Wednesday, April 28, 2021

Hackers


It's been a hectic few days for me. I discovered on Monday that my NAS drive (where I archive old documents, photos and music) had been hacked and that the hackers had managed to upload a modified version of a utility program (7zip) which ran through all of my files and encrypted them! Of course I don't know the key to unlock them and so they're effectively useless. It's called a ransomware attack, i.e. they're holding your data to ransom. To get the "key" I'm supposed to upload 0.01 bitcoins ($500) to a dodgy web site on the Tor network, and when I do that I'll be shown the password to unlock the files. Of course there's absolutely no way I'm going to pay; that just encourages these scumbags to do this kind of thing even more and is effectively encouraging crime IMO.

For those not IT savvy, a NAS drive is simply a mass storage device that allows you to store lots of stuff and have it protected from disk failure: the device supports multiple redundant disk drives (RAID), so if one fails the remaining drives have enough information on them to rebuild the failed drive including all its data. Now, all I use this device for is storage, but over the years the manufacturers of these kinds of devices have loaded them up with crappy software that attempts to lure people into spending more money. Things like media servers, backup software, games, cloud services, development tools, web servers and the like are pre-loaded whether you want them or not. The vulnerability that these particular hackers exploited turns out to be one of these crappy backup tools which I never actually wanted nor used. My only errors were, firstly, not getting rid of all the crap software before using the device and, secondly, allowing the NAS drive to be exposed to the internet, although the latter is quite useful as it allows remote administration (which is why I did it). My normal firewall rules were quite sufficient to shield the device from conventional internet attacks, but once you have a backdoor into something already running behind the firewall, as this crappy backup utility apparently was, then you're screwed. Moral of the story: wipe all the crappy, unnecessary software off of devices you buy before you use them, and keep archive drives hidden behind a VPN or similar barrier.

Fortunately it's not a total loss, since I have other copies of most files (albeit slightly old) elsewhere and not everything was encrypted; larger files seem to have been skipped, so it's mostly recent photos and documents. I have a couple of options to try in order to get these files back. At the moment I'm using a cluster of servers and some custom software to perform a brute force attack on the password; essentially that means trying millions of variations of password at the rate of about 100,000 per second. It's been running for several days now but hasn't cracked it. I'm not confident that this approach will work, the passwords are 32 characters in length and the number of possible permutations is well in excess of the number of atoms in the universe, but I'm banking on the developers of this hack being lazy and using a GUID as a password. GUIDs are an automatically generated base16 (Hex) number key set, which limits the possible password characters to A-F and 0-9, significantly reducing the possibilities. My second line of attack, which is much more feasible, is to write some software that extracts data raw off the surface of the disk drives themselves, bypassing the operating system. The way computers work is that when you delete (or replace) a file (i.e. by encrypting it) the old version is usually still lurking around on the disk somewhere; its directory entry is simply removed, rendering it invisible to most normal software tools. However, if you can read the physical drives directly (which is possible) you can scrape off the old versions of most of the files. I've got a prototype of this kind of thing working but it's too slow, so I need to scale it up; a bit of multithreading (running things in parallel) should do the trick, and even then it'll take all night to run. Hopefully that'll get back most of the files, but it's a bit hit and miss and they'll be in a right mess afterwards, i.e. none of the original names will be maintained and some may be corrupted.
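The raw-disk recovery described above is usually called file carving: scan the drive for the header and footer byte patterns of known file types and copy out whatever lies between them, ignoring the (now useless) directory entries. The script below is an added example, not the post's own prototype; it carves JPEG and PNG files from a constructed in-memory "disk image" and shows the region-splitting trick that lets several workers scan one drive in parallel. The signatures are real magic numbers; the sample image, the `build_sample_image` helper and the region count are constructed for illustration.

```python
"""Added example (not the post's own code): carving deleted files from a raw disk
image by file signature, the recovery technique the post describes."""
from concurrent.futures import ThreadPoolExecutor

# Header/footer byte signatures for two common file types (real magic numbers).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 50 * 1024 * 1024):
    """Return [(ext, offset, data)] for every complete header..footer run in `image`.

    A header with no footer within max_size bytes is treated as a fragment whose
    tail has already been overwritten (the 'corrupted' case the post mentions)
    and is skipped rather than emitted as garbage.
    """
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            h = image.find(header, pos)
            if h == -1:
                break
            f = image.find(footer, h + len(header), h + max_size)
            if f == -1:
                pos = h + 1          # no footer: fragment only, keep scanning
                continue
            end = f + len(footer)
            found.append((ext, h, image[h:end]))
            pos = end                # skip headers nested inside this file (e.g. EXIF thumbnails)
    found.sort(key=lambda hit: hit[1])
    return found


def carve_parallel(image: bytes, regions: int = 4, max_size: int = 50 * 1024 * 1024):
    """Carve with several workers by splitting the image into regions.

    Each worker only claims headers that start inside its own region, but may read
    up to max_size bytes past the region's end, so a file straddling a boundary is
    still recovered exactly once, by the region that holds its header.
    """
    size = len(image)
    bounds = [(i * size // regions, (i + 1) * size // regions) for i in range(regions)]

    def work(bound):
        lo, hi = bound
        window = image[lo:min(size, hi + max_size)]
        return [(ext, lo + off, data)
                for ext, off, data in carve(window, max_size)
                if off < hi - lo]

    with ThreadPoolExecutor(max_workers=regions) as pool:
        results = [hit for part in pool.map(work, bounds) for hit in part]
    results.sort(key=lambda hit: hit[1])
    return results


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw disk image: an intact JPEG, an intact PNG and
    a JPEG whose tail has been overwritten, separated by zeroed sectors."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-fake-body" + b"\xff\xd9"        # 20 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-fake" + b"IEND\xaeB`\x82"      # 25 bytes
    gap = b"\x00" * 1000
    return gap + jpg + gap + png + gap + jpg[:-2] + gap


if __name__ == "__main__":
    # On a real recovery the input would be the raw block device read in regions,
    # e.g. open("/dev/sdX", "rb") (hypothetical path); here it is the constructed image.
    image = build_sample_image()
    for ext, offset, data in carve_parallel(image):
        name = f"carved_{offset:08x}.{ext}"   # original names are gone, so name by offset
        with open(name, "wb") as out:
            out.write(data)
        print(f"{ext} at offset {offset}: {len(data)} bytes -> {name}")
```

Two caveats the post hints at show up directly in the code: recovered files get synthetic names because the directory entries are gone, and anything whose footer has already been overwritten is dropped rather than produced half-corrupted. Threads are used here to illustrate the region split; `bytes.find` is CPU-bound, so on a real multi-terabyte drive a process pool, or one thread per physical disk reading its own region, is where the speed-up actually comes from.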

Next steps are to trash the NAS drive (it's going on the fire!). Clearly these devices are now a target for hackers and scams, and are effectively a serious weakness in any network if exposed to the outside world. It's all because of hardware vendors and their crappy spam-ware; consumers should no longer have any confidence in their products until they sort this out (main vendors are QNAP and Synology). I'm switching to cloud storage (which I already use for other things) for all my archiving needs; it's pretty cheap these days and hopefully a little more robust.
