ech0raix


  • Macace
    Macace Posts: 9  Freshman Member
    edited July 2

    We planned to restore the infected HDDs with a desktop PC. After that we do an all-sector format of the HDDs.

    Originally it was a RAID 1 system. Now we make two volumes. The second volume is only for the internal automatic backup system.

    Also we do a manual external backup via PC and an image program (e.g. EaseUS or Acronis).

    There is no official statement on this from Zyxel until today. We do not know how the NAS was hacked. Very bad customer service; this was my last product from this company!

    There is a possibility to install OpenMediaVault on the NAS. This will also be an option for the future.

  • Mijzelf
    Mijzelf Posts: 2,762  Guru Member

    There is no official statement on this from Zyxel until today. We do not know how the NAS was hacked. Very bad customer service; this was my last product from this company!

    Although I agree that ZyXEL could have said something about this malware, I think it's perfectly possible that ZyXEL also doesn't know which vulnerability is used to get in. There are no logs. The malware tries to hide itself, and how it got in. When you look at the release notes of ABAG.14, you see that some vulnerabilities are addressed:

    [SI-1545][Issue 3-2] Privilege escalation vulnerability 2
    [SI-1545][Issue 4] Remote code execution vulnerability
    [SI-1545][Issue 5] Arbitrary file upload and remote code execution vulnerability
    [SI-1545][Issue 6] Unauthenticated backdoor vulnerability
    [SI-1545][Issue 7] Weak password generation for privileged user vulnerability

    But I can imagine that not everything is addressed. Finding vulnerabilities is tough work. Yesterday it was announced that a vulnerability was found in OpenSSH. The story reads like a detective novel. It has been there for years, and OpenSSH is one of the best monitored software packages in the world.

  • Simon01
    Simon01 Posts: 3

    @Macace

    Yes, I have a new fake user in my NAS542, but only one.

    My NAS542 is configured with 3 x 4TB hard disks.

    One of the 4TB hard disks is used/reserved for RAID 5, so actually there are 8TB usable.

    When I observed the infected NAS542, I made a panic solution:

    1. Power down NAS542 and switch main power OFF.

    2. Open my network router and close all ports that were used for external NAS access.

    3. Power down all units on my local network.

    4. Restart NAS542.

    5. Login with iPad (more safe with Apple iOS iPad 17.5.1?).

    6. When the NAS542 login page was shown, it recommended a firmware update, and I answered YES.

    7. After update, checked user login, file names (all saved files extended xxx.encrypt).

    8. Changed admin login password.

    9. Power NAS542 down, and go stand-by.

    I guess it is a good idea to make a factory reset and then start on a default NAS542.

    I am ready to change my RAID 5 setup to RAID 1 and then start with one hard disk only.

    Is it possible to run a low-level format of the hard disks with the NAS542 internal operating system/software? (Factory reset before and after HD format)

    If not, I guess I would buy a new single hard disk and make a factory reset.

  • Macace
    Macace Posts: 9  Freshman Member
    edited July 3

    Hello

    Low-level format is not possible with the NAS in the normal way.

    1. Remove all drives.

    2. Do a factory reset.

    3. Upgrade to the newest FW, ABAG.15.

    4. Insert only one drive. All data is not readable because it was from a RAID 5, so in my opinion it should be safe enough.

    5. Create a new volume with that drive.

    RAID 1 makes no sense for me after this. Create two or three single volumes with the three HDDs and use one of them for internal backup.

    Access from outside to the NAS in the future only via VPN (e.g. with WireGuard from the Fritzbox).

  • Macace
    Macace Posts: 9  Freshman Member

    @Mijzelf:

    You are more active in the forum than me. Are there also official Zyxel workers here, as in the past in the old forum?

    A main problem of the NAS also is that there is no automatic warning possible that the firmware is old and should be updated. Which user looks at this when his NAS works?

    Btw, the price for the new NAS542 is sinking rapidly at the moment…

  • lucirau
    lucirau Posts: 7  Freshman Member

    I don't have a backup of my files; do you know if there is a way to recover my documents? Thanks.

  • Macace
    Macace Posts: 9  Freshman Member
    edited July 4

    I had a call with the company Kroll Ontrack.

    They are specialists for such problems. No way, because it is the newer version of this ransomware.

    The only way is to pay and hope you get the key. 50:50 chance.

  • Mijzelf
    Mijzelf Posts: 2,762  Guru Member

    @Macace

    Are there also official Zyxel workers here, as in the past in the old forum?

    Yes, but not often. You can recognize them by their nicknames starting with Zyxel_.

    A main problem of the NAS also is that there is no automatic warning possible that the firmware is old and should be updated. Which user looks at this when his NAS works?

    What do you mean? A sonic alarm that new firmware is available? E-mail? AFAIK the firmware warns you that new firmware is available when you log in on the web interface (unless you switched off the automatic check).

    And yes, the firmware is old. I suppose that is one of the reasons that a Zyxel costs half of what a corresponding Synology costs.

  • Macace
    Macace Posts: 9  Freshman Member
    edited July 4

    An e-mail warning, as Synology does it, would be a good solution in my opinion.

    Yes, it costs half of a Synology; this was the main reason to buy it, because the hardware power was nearly the same.

    I will try to install OMV on one Zyxel. If this works well, that will be a possible solution for a low-cost system. The second cheap way is Xpenology bare metal.

    I have found some new info; if I read it correctly, the problem was officially reported and a few days later the hackers had done it.

    Here is the related info:

    https://www.theregister.com/2024/06/05/zyxel_emergency_patches_nas/

    https://www.theregister.com/2024/06/24/mirailike_botnet_zyxel_nas/

  • Simon01
    Simon01 Posts: 3

    @Macace

    Hello

    I went to my local PC shop and bought two new hard disks.

    1. Before mounting HDs in my NAS542, I removed all old HDs.

    2. Made a factory reset (once again) and updated firmware to ABAG.15.

    3. Mounted the two brand-new HDs and powered up (100% clean HDs).

    4. After power up, selected RAID 1 (two HDs).

    5. All looked OK: login, changed password, checked both HDs installed correctly.

    6. BUT, after 10 minutes, something strange happened:

    Both HDs were very busy; the LEDs were flashing very fast. (Maybe it is normal?)

    I was a little worried, so I made checks/screen dumps of the log file.

    Log (Partly):

    Approximately 12 minutes after power up:

    Class: backup Severity: info Message: zysync server v2.00 starting, listening on port 873

    Approximately 20 minutes after power up:

    Class: user Severity: notice Message: Add new user zin7hcFg_V07- - - -

    After the above, I checked the NAS542 registered users:

    #1: admin System default user (After factory reset)

    #2: pc-guest Guest (After factory reset)

    #3: zyxel@”My e-mail addr” Cloud user (Automatic Add-on user after power-up?)

    I am a little surprised about user #3; I used this mail address for Zyxel registration 8 years ago? (Not since; I normally open a specific mail address for companies.)

    After a factory reset, I expected all these settings to be totally cleared?

    After approximately 25 minutes, I powered NAS542 down, because of a bad feeling that something was wrong!

    I have removed both new HDs and made a new factory reset, so now I am on standby once again.

    What happened inside this NAS542?
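Added example, not from the thread or from Zyxel: a small Python checker that parses log lines in the "Class / Severity / Message" layout Simon01 quoted and flags any "Add new user" event whose account is not in the post-reset set (admin, pc-guest, and the zyxel@<mail> cloud account), which is the event that would catch an ech0raix-style fake user; it also lists new listeners (such as the zysync server on port 873) for review. The sample log is constructed around the two lines from the post; the e-mail address and the remaining lines are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "Class/Severity/Message" layout quoted in the thread: the first two
# lines are the ones Simon01 posted, the remaining ones are made-up benign entries.
SAMPLE_LOG = """\
Class: backup Severity: info Message: zysync server v2.00 starting, listening on port 873
Class: user Severity: notice Message: Add new user zin7hcFg_V07- - - -
Class: user Severity: notice Message: Add new user zyxel@owner@example.invalid
Class: user Severity: notice Message: Add new user pc-guest
Class: system Severity: info Message: Firmware upgrade finished
"""

LINE_RE = re.compile(r"^Class:\s*(?P<cls>\S+)\s+Severity:\s*(?P<sev>\S+)\s+Message:\s*(?P<msg>.*)$")
NEW_USER_RE = re.compile(r"^Add new user\s+(?P<name>\S+)")
LISTEN_RE = re.compile(r"listening on port (?P<port>\d+)")
# Accounts Simon01 found after a factory reset, plus the "zyxel@<mail>" cloud account pattern.
EXPECTED_USERS = {"admin", "pc-guest"}
CLOUD_USER_PREFIX = "zyxel@"

@dataclass(frozen=True)
class Alert:
    kind: str    # "unexpected-user" or "listener"
    detail: str  # account name or port number
    line: str    # the raw log line that triggered the alert

def parse_line(raw):
    """Return (class, severity, message) or None for lines not in the NAS log layout."""
    m = LINE_RE.match(raw.strip())
    return (m.group("cls"), m.group("sev"), m.group("msg")) if m else None

def scan_log(text):
    """Flag account creations outside the expected set; also list new listeners for review."""
    alerts = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        cls, _sev, msg = parsed
        m = NEW_USER_RE.match(msg) if cls == "user" else None
        if m:
            name = m.group("name").rstrip("-")  # the posted line carries trailing "- - - -"
            if name not in EXPECTED_USERS and not name.startswith(CLOUD_USER_PREFIX):
                alerts.append(Alert("unexpected-user", name, raw))
        m = LISTEN_RE.search(msg)
        if m:
            alerts.append(Alert("listener", m.group("port"), raw))
    return alerts

if __name__ == "__main__": print(*scan_log(SAMPLE_LOG), sep="\n")
```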
