savvy users who end up overly reliant on defaults. Perhaps a much more rigorous setup policy that, on day 1, has an EXPERT door and a NOVICE door, with randomized defaults and extremely regimented update rules on the latter. Equally, the brand (though better than it was) needs to work on its communication with its end-user base, both in the event of critical issues and in educating the user base on what they need to have in place to increase security OUTSIDE of their product.

I still recommend the majority of turnkey NAS brands in the market in terms of their base product and the range of security/system protection tools they include, but we need to be realistic and honest with ourselves about what we buy and our expectations. If I buy a NAS, I expect it to store the data I put on it and allow me access to it on my terms, but 'my terms' might be a lot more/less strict than the next person's, and with that comes due diligence in 2024. I hope that the last big ransomware attack, Deadbolt from the start of 2022, is the last 'big' one we hear about moving forward, but I do not think it will be. More than just any one brand, one look at the vulnerabilities listed on the security advisories of all the brands tells us that there is big money to be made by these intruders and the brands can only stay 1 step ahead. As always, Eddie and I here on NASCompares have been running a page that links to the bigger NAS security advisory pages and gets regularly updated, so if you want to get notifications on these as they get added (pulled from the official pages themselves), you can visit that page and put your email in for updates when they happen. Have a great week and backup, backup, BACKUP.


Semiconductor manufacturer Nexperia hit by a ransomware attack!

16 April 2024 at 06:00

Nexperia, a major Dutch semiconductor manufacturer, has been hit by a ransomware attack during which the attackers managed to exfiltrate company data. Here is what we know about this security incident!

Based in the Netherlands, Nexperia is a semiconductor manufacturer with a worldwide presence and 15,000 employees spread across Europe, the United States and Asia. Nexperia manufactures and ships more than 100 billion products per year and has annual revenue of more than 2.1 billion dollars.

On Friday 12 April 2024, Nexperia published a press release publicly confirming that a group of cybercriminals had managed to break into some of its servers. The intrusion took place in March 2024 and, as soon as it was detected, Nexperia's teams stepped in: "We quickly took measures and disconnected the affected systems from the internet in order to contain the incident and implement significant mitigation measures."

In parallel, Nexperia opened an investigation to identify the exact nature and consequences of the incident. The investigation is being carried out together with a team of specialists from FoxIT, brought in to respond to this incident.

1 TB of data in the wild?

On 10 April 2024, the extortion site "Dunghill Leak" announced the theft of 1 TB of confidential data from Nexperia's servers. If the ransom is not paid by the Dutch manufacturer, Dunghill threatens to publish (or resell to a malicious third party) the following data:

  • 371 GB of design and product data, including quality control, confidentiality agreements, trade secrets, technical specifications, confidential schematics and production instructions.
  • 246 GB of engineering data, including documents relating to internal studies and manufacturing technologies.
  • 96 GB of commercial and marketing data, including pricing analyses.
  • 41.5 GB of data relating to human resources and employees' personal data, including copies of employees' passports.
  • 109 GB of customer and user data, including brands such as SpaceX, IBM, Apple and Huawei.
  • 121.1 GB of miscellaneous files and data, including files relating to e-mails.

As proof, Dunghill leaked part of the data: microscope scans of electronic components, employee passports and non-disclosure agreements. For the moment, Nexperia has not commented on these documents.

The post Semiconductor manufacturer Nexperia hit by a ransomware attack! first appeared on IT-Connect.

D-Link NAS Hard-Coded Credential Security Vulnerability Discovered – DISCONNECT FROM THE INTERNET NOW

By: Rob Andrews
10 April 2024 at 15:00

Severe D-Link Security Vulnerability Discovered – CVE-2024-3273 and CVE-2024-3274 Hard-Coded Credential Backdoor

The cybersecurity landscape has been significantly impacted by the discovery of two vulnerabilities in D-Link NAS devices, designated as CVE-2024-3273 and CVE-2024-3274. These vulnerabilities affect multiple D-Link NAS models (approximately 92,000 internet-facing devices, the bulk of which are UK based) that are no longer supported by the manufacturer due to their end-of-life (EOL) status. This detailed analysis aims to unpack the complexities of these vulnerabilities, their operational implications, and the necessary user responses.

Impact and Affected D-Link NAS Models:

The confirmed list of affected D-Link NAS models includes:

| Model | Region | Hardware Revision | End of Service Life | Fixed Firmware | Conclusion | Last Updated |
|---|---|---|---|---|---|---|
| DNS-320L | All Regions | All H/W Revisions | 05/31/2020 | Not Available | Retire & Replace Device | 04/01/2024 |
| DNS-325 | All Regions | All H/W Revisions | 09/01/2017 | Not Available | Retire & Replace Device | 04/01/2024 |
| DNS-327L | All Regions | All H/W Revisions | 05/31/2020 | Not Available | Retire & Replace Device | 04/01/2024 |
| DNS-340L | All Regions | All H/W Revisions | 07/31/2019 | Not Available | Retire & Replace Device | 04/01/2024 |

These devices, pivotal in small office/home office (SOHO) environments for data storage and management, are now susceptible to remote attacks that could compromise sensitive data integrity, availability, and confidentiality.

CVE-2024-3273: Command Injection Vulnerability Explained

CVE-2024-3273 exposes a command injection flaw within the web interface of affected D-Link NAS devices. The vulnerability is located in the handling of the system parameter within the nas_sharing.cgi script, which improperly sanitizes user-supplied input. This oversight allows authenticated remote attackers to inject and execute arbitrary shell commands encoded in base64. The execution context of these commands is particularly concerning, as it typically runs under the web server’s privileges, potentially leading to unauthorized access to the system, modification of system settings, or initiation of a denial of service (DoS) attack.

Technical Dive into CVE-2024-3274: Hardcoded Credentials

CVE-2024-3274 reveals a hardcoded credential vulnerability, manifesting as a backdoor account (messagebus) embedded within the device firmware. This account, notably lacking a password, permits unauthenticated remote access to the device’s administrative interface. The presence of such hardcoded credentials significantly lowers the complexity of unauthorized device access, making it a critical vulnerability. This backdoor could be exploited in tandem with CVE-2024-3273 to elevate privileges or gain persistent access to the compromised device.

Who Found the D-Link Vulnerability?

The vulnerabilities were disclosed by a security researcher operating under the pseudonym “netsecfish,” who provided detailed technical insights and proof-of-concept (PoC) code. This disclosure highlighted the risk of widespread exploitation, given the estimated 92,000 devices exposed online across various regions, including the UK, Thailand, Italy, and Germany. The timing of the disclosure, subsequent to the affected models reaching their EOL, exacerbated concerns around feasible mitigation strategies.

The full and very detailed outline of the vulnerability and potential attack vector is available on netsecfish's GitHub listing.

Mitigation Strategies for Users Who Are Still Using A D-Link NAS

In light of D-Link’s stance on not providing firmware updates for EOL products, affected users are faced with limited mitigation options. The primary recommendation is the retirement and replacement of vulnerable devices. Interim measures, for those unable to immediately replace their devices, include isolating the NAS devices from the internet, implementing strict network segmentation, and employing firewall rules to restrict access to the management interface. Additionally, monitoring for unusual network activity can provide early detection of exploitation attempts.
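As an added example (not code from this article, D-Link or netsecfish), the monitoring advice above can be applied to web access logs: the Python below flags requests to nas_sharing.cgi that carry a system parameter or the messagebus account name, and decodes the base64 value for the analyst. It assumes Common Log Format lines from a reverse proxy or firewall in front of the NAS; the sample log lines, the /cgi-bin/ path prefix and the account and view parameter names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

SCRIPT = "nas_sharing.cgi"        # script named for CVE-2024-3273
INJECTED_PARAM = "system"         # parameter described as improperly sanitized
BACKDOOR_ACCOUNT = "messagebus"   # account named for CVE-2024-3274

# Constructed sample log (documentation IP ranges). The "account" and "view"
# parameter names are placeholders: the article does not say which parameter
# carries the account, so the detector matches on the value in any parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:15:02:11 +0000] "GET /cgi-bin/nas_sharing.cgi?account=messagebus&system=dW5hbWUgLWE= HTTP/1.1" 200 312
198.51.100.23 - - [10/Apr/2024:15:03:40 +0000] "GET /cgi-bin/nas_sharing.cgi?system=@@not-base64@@ HTTP/1.1" 200 0
192.168.1.20 - - [10/Apr/2024:15:04:02 +0000] "GET /web/login.html HTTP/1.1" 200 5120
192.168.1.20 - - [10/Apr/2024:15:05:19 +0000] "GET /cgi-bin/nas_sharing.cgi?view=list HTTP/1.1" 200 88
"""

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_b64(value):
    """Return the decoded text, or None if the value is not valid base64."""
    # parse_qsl turns '+' into a space, so restore it; senders may also
    # drop the trailing '=' padding, so add it back before decoding.
    candidate = value.replace(" ", "+")
    candidate += "=" * (-len(candidate) % 4)
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def inspect_target(target):
    """Return (reasons, decoded) for a request target, or None if benign."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1].lower() != SCRIPT:
        return None
    reasons, decoded = [], None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower() == BACKDOOR_ACCOUNT:
            reasons.append("hard-coded account name supplied in '%s'" % name)
        if name.lower() == INJECTED_PARAM:
            decoded = decode_b64(value)
            reasons.append(
                "'system' parameter present"
                + ("" if decoded is not None else " (value is not valid base64)")
            )
    return (reasons, decoded) if reasons else None


def scan(lines):
    """Yield one finding per suspicious access-log line."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not an access-log line we understand
        hit = inspect_target(match["target"])
        if hit is None:
            continue
        reasons, decoded = hit
        findings.append({
            "src": match["src"],
            "time": match["time"],
            "status": int(match["status"]),
            "reasons": reasons,
            "decoded": decoded,   # what the sender asked the device to run
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only query strings are visible in an access log, so requests that carry the parameter in a POST body need a proxy or IDS that inspects bodies.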

D-Link Official Response

D-Link has acknowledged the vulnerabilities but emphasized the EOL status of the affected models, which precludes official firmware updates or patches. The company has issued advisories urging users to replace outdated devices with supported models. This situation underscores the importance of adhering to device lifecycle policies and maintaining an updated infrastructure to mitigate security risks.

D-Link's full official response is available online.

At the time of writing, there is no mention of this on their social media pages. Hopefully this changes, as the potential 82,000 internet facing units in the wild need to be addressed.

Exploitation in the Wild of the Hard-Coded Credential D-Link Vulnerability

GreyNoise, a cybersecurity firm specializing in analyzing internet-wide scan traffic to identify threats, has provided valuable insights into the exploitation attempts of the D-Link NAS vulnerabilities. According to their analysis, a significant uptick in scan activity targeting the specific vulnerabilities CVE-2024-3273 and CVE-2024-3274 was observed shortly after their disclosure. This activity suggests that attackers are actively seeking out vulnerable D-Link NAS devices for exploitation. GreyNoise’s findings indicate that the exploitation attempts are not isolated incidents but part of a broader effort by malicious actors to identify and compromise affected devices. The data collected by GreyNoise highlights the real-world implications of these vulnerabilities and serves as a critical alert for organizations and individuals to take immediate protective actions against potential unauthorized access and exploitation of their D-Link NAS devices.

You can learn more about this on GreyNoise's official page on this matter.

The D-Link NAS Series is Still For Sale (Technically)

Despite the end-of-life status and known vulnerabilities of D-Link NAS models DNS-340L, DNS-320L, DNS-327L, and DNS-325, these devices continue to find a marketplace on platforms such as eBay and other online resale venues. This ongoing sale of used units poses a significant cybersecurity risk, as many sellers and buyers may not be fully aware of the devices’ vulnerability to exploits. Alarmingly, at the time of writing, it is reported that over 80,000 of these units remain actively internet-facing, directly exposing them to potential exploitation by attackers leveraging the CVE-2024-3273 and CVE-2024-3274 vulnerabilities. The persistence of these devices in active operational environments underscores the critical need for heightened awareness and proactive measures among current users. Potential buyers should be cautioned against acquiring these models, and existing users are strongly advised to consider secure alternatives that receive current manufacturer support and updates, mitigating the risk of compromise.

I own a Synology/QNAP NAS, Should I Care? How to Automatically Get Updated When Synology and QNAP NAS Vulnerabilities are Reported

Pretty much ALL of the brands in NAS, data storage and cloud services have these security advisory pages, but the idea of checking these pages manually (i.e. bookmark etc.) every day, week or month is too much of a hassle for many. On the other hand, they all arrive with an RSS feed link that allows users to subscribe to updates, BUT many users are not even aware of how to apply an RSS feed (it's a complex XML feed of text that needs to be injected into an appropriate RSS feed client/agent, so yeah, hardly noob friendly). So, in order to make this 1000x easier, I have (and by me, I mean Eddie the Web Guy spent time on it and I made this article!) made this page that will be constantly updated with the latest vulnerabilities reported on the popular NAS brands and storage-related manufacturers. It is still being built (so more brands are being added) but it will allow you to just chuck your email address in (it will not be used for profit or spamming etc.) and then you will get an alert EVERY TIME a new security vulnerability is updated by the brands (this is automated, so it will appear here as soon as it appears on the respective security advisory page). Additionally, there will be links back to the brand/manufacturer site so you can find out more about individual exploits and vulnerabilities, how they work, what they do and (most importantly) get a better idea of whether you should update your NAS/storage system or not. I hope you find it helpful, and if you have any recommendations or ideas about what we should add to this page/service to make it even better, let us know in the comments or directly here: https://nascompares.com/contact-us


Comprehensive User Recommendations

Beyond immediate mitigation, users should consider several best practices for network device security:

  • Conduct regular security audits of network devices.
  • Update all devices to the latest firmware versions where possible.
  • Employ network firewalls and intrusion detection systems to monitor and control inbound and outbound traffic.
  • Practice the principle of least privilege by restricting device access to necessary personnel.

Conclusion

The vulnerabilities identified as CVE-2024-3273 and CVE-2024-3274 in D-Link NAS devices present significant security challenges. The absence of official firmware updates for these EOL products necessitates proactive user measures to mitigate risks. This analysis serves as a call to action for users to evaluate their network security posture critically, implement robust security measures, and ensure that all network-attached storage devices operate within their supported lifecycle.


VMware ESXi servers at a hosting provider encrypted by the new SEXi ransomware!

4 April 2024 at 07:33

A new ransomware gang nicknamed SEXi has managed to compromise the infrastructure of Chilean service provider IXMetro Powerhost! During this attack, the attackers encrypted VMware ESXi servers as well as backups! Let's take stock.

PowerHost is a service provider specialising in data centers and hosting, established in South America, notably through its IXMetro division, which is present in Chile, the United States and Europe.

Early on Saturday 30 March 2024, IXMetro suffered a cyberattack in which the attackers managed to encrypt several VMware ESXi servers used in particular to host customers' virtual private servers (VPS). As a result, the hosted services are unreachable.

IXMetro's teams are trying to restore their servers' and customers' data from earlier backups, but the task looks far from simple: the backups are encrypted too. Ricardo Rubem, CEO of PowerHost, says he tried to negotiate with the cybercriminals because he considered paying the ransom: "I negotiated with the hacker, who demanded an exorbitant amount of bitcoins per customer: 2 BTC for each, which is about 140 million dollars," he says.

The SEXi ransomware

The SEXi ransomware gang is reportedly a relatively recent threat, and this attack would be its first "big hit"! According to security researcher Germán Fernández, when files are encrypted by this ransomware, the ".SEXi" extension is used, and they are accompanied by a ransom note named "SEXi.txt".

According to BleepingComputer, this gang has been carrying out attacks since March 2023, but this remains to be confirmed. What is certain is that the SEXi group's cybercriminals target only VMware ESXi hypervisors, which makes it an additional threat to virtualisation infrastructures based on VMware by Broadcom.

For now, we do not know whether this ransomware gang uses double extortion, because at present it does not appear to have a dedicated data leak site.

The post VMware ESXi servers at a hosting provider encrypted by the new SEXi ransomware! first appeared on IT-Connect.

"We arrive in the middle of this state of panic": inside a cyberattack against a public administration

9 March 2024 at 20:02

Ransomware attacks are particularly feared because of their destructive effect on an organisation. A cybersecurity company tells us, from the inside, about the attack on a local authority.

A hacker gang pretends it has been arrested so as not to share the loot with the other hackers

8 March 2024 at 09:36

Hackers from the BlackCat group received a ransom of about 20 million euros from an insurance company, then disappeared with the money to avoid sharing the proceeds with the other criminals.

Play ransomware: in Switzerland, the Xplain attack led to the theft of 65,000 government documents

8 March 2024 at 07:40

In Switzerland, the National Cyber Security Centre (NCSC) has returned to the data leak that followed the ransomware attack suffered by the company Xplain. The attackers did indeed publish thousands of sensitive files belonging to the federal government.

For reference, in Switzerland the NCSC is the equivalent of ANSSI in France.

On 23 May 2023, the well-known Play ransomware gang managed to breach the infrastructure of Xplain, a major company in Switzerland. It is the IT services provider to the national and cantonal authorities. In June 2023, the Play ransomware gang published the stolen data on the Dark Web, claiming that it was sensitive and confidential data.

On Thursday 7 March 2024, the Swiss government published a new report following the NCSC's analysis of the data. The government confirms that 65,000 government documents were disclosed by the cybercriminals. This in fact corresponds to 5% of all the data stolen in this cyberattack, which involves 1.3 million files in total.

Regarding these 65,000 government documents:

  • 95% of these files concern the administrative units of the Federal Department of Justice and Police (FDJP): the Federal Office of Justice, the Federal Office of Police, the State Secretariat for Migration and the internal IT service centre ISC-FDJP.
  • 3% of these files come from two lightly affected entities: the Federal Department of Defence, Civil Protection and Sport (DDPS)
  • About 5,000 documents contained sensitive information, whether personal data (names, e-mail addresses, telephone numbers and postal addresses), technical details, classified information or even account passwords.

The report also states: "In addition, 278 files contained technical information such as documentation on IT systems, software requirements documents or architectural descriptions, 121 objects were classified in accordance with the Information Protection Ordinance and 4 objects contained readable passwords." This is probably a real goldmine of information for the cybercriminals who got hold of this data.

Analysing this data took several months of work, which is understandable given the quantity of files stolen in this cyberattack.

The post Play ransomware: in Switzerland, the Xplain attack led to the theft of 65,000 government documents first appeared on IT-Connect.

Ransomware: LockBit is already back and taunting law enforcement!

26 February 2024 at 08:12

Less than a week after Operation Cronos carried out by law enforcement, the LockBit cybercriminal gang is already back with new infrastructure. LockBit says it is ready to carry out new attacks and threatens to go after government entities. Here is what we know.

On Monday 19 February 2024, Europol and law enforcement agencies from several countries, including France, carried out Operation Cronos, which dealt a major blow to the activities of the LockBit ransomware gang. The authorities managed to take down several sites and seize 34 servers, as well as the ransomware's source code, decryption keys, etc. This made it possible to quickly create a decryption tool for LockBit 3.0.

On Saturday 24 February 2024, LockBit put online a new leak site associated with a new ".onion" address, which already lists 5 new victims! As always, this comes with a countdown to the publication of the stolen data.

PHP and the CVE-2023-3824 vulnerability

LockBitSupp, who heads LockBit, took the opportunity to give his opinion on what has just happened, and on the future. Law enforcement managed to hack the servers thanks to a PHP security flaw "because, after swimming in money for five years, I became very lazy," he says. Indeed, he states that he has pocketed 100 million dollars from this activity.

He says that the servers hosting the administration interfaces and the chat had not been updated, and that a vulnerable version of PHP was in use. According to him, the FBI exploited the critical security flaw "CVE-2023-3824" present in PHP 8.1.2 to compromise two servers. There is still some doubt about this, however, and the FBI may have exploited a zero-day vulnerability.

LockBit believes that law enforcement decided to attack its infrastructure to prevent the leak of certain compromising information relating to Donald Trump's court cases, which could affect the upcoming US elections. This gives LockBit ideas: attacking government entities more often, to see to what extent the FBI is able to retaliate. A way of taunting law enforcement.

It is also worth noting that he uses the term "FBI" to refer to the FBI but also to the law enforcement agencies of the other countries that took part in Operation Cronos: France, Switzerland, Japan, Sweden, Canada, etc.

LockBit wants to strengthen the security of its infrastructure

LockBit's members also seem determined to strengthen the security of their infrastructure, notably through decentralisation of information and better management of decryption keys. The aim is to make data recovery harder even when law enforcement manages to get hold of LockBit servers.

With this new infrastructure, the ransomware gang wants "maximum protection of decryptors for each company (victim)."

Even though LockBit is back, Operation Cronos remains a very fine piece of work! It has inevitably weakened LockBit in some way, if only in terms of trust between LockBit and its affiliates. Even so, let us be wary of "retaliation" in the coming weeks and months...

The post Ransomware: LockBit is already back and taunting law enforcement! first appeared on IT-Connect.

Police deal a blow to Lockbit's reputation by discrediting its leader

23 February 2024 at 15:21

Law enforcement has not revealed the identity of Lockbit's leader. However, the authorities' latest message looks like a manoeuvre to discredit LockbitSupp. Operation Cronos, which brought down this ransomware gang, is expected to have further major repercussions.

What the hackers of Lockbit, the hacker group everyone is talking about, look like

22 February 2024 at 14:25

An international police operation, involving the Gendarmerie nationale among others, has stopped the largest hacker group, Lockbit. The faces of some members of this gang are publicly known.

The two Lockbit hackers arrested by the Gendarmerie in Ukraine are a father and his son

22 February 2024 at 10:40

The Ukrainian national police and the Gendarmerie Nationale said they had arrested two members of the Lockbit hacker gang in a city in western Ukraine. They were in charge of, among other things, money laundering.

Solid international cooperation against the Lockbit group

By: UnderNews
20 February 2024 at 20:49

On Tuesday 20 February, the main website of the influential ransomware group LockBit was shut down following a coordinated police operation by 11 countries. This cyber-gang, active since 2020 and described as "the most prolific and most dangerous in the world" by Europol, claims more than 1,700 attacks since its creation. Press release […]

The post Solid international cooperation against the Lockbit group first appeared on UnderNews.

Operation Cronos – LockBit 3.0 ransomware: a decryption tool is available!

20 February 2024 at 14:40

The huge blow struck by law enforcement as part of Operation Cronos is confirmed: the decryption keys for the LockBit ransomware are in the hands of the authorities, which will make it possible to decrypt data for free!

Operation Cronos really is a major setback for the LockBit cybercriminal gang. Beyond shutting down the servers behind the criminals' showcase site, the authorities managed to recover the source code of the LockBit ransomware. This was confirmed by the UK's National Crime Agency (NCA).

As expected, more details about this operation are starting to emerge. First of all, the authorities were able to arrest 2 LockBit members in Poland and Ukraine. On top of that, 200 cryptocurrency accounts linked to the cybercriminal group were frozen.

Europol - LockBit ransomware takedown - February 2024

A decryption tool is available!

The authorities were able to shut down 34 servers used by the LockBit ransomware gang, on which they obtained more than 1,000 decryption keys! This is crucial information! Indeed, the authorities managed to create a decryption tool for LockBit 3.0!

The report published by Europol states: "With Europol's support, the Japanese police, the National Crime Agency and the Federal Bureau of Investigation have concentrated their technical expertise to develop decryption tools designed to recover files encrypted by the LockBit ransomware."

This decryption tool for LockBit 3.0 is available on the "No More Ransom" website! It should make it possible to recover data encrypted by the LockBit 3.0 ransomware without having to pay the ransom! According to a Eurojust report: "LockBit attacks are believed to have affected more than 2,500 victims worldwide."

A huge well done to law enforcement!

The post Operation Cronos – LockBit 3.0 ransomware: a decryption tool is available! first appeared on IT-Connect.

Ransomware: an international operation shuts down LockBit's servers!

20 February 2024 at 10:42

It's only February, and yet this could already be the coup of the year on the cybersecurity scene! The authorities have managed to take offline the website of LockBit, probably the most active cybercriminal gang of the past several years. Let's take stock of this operation!

Since 19 February 2024, the LockBit ransomware gang's website has been offline! The attackers used it as a showcase, since it served to publish victims' names as well as ransom amounts and the data stolen in the attacks.

The LockBit site now looks like this:

LockBit site offline, February 2024
Source: BleepingComputer

The UK's National Crime Agency commented on the matter: "The NCA can confirm that LockBit services have been disrupted as a result of international action. This is an ongoing and developing operation."

Law enforcement agencies and organisations from 11 countries are behind this operation, officially named Operation Cronos and conducted internationally. France took part through the Gendarmerie Nationale, but it was not alone, since the FBI was also involved, alongside Germany, Japan, Sweden, Canada and Switzerland.

According to the member LockBitSupp, believed to be the head of LockBit, who spoke via the Tox messaging service, the FBI managed to access LockBit's servers using a PHP exploit. Law enforcement also managed to take offline the interface dedicated to LockBit affiliates. A message indicates that LockBit's source code was seized (that of the ransomware?), along with conversations and information about victims.

As a reminder, the LockBit ransomware gang is behind several major cyberattacks, including in France:

It remains to be seen what the real impact of this operation will be on the malicious activities of the LockBit cybercriminal gang. Let's not forget that LockBit is a genuine criminal organisation, very well organised, with clear processes, and so on.

The authorities should comment on the matter soon. We can congratulate them on this excellent work in the fight against cybercrime!

The post Ransomware: an international operation shuts down LockBit's servers! first appeared on IT-Connect.

Police forces from 11 countries, including France, take down the site of Lockbit, the largest hacker gang

20 February 2024 at 05:00

The website of the Russian-speaking Lockbit hackers has been taken offline by law enforcement from several countries, including the Gendarmerie nationale. These attackers are responsible for several cyberattacks, including those against the Corbeil-Essonnes hospital, La Poste Mobile and the Loiret department.

RansomHouse ransomware relies on the MrAgent tool to automate attacks on VMware ESXi

15 February 2024 at 20:54

MrAgent is the name of the new tool developed by the RansomHouse ransomware gang! Its role? Automating its propagation from one VMware ESXi hypervisor to another to encrypt virtual machines. Let's take stock of this threat.

Launched in December 2021, RansomHouse is what is known as Ransomware-as-a-Service, and it was used to target large organisations throughout 2023, according to a Trellix report. It can attack VMware ESXi hypervisors in order to encrypt virtual machines, and it is far from the only ransomware with this capability.

And apparently the cybercriminals have decided to step things up by using a tool called MrAgent. It was discovered by Trellix analysts during investigations carried out in response to security incidents.

MrAgent works alongside the ransomware and receives orders from the attackers through a C2 server acting as an intermediary. Its purpose is to identify the local system, disable the firewall, and spread to other VMware ESXi hypervisors in order to do as much damage as possible. On each hypervisor where it manages to deploy, it automatically encrypts the virtual machines. It also monitors the hypervisor's activity to stop any processes that could interfere with the encryption operation.

The cybercriminals can configure MrAgent remotely to schedule the encryption of virtual machines, adjust encryption settings, or change the VMware hypervisor's password.

The Trellix report states: "The efforts made to (further) automate steps that are often carried out manually show both the attacker's interest in and willingness to target large networks." This is consistent with the fact that RansomHouse primarily targets large organisations.

Finally, Trellix analysts were also able to identify a Windows-compatible version of MrAgent. This shows that the RansomHouse ransomware gang aims to automate this process on both Linux and Windows machines.

The post RansomHouse ransomware relies on the MrAgent tool to automate attacks on VMware ESXi first appeared on IT-Connect.

A decryption tool is available for the Rhysida ransomware!

13 February 2024 at 06:15

Security researchers have identified a vulnerability in the way the Rhysida ransomware works! Thanks to it, they were able to develop a decryption tool that will allow victims to recover their data for free!

The Rhysida ransomware

This is the first time a decryption tool has been available for the Rhysida ransomware. It is fairly recent, having first been spotted in May 2023. This ransomware gang applies the double-extortion principle, like many other gangs, to put maximum pressure on victims.

In November 2023, in the United States, this ransomware gang, described as opportunistic, was the subject of a security alert issued jointly by the FBI and CISA.

A vulnerability in the encryption process

Last week, a decryption tool for the Rhysida ransomware was published by a group of researchers from Kookmin University in South Korea, in collaboration with KISA, the Korean agency specialising in Internet and security.

To develop this tool, the security researchers discovered a vulnerability in the ransomware's encryption scheme, and they were able to restore the state of the cryptographically secure pseudo-random number generator (CSPRNG) to obtain a decryption key.

In fact, they explain that this ransomware performs partial encryption of the data, like other ransomware, and at some point relies on the system time to obtain a value used to generate the encryption key. This value is not sufficiently secure (entropy too low) and it is predictable, in particular by identifying the time of infection.

The researchers developed a tool capable of testing multiple values. Once the right value is found, all the random numbers used by the ransomware to encrypt the data can be predicted, which makes it possible to restore the data without actually knowing the private key. The encryption operation is thus reversed.
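Added example (not from the article or from the researchers' tool): a toy model of the weakness described above, in which a keystream depends only on the system time, followed by recovery that tests candidate seconds around the estimated infection time. The XOR cipher, Python's `random.Random`, the PDF header check and all sample values are assumptions chosen for illustration; they are not Rhysida's actual algorithm.

```python
import math
import random

MAGIC = b"%PDF-"  # known file header, used to recognise a correct guess

# Constructed sample values (not taken from any real incident).
SAMPLE = b"%PDF-1.7\n% constructed sample document\n"
T_ENCRYPT = 1_700_001_234    # second at which the toy encryption ran
T_ESTIMATE = 1_700_000_000   # responder's estimate of the infection time


def keystream(seed: int, length: int) -> bytes:
    """Every output byte is a function of the seed alone."""
    rng = random.Random(seed)  # stand-in generator, NOT Rhysida's CSPRNG
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def toy_encrypt(plaintext: bytes, unix_time: int) -> bytes:
    """Weak design: the only secret is the wall-clock second."""
    return xor(plaintext, keystream(unix_time, len(plaintext)))


def search_space_bits(window: int) -> float:
    """Entropy of a seed known to lie within +/- window seconds."""
    return math.log2(2 * window + 1)


def recover_seed(ciphertext: bytes, around: int, window: int):
    """Test each candidate second; accept the one that yields the header."""
    head = ciphertext[:len(MAGIC)]
    for seed in range(around - window, around + window + 1):
        if xor(head, keystream(seed, len(MAGIC))) == MAGIC:
            return seed
    return None


def recover_file(ciphertext: bytes, around: int, window: int):
    """Regenerate the whole keystream from the recovered seed."""
    seed = recover_seed(ciphertext, around, window)
    if seed is None:
        return None
    return xor(ciphertext, keystream(seed, len(ciphertext)))
```

With the infection time known to within an hour, the seed carries under 13 bits of entropy, which is why file timestamps and logs that narrow the infection window matter for recovery.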

The good news is that there is a ready-to-use decryption tool, for Windows, available on the KISA agency's website. In principle, you can use this tool to restore data encrypted by the Rhysida ransomware.

It turns out that this vulnerability in the Rhysida ransomware's encryption process had already been known for several months by cybersecurity companies, as well as government entities such as CERT-FR. It could be used privately, without being disclosed as is the case here. As a result, many companies never had to pay the ransom to recover their data. Nicely done!

The post A decryption tool is available for the Rhysida ransomware! first appeared on IT-Connect.
