ech0raix


  • Macace
    Macace Posts: 9  Freshman Member

    @Simon01:
    Do you also have three or more fake users?

    @all
    I have updated the infected NAS to the newest firmware without HDDs. After that I did a factory reset. Then I inserted another HDD in the NAS for a test. At the moment it works.

    The owner of my infected NAS planned to pay the 0.019 BTC because her backup was partly defective.

  • Macace
    Macace Posts: 9  Freshman Member
    edited July 2

    We planned to restore the infected HDDs with a desktop PC. After that we will do an all-sector format of the HDDs.

    Originally it was a RAID 1 system. Now we make two volumes. The second volume is only for the internal automatic backup system.

    Also we do a manual external backup via PC and an imaging program (e.g. EaseUS or Acronis).

    There is no official statement on this from Zyxel to date. We did not know how the NAS was hacked. Very bad customer service; this was my last product from this company!

    There is the possibility to install OpenMediaVault on the NAS. This will also be an option for the future.

  • Mijzelf
    Mijzelf Posts: 2,741  Guru Member

    There is no official statement on this from Zyxel to date. We did not know how the NAS was hacked. Very bad customer service; this was my last product from this company!

    Although I agree that ZyXEL could have said something about this malware, I think it's perfectly possible that ZyXEL also doesn't know which vulnerability was used to get in. There are no logs. The malware tries to hide itself, and how it got in. When you look at the release notes of ABAG.14, you see that some vulnerabilities are addressed:

    [SI-1545][Issue 3-2] Privilege escalation vulnerability 2
    [SI-1545][Issue 4] Remote code execution vulnerability
    [SI-1545][Issue 5] Arbitrary file upload and remote code execution vulnerability
    [SI-1545][Issue 6] Unauthenticated backdoor vulnerability
    [SI-1545][Issue 7] Weak password generation for privileged user vulnerability

    But I can imagine that not everything is addressed. Finding vulnerabilities is tough work. Yesterday it was announced that a vulnerability was found in OpenSSH. The story reads like a detective novel. It has been there for years, and OpenSSH is one of the best monitored software packages in the world.

  • Simon01
    Simon01 Posts: 3

    @Macace

    Yes, I have a new fake user in my NAS542, but only one.

    My NAS542 is configured with 3 x 4 TB hard disks.

    One of the 4 TB hard disks is used/reserved for RAID 5, so actually there is 8 TB usable.

    When I observed the infected NAS542, I made a panic solution:

    1. Power down the NAS542 and switch the main power OFF.

    2. Open my network router and close all ports that were used for external NAS access.

    3. Power down all units on my local network.

    4. Restart the NAS542.

    5. Log in with an iPad (safer with Apple iOS 17.5.1 on the iPad?).

    6. When the NAS542 login page was shown, it recommended a firmware update, and I answered YES.

    7. After the update, checked user logins and file names (all saved files had the extension xxx.encrypt).

    8. Changed the admin login password.

    9. Power the NAS542 down and go to stand-by.

    I guess it is a good idea to do a factory reset and then start on a default NAS542.

    I am ready to change my RAID 5 setup to RAID 1 and then start with one hard disk only.

    Is it possible to run a low-level format of the hard disks with the NAS542's internal operating system/software? (Factory reset before and after the HD format.)

    If not, I guess I would buy a new single hard disk and do a factory reset.
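The two indicators the posters in this thread checked by hand, files renamed with a trailing `.encrypt` extension and user accounts the owner never created, can be checked with a small triage script run from a PC against a mounted copy of the share (or a disk image). The script below is an added example and is not code from any poster here or from Zyxel. It assumes the account list is available in passwd(5) format (a plain `name:x:uid:gid:gecos:home:shell` file; how a NAS exposes that is not covered by the thread) and it uses a constructed directory tree and constructed passwd text so it runs offline. It generalises slightly beyond the thread by ranking the affected directories, which helps decide which data sets the intact backup must cover.

```python
"""Triage helper for two ransomware indicators discussed in the thread:
files carrying a '.encrypt' suffix and unexpected user accounts.
Added example with constructed sample data, not from the original thread."""
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypt"   # extension reported by the posters

# Constructed passwd(5)-style text; 'svc_backup' stands in for a planted account.
CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:100:admin:/home/admin:/bin/sh
simon:x:1001:100::/home/simon:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
svc_backup:x:1002:100::/tmp:/bin/sh
"""
# Accounts the owner knows they created (assumption for the example).
KNOWN_USERS = {"root", "admin", "simon", "nobody"}


def find_encrypted_files(root):
    """Walk `root`; return (list of hit paths, Counter of hits per directory)."""
    hits = []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                hits.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return hits, per_dir


def unexpected_accounts(passwd_text, known_users):
    """Parse passwd(5)-style lines and return the accounts not in known_users.

    Each result records uid, whether it is uid 0 (a second root is the worst
    case) and the login shell, so a reviewer can prioritise quickly."""
    unknown = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed line; skip rather than guess
            continue
        user, uid, shell = fields[0], fields[2], fields[6]
        if user not in known_users:
            unknown.append({"user": user, "uid": int(uid),
                            "uid0": uid == "0", "shell": shell})
    return unknown


def populate_sample_tree(base):
    """Create a constructed share layout: three renamed files, one untouched."""
    layout = {
        "photos/a.jpg.encrypt": b"ciphertext",
        "photos/b.jpg.encrypt": b"ciphertext",
        "docs/c.pdf.encrypt": b"ciphertext",
        "docs/readme.txt": b"plain text",
    }
    for rel, data in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Run both checks on the constructed data and return a summary dict."""
    base = tempfile.mkdtemp(prefix="nas_triage_")
    try:
        populate_sample_tree(base)
        hits, per_dir = find_encrypted_files(base)
        worst = per_dir.most_common(1)[0][0] if per_dir else None
        accounts = unexpected_accounts(CONSTRUCTED_PASSWD, KNOWN_USERS)
        return {
            "encrypted_count": len(hits),
            "worst_dir": os.path.relpath(worst, base) if worst else None,
            "unknown_users": [a["user"] for a in accounts],
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    summary = demo()
    print(f"encrypted files: {summary['encrypted_count']}")
    print(f"most affected directory: {summary['worst_dir']}")
    print(f"accounts not on the owner's list: {summary['unknown_users']}")
```

On a real disk, point `find_encrypted_files` at the mount point of the affected volume (read-only) instead of the constructed tree; the account check only tells you which names are unexpected, not who created them, so treat a hit as a reason to rebuild from a clean firmware rather than as proof on its own.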

  • Macace
    Macace Posts: 9  Freshman Member
    edited July 3

    Hello

    A low-level format is not possible with the NAS in the normal way.

    1. Remove all drives.

    2. Do a factory reset.

    3. Upgrade to the newest FW, ABAG.15.

    4. Insert only one drive. All data is not readable because it was from a RAID 5, so in my opinion it should be safe enough.

    5. Create a new volume with that drive.

    RAID 1 makes no sense for me after this. Create two or three single volumes with the three HDDs and use one of them for internal backup.

    Access the NAS from outside in the future only via VPN (e.g. with WireGuard from the Fritzbox).

  • Macace
    Macace Posts: 9  Freshman Member

    @Mijzelf:

    You are more active in the forum than me. Are there also official Zyxel workers here, as in the past in the old forum?

    A main problem with the NAS is also that no automatic warning is possible that the firmware is old and should be updated. Which user looks at this when his NAS works?

    Btw, the price for a new NAS542 is sinking rapidly at the moment…

  • lucirau
    lucirau Posts: 7  Freshman Member

    I don't have a backup for my files; do you know if there is a way to recover my documents? Thanks.

  • Macace
    Macace Posts: 9  Freshman Member
    edited July 4

    I have had a call with the company Kroll Ontrack.

    They are specialists for such problems. No way, because it is the newer version of this ransomware.

    The only way is to pay and hope you get the key. 50:50 chance.

  • Mijzelf
    Mijzelf Posts: 2,741  Guru Member

    @Macace

    Are there also official Zyxel workers here, as in the past in the old forum?

    Yes, but not often. You can recognize them by their nicknames starting with Zyxel_.

    A main problem with the NAS is also that no automatic warning is possible that the firmware is old and should be updated. Which user looks at this when his NAS works?

    What do you mean? A sonic alarm that a new firmware is available? E-mail? AFAIK the firmware warns you that a new firmware is available when you log in to the web interface (unless you switched off the automatic check).

    And yes, the firmware is old. I suppose that is one of the reasons that a Zyxel costs half of what a corresponding Synology costs.

  • Macace
    Macace Posts: 9  Freshman Member
    edited July 4

    An e-mail warning, as Synology does it, would be a good solution in my opinion.

    Yes, it costs half of a Synology; this was the main reason to buy it, because the hardware power was nearly the same.

    I will try to install OMV on one Zyxel. If this works well, that will be a possible solution for a low-cost system. The second cheap way is Xpenology bare metal.

    I have found some new info; if I read it correctly, the problem was officially reported and a few days later the hackers did it.

    Here is the related info:

    https://www.theregister.com/2024/06/05/zyxel_emergency_patches_nas/

    https://www.theregister.com/2024/06/24/mirailike_botnet_zyxel_nas/
