A Hacker Gang is Wiping Lenovo NAS Devices and Asking for Ransoms

A hacker group going by the name of 'Cl0ud SecuritY' is breaking into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, wiping files, and leaving ransom notes behind asking owners to pay between $200 and $275 to get their data back. From a report: Attacks have been happening for at least a month, according to entries on BitcoinAbuse, a web portal where users can report Bitcoin addresses abused in ransomware, extortions, cybercrime, and other online scams. Attacks appear to have targeted only LenovoEMC/Iomega NAS devices that are exposing their management interface on the internet without a password. ZDNet was able to identify around 1,000 such devices using a Shodan search.

Color me shocked

[jonwil]

If you connect a device to the internet with no password, its vulnerable to hackers.

The lesson to anyone who owns one of these is to set a password on the thing (or better yet, don't connect it to the open internet in the first place)

Re:

[Presence Eternal]

Very true, although I think the summary may be talking about an IPMI exploit, not the database interface itself. I'm not sure one even has to interact with it and could set up an otherwise highly secure database without knowing it's there or how broken they can be.

The one on my NAS motherboard has a lot of elements that don't even work anymore because of old javascript and expired certificates that I'm not allowed to bypass in a modern browser because fuck me.

Related reading on the topic

[Presence Eternal]

https://www.itworld.com/articl... [itworld.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[cusco]

If you look around there are a few Portable Apps installs of some older browsers available that might work. Unfortunately Portable Apps doesn't keep around archive versions of their apps, just the latest and greatest, so it may take some searching. I have an old Portable Firefox version that I use occasionally. There are a few ancient security cameras that won't work in modern browsers, and if we need to configure them I can fire it up and still get at them. Fortunately they're scheduled to go away this

Re:

[kingbilly]

TP-Link "business" routers are related to your second paragraph too. They only support TLS 1.0 which is going to be dropped from all major browsers shortly. How the hell they couldn't be bothered to add TLS 1.2 which has been in use for many years, after all this time, I don't even...

We just bought a backup router from them about 14 months ago. When I reported the TLS situation 6 months ago, they updated their website listing for the product to include "End of Life" over the product image. Nice.

Re:Color me shocked

[BringsApples]

The term "hack" came from a form of entry whereby one would hack the door down, piece by piece. I don't really know that anyone knows that anymore. So, if the door is either unlocked, ajar or completely wide open, walking thru it certainly wouldn't constitute a "hack". For the same reasoning, leaving your goddamned file server on the internet with no password is leaving it wide open, and there is no "hack" to gain access. It's just like when you reach out to an IP address on port 80, and there's a web server that responds. You don't count that as a hack. WTF is this bullshit article?

Oh, posted by "msmash". Never mind.

Re:

[ChrisMaple]

The meaning of hack is broader than that, and always has been. It derives from old middle English, meaning to cut crudely, as with an axe. (Oxford Universal Dictionary)

Re:

[BringsApples]

Yes, you're correctly saying the same thing that I'm saying. It literally means to chop your way through the thing that's in your way (a 'brute-foce attack" means the same thing, with the added bonus of a certain amount of 'recklessness' being involved, too). I assume that you share in my point that if there's nothing in your way, then there can be no hacking.

Re:

[Flabby Boohoo]

Shut up.

Re:

[BringsApples]

you mad, bro?

Re:

[gweihir]

If you connect a device to the internet with no password, its vulnerable to hackers.

The lesson to anyone who owns one of these is to set a password on the thing (or better yet, don't connect it to the open internet in the first place)

For variable Values of "hackers". These people seem to be script-kiddies going after the the low-hanging fruit or rather the windfall. It is like those attacked left their data lying around somewhere on the street.

LOL

[phantomfive]

Never put your database on the open web. Security is not the primary focus of database developers.

Use a firewall, this is a hacking problem you can prevent 100%. It should never happen to you.

It's a hard drive, but your point stands

[raymorris]

FYI NAS stands for Network Attached Storage. It's an external hard drive with an Ethernet port. Still, your point stands.

    Don't connect ANYTHING to the internet without a strong passphrase or key, and don't connect anything to the internet thay doesn't need to be connected to the internet, and if it does need to be connected to the internet don't enable the admin interface on the internet side.

Ps don't connect before patching

[raymorris]

Also:

Don't connect anything to the internet before installing the latest security updates.

The mean time to compromise for unpatched Windows instances on AWS is measured in MINUTES.

Re:

[Anonymous Coward]

Luckily the mean time to compromise for patched Windows instances is HOURS.

Whew.

Re:

[AmiMoJo]

Good password isn't enough, you can't trust the firmware not to have vulnerabilities. The only decent solution is to lock it away behind a firewall and VPN in if you need to.

Re:

[raymorris]

While in the specific case of this particular type of NAS I can't see much reason to expose one on the internet with anything but read access, more generally:

As you typed that, you were probably using a device that is MUCH more likely to have bad vulnerabilities, and you connect it directly to the internet every day.

Further, you were using a file server directly connected to the internet with no VPN, with WRITE access enabled on the internet.

If people followed your rules generally, we wouldn't have Slashdot

Re:

[pnutjam]

Bullshit, my phone has no open tcp ports. It is behind a firewall. My wifi has a firewall and the cellular network provider runs a NAT as well. Ports are not wide open.

Re:

[raymorris]

> cellular network provider runs a NAT

Repeat after me:
NAT is not a firewall.

NAT kinda accidentally sometimes has one of the effects that a firewall has, sometimes. NAT is not a replacement for a firewall.

Ransom?

[fahrbot-bot]

Or reward? They're Lenovo systems, surely they're purging a bunch of bloat/spyware and if they'll also scrub off Windows and install/configure Linux or BSD, then ... sounds like a service.

Re:

[youngone]

They are Iomega NAS boxes, so might not be running Windows at all.
They might be something like this. [amazon.com] Because it is from Iomega it will be insecure by design and all support will end the minute you buy one. They are also "cloud" devices, so probably have to phone home somehow to continue working, hence the hack.

On a more positive note, the drives will fail really quickly, so you will lose all your data without being hacked. Them you will throw your Iomega piece of shit in the recycling bin and buy somet

Re:

[thegarbz]

Can I honestly ask WTF you guys expect from users?

User: I use Onedrive it came with my account.
Nerd: Don't use something for free. You get what you pay for, your data could be gone at any moment.
User: I pay for a Cloud data storage server.
Nerd: That's trusting someone else's computer man. You should host your own stuff.
User: Fine, I bought my own NAS with cloud features. But now I have problems and got hacked.
Nerd: That's good you deserve to be hacked for being a stupid user rather than some superior higher

Re:

[bill_mcgonigle]

We expect NAS vendors to require a user to set up some kind of security (password, acl, cert, etc) before the device works as a NAS.

Vendors are cheap and lazy and won't even bother to write a basic installer.
They externalize the costs by orders of magnitude onto their hapless user base.

Tyranny of the defaults.

Re:

[thegarbz]

We expect NAS vendors

Yes we do, but that has nothing to do with the GP's claim that we're somehow doing a consumer a service for messing up a device they bought because they were put down a path the nerdy among us set them on.

If NAS's are so bad, then it's up to us to go back to recommending people use "someone else's computer" and recognise that staying away from the cloud is not something that is in the best interest of consumers. We can't have it all ways.

These guys are smart

[mamba-mamba]

They are only asking 200 bucks. They are smart. To be honest, I would almost say it is a fair price for network security consulting. Except that since it is non-consensual, it can't be considered fair.

It's a fee for being a dumbass, basically

[Rick Schumann]

Put your NAS on the internet without a password/with a default password? Who does that? Dumbasses.
It's so simple a scam and they're asking so little. Five bucks says it's some script-kiddies.

Re:It's a fee for being a dumbass, basically

[BenJeremy]

That's not what is happening.

This issue has been going on for the past year, and there is an update to fix the problem.

The problem is that if you expose the system's "personal cloud" software to the internet through your router, there was some sort of exploit that allowed hackers to erase files and write files. They cannot read files. It isn't a "default login/password" issue. Hackers wipe out the drive, and leave a ransom note to scam people into giving them money to "recover" files that are simply gone.

If you update to the May 2020 firmware, or simply never enable the "Personal Cloud" feature - or never expose that feature to the internet, there is no issue with hackers.

Re:

[Rick Schumann]

Ah, I see. That is different.
'The Cloud' is a joke anyway. So it's still a dumbass fee if you enabled that, then. xD

Manufacturers just make it too easy.

[AxisOfPleasure]

The problem is that so many people are just buying tech, plugging into their routers as the instructions tell them. The basic setup usually asks for a change of password to the admin account and that's all the guidance people ever get. It doesn't tell to patch regularly, it's doesn't tell or even order them to cycle passwords, let alone any mention of 2FA through a phone app. Nothing.

Get a copy of nmap and just scan the local subnet "outside your frontdoor" and within 60 seconds you'll find way too many devices just plugged in with default settings ripe for the picking.

Re:Manufacturers just make it too easy.

[gweihir]

The problem is that so many people are just buying tech, plugging into their routers as the instructions tell them. The basic setup usually asks for a change of password to the admin account and that's all the guidance people ever get.

Well, from the article, these people did not even do the password change. And worse, people are doping the same stupid thing with cloud storage containers that they are going to put privacy relevant data on in a commercial context. Quite a bit of "professional IT" seems to be on cretin-level these days.

Iomega?

[rundgong]

Iomega? That's a name I haven't heard in a while.

Does anyone know if my Zip drive is vulnerable?

Re:

[Joe2020]

Does anyone know if my Zip drive is vulnerable?

No ... Unless your Zip drive has got an ethernet port or a wifi/bluetooth adapter builtin?!

Lenovo NASes suck, I have tried them in the past

[Your Average Joe]

These devices suck, if they put more RAM and FLASH on them they would be something that might be used with an alternate OS. If they were not soldered on a PCB they would also have a second life.