Multiple QNAP NAS Devices Targeted by eCh0raix Ransomware

Owners of QNAP network-attached storage (NAS) devices are reporting that their systems are being targeted with the eCh0raix ransomware, also known as QNAPCrypt. The attackers behind this malware ramped up their activity a few weeks before Christmas, gaining control of the devices with administrator privileges.

The surge in attacks 

According to BleepingComputer, users of QNAP and Synology NAS systems have been reporting eCh0raix ransomware attacks on a regular basis, but many more began disclosing incidents around December 20. The surge in the number of attacks is confirmed by the ID Ransomware service, where submissions started to increase on December 19 and peaked on December 26.

At this time it remains unclear how the attackers compromised the QNAP devices: some users claim that the attackers abused a vulnerability in the Photo Station software, while others admit they were careless and did not secure the device properly.

Regardless of the intrusion method, it appears that the attackers first create a user in the administrator group and then use it to encrypt the contents of the NAS. According to QNAP users, some of whom used the NAS for business purposes, the malware encrypted pictures and documents.

Another thing that stands out in this campaign is that the extension of the ransom note appears to be mistyped, as “.TXTT” was used. The extension does not affect the display of the instructions; however, some users may have to open the file with a specific program such as Notepad.

Threat actors demanded ransoms ranging from 0.024 bitcoin ($1,200) to 0.06 bitcoin ($3,000) in these recent attacks. Some users had no backups and paid the attackers to recover their files. “It is important to note that there is a free decryptor for files locked with an older version (before July 17th, 2019) of eCh0raix ransomware. However, there is no free solution to decrypt data locked by the latest variants of the malware (versions 1.0.5 and 1.0.6),” reported BleepingComputer.

eCh0raix/QNAPCrypt attacks started in June 2019 and have remained a continual threat ever since. QNAP warned its users earlier this year about a new wave of eCh0raix attacks that targeted devices with weak passwords.

Honeypots Experiment Discloses What Attackers Seek From IoT Devices

To understand why threat actors target specific devices, researchers at the National Institute of Standards and Technology (NIST) and the University of Florida conducted a three-year honeypot experiment involving simulated low-interaction IoT devices of diverse types and locations. The honeypot was intended to create a reasonably diverse ecosystem and gather data to determine the adversary's aims.

According to the researchers, IoT (Internet of Things) devices, which include small internet-connected gadgets such as cameras, lights, doorbells, smart TVs, motion sensors, speakers, and thermostats, constitute an expanding business. Over 40 billion of these devices are expected to be connected to the Internet by 2025, providing network access points or computing resources that can be abused for unauthorized cryptocurrency mining or as part of DDoS attacks.

The honeypot ecosystem designed by the researchers had three components: server farms, a vetting system, and data collection and processing infrastructure. To create a diverse ecosystem, the researchers installed the off-the-shelf IoT honeypot emulators Cowrie, Dionaea, KFSensor, and HoneyCamera.

The researchers made the honeypots look like real devices on Censys and Shodan, two specialized search engines that index internet-connected services. The three primary types of honeypots were:

• HoneyShell – emulating BusyBox
• HoneyWindowsBox – emulating IoT devices running Windows
• HoneyCamera – emulating various IP cameras from Hikvision, D-Link, and other vendors

The experiment yielded data from 22.6 million hits, with the vast majority targeting the HoneyShell honeypot. The various actors used similar attack patterns because their objectives and means of achieving them were the same.

For example, most attackers ran commands such as “masscan” to scan for open ports and “/etc/init.d/iptables stop” to disable the firewall. In addition, many attackers executed "free -m", "lspci | grep VGA", and "cat /proc/cpuinfo", all three aimed at gathering hardware information about the target device.

Interestingly, nearly a million hits were recorded testing the “admin / 1234” username-password combination, suggesting that these credentials are heavily overused in IoT devices. In terms of end goals, the researchers found that the HoneyShell and HoneyCamera honeypots were targeted mainly for DDoS recruitment and were frequently infected with a Mirai variant or a coin miner.

“Only 314 112 (13 %) unique sessions were detected with at least one successful command execution inside the honeypots,” reads the research paper. “This result indicates that only a small portion of the attacks executed their next step, and the rest (87 %) solely tried to find the correct username/password combination.”
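The metrics quoted above (share of sessions that got past the login stage, most-tried credential pair, and the recon command families) can be reproduced from honeypot logs. The following is an added example, not code from the paper or the honeypot projects; it assumes Cowrie-style JSON lines with `eventid`, `session`, `username`, `password` and `input` fields, and the log lines are constructed:

```python
import json
from collections import Counter

# Constructed sample in Cowrie's JSON-lines style (assumed field names; not data from the paper).
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","session":"s1","username":"root","password":"root"}
{"eventid":"cowrie.login.failed","session":"s1","username":"admin","password":"1234"}
{"eventid":"cowrie.login.success","session":"s2","username":"admin","password":"1234"}
{"eventid":"cowrie.command.input","session":"s2","input":"/etc/init.d/iptables stop"}
{"eventid":"cowrie.command.input","session":"s2","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.login.failed","session":"s3","username":"admin","password":"1234"}
{"eventid":"cowrie.login.success","session":"s4","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","session":"s4","input":"free -m"}
{"eventid":"cowrie.command.input","session":"s4","input":"lspci | grep VGA"}
{"eventid":"cowrie.login.failed","session":"s5","username":"user","password":"user"}
{"eventid":"cowrie.command.input","session":"s6","input":"masscan -p22 198.51.100.0/24"}
""".strip()

# Command families the paper describes; matched by substring, first family wins.
CATEGORIES = {
    "scan": ("masscan",),
    "disable_firewall": ("iptables",),
    "hardware_recon": ("free", "lspci", "cat /proc/cpuinfo"),
}

def classify(cmd):
    """Map one shell command line to a recon family, or 'other'."""
    for name, needles in CATEGORIES.items():
        if any(n in cmd for n in needles):
            return name
    return "other"

def summarize(log_text):
    """Count sessions, sessions with at least one executed command, credentials tried
    and command families, mirroring the paper's 13 % / 87 % style breakdown."""
    sessions, executed = set(), set()
    creds, cats = Counter(), Counter()
    for line in log_text.splitlines():
        ev = json.loads(line)
        sessions.add(ev["session"])
        if ev["eventid"].startswith("cowrie.login."):
            creds[(ev["username"], ev["password"])] += 1   # success or failure
        elif ev["eventid"] == "cowrie.command.input":
            executed.add(ev["session"])
            cats[classify(ev["input"])] += 1
    total = len(sessions)
    return {
        "sessions": total,
        "executed": len(executed),
        "executed_pct": round(100 * len(executed) / total, 1) if total else 0.0,
        "top_creds": creds.most_common(1),
        "categories": dict(cats),
    }
```

On real Cowrie output, sessions without a successful login still appear in the session set, so the executed percentage is computed against all sessions, as in the quoted result.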

Security System Enhanced by Google and Mozilla

The development teams at Google and Mozilla have shared their progress on minimizing classic web security attack vectors such as cross-site request forgery (CSRF) and cross-site scripting (XSS). The latest browser security features promise to eliminate, or at least drastically reduce, these classic attack vectors.

In a blog post last year, Google described how it strengthened its security mechanisms and protected its applications from common web vulnerabilities. The features safeguarding its applications are a Content Security Policy based on script nonces, Trusted Types, Cross-Origin Opener Policy, and Fetch Metadata Request Headers.

These security mechanisms protect applications from injection attacks and improve isolation. Google stated that even if an attacker injects a small piece of malicious script, “the browser will refuse to execute any injected script which doesn’t identify itself with the current nonce”, which limits the impact of any server-side injection vulnerability, including reflected XSS.

Content Security Policy (CSP) was refined through Google's enforcement of these developments, and the company stated that “CSP has mitigated the exploitation of over 30 high-risk XSS flaws across Google in the past two years. Nonce-based CSP is supported in Chrome, Firefox, Microsoft Edge, and other Chromium-based browsers. Partial support for this variant of CSP is also available in Safari”.

Meanwhile, a Mozilla spokesperson told The Daily Swig that Mozilla's security was boosted by the introduction of Project Fission last year and that the Firefox security team has played a major role in making the internet more secure for all users. He added that the team's primary focus has been Project Fission, Mozilla's implementation of Site Isolation in Firefox; currently, Project Fission can be tried out in the Nightly version of the browser.

Project Fission, along with Cross-Origin Opener Policy and Cross-Origin Embedder Policy, is part of Mozilla's mitigations against Spectre-style attacks. Browsers must add the security mitigations that today's browsing experience requires.

Santiago Diaz, an information security manager at Google, stated that on the injection side Trusted Types and CSP3 are “battle-tested mitigations that make the vast majority of DOM-based XSS unexploitable when used correctly”.
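Two of the mechanisms described above, a nonce-based CSP and a Fetch Metadata resource isolation policy, can be implemented server-side in a few lines. The following is an added example, not code from Google's blog post or from any Google or Mozilla project; the helper names (`csp_header`, `render_page`, `resource_isolation_allows`) are assumptions, and the functions are framework-agnostic so they can be wired into any Python web handler:

```python
import secrets
from html import escape

def make_nonce():
    # 128 bits of randomness, base64url-encoded, generated fresh for every response.
    return secrets.token_urlsafe(16)

def csp_header(nonce):
    # Nonce-based CSP: only scripts carrying the current nonce run; 'strict-dynamic'
    # lets those scripts load further scripts; 'unsafe-inline' and https: are
    # fallbacks ignored by browsers that understand nonces. Trusted Types is
    # enforced for DOM sinks via require-trusted-types-for.
    return ("script-src 'nonce-%s' 'strict-dynamic' 'unsafe-inline' https:; "
            "object-src 'none'; base-uri 'none'; "
            "require-trusted-types-for 'script'" % nonce)

def render_page(nonce, user_input):
    # The legitimate script is tagged with the nonce; user-controlled text is escaped,
    # and any <script> that slipped through would still lack the nonce and be refused.
    return '<script nonce="%s">init();</script><p>%s</p>' % (nonce, escape(user_input))

ALLOWED_SITES = {"same-origin", "same-site", "none"}   # "none" = user-initiated request

def resource_isolation_allows(headers, method):
    """Fetch Metadata resource isolation policy: accept same-site and user-initiated
    requests; accept cross-site requests only as top-level GET navigations that are
    not loaded into <object>/<embed>; reject every other cross-site request (CSRF,
    XSSI, cross-site probes)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    site = h.get("sec-fetch-site")
    if site is None:                  # browser without Fetch Metadata: fall through
        return True
    if site in ALLOWED_SITES:
        return True
    if (h.get("sec-fetch-mode") == "navigate" and method == "GET"
            and h.get("sec-fetch-dest") not in {"object", "embed"}):
        return True
    return False

def handle(headers, method, user_input):
    """Apply the isolation policy, then emit the page with a per-response nonce."""
    if not resource_isolation_allows(headers, method):
        return 403, {}, ""
    nonce = make_nonce()
    return 200, {"Content-Security-Policy": csp_header(nonce)}, render_page(nonce, user_input)
```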