NFS/SMB and ransomware

Michael Butash michael at butash.net
Sun Jun 13 19:16:21 MST 2021


inline:

On Sun, Jun 13, 2021 at 5:40 PM Steve B via PLUG-discuss <
plug-discuss at lists.phxlinux.org> wrote:

> Looking for some information regarding networked file systems and
> ransomware. If my understanding is correct, should a PC get infected with
> ransomware it can search out and encrypt NFS and SMB shares.
>

Anything currently mounted at the point of infection is an obvious target;
anything else it can find and attach to is a plus.  Scanning for
tcp/111/2049 for NFS and tcp/139/445 for SMB/CIFS finds the honeypots once
on-LAN.


> Would it be correct to assume that in order to encrypt an NFS or SMB share
> they would have to be online? If the device on which the network file
> system was located were powered off, could it be woken via a WOL command
> and then encrypted?
>

Online and having credentials to connect to it, yes.  They could WOL in
theory, but probably no one bothers with this.  Enterprises tend to segment
and defeat most WOL features requiring directed broadcasts by default
(usually specific configs, particularly Cisco), but SOHO LANs perhaps do,
along with other crap like Apple and DLNA multicast.  Who actually ever
powers off a server, unless a responsible cloud-first company?


> I currently have a TrueNAS machine that houses all my media and is also my
> Plex server. It also has an NFS share to which I backup as needed. In
> addition I have a Synology NAS to which I have a backup copy of the TrueNAS
> server.
>

If they can 1) connect to the NFS/SMB port, 2) authenticate, and 3) get
write permissions, they'll first download what they can, then encrypt it.
Simple as that.  Network segmentation and proper firewall rules in theory
prevent #1 there; strong creds, random rotation, and 2FA prevent #2; file
perms, fs ACLs, and AppArmor/SELinux prevent #3.  Sadly there still isn't
much decent AV/EDR software out there for Linux, but 98% of crims target
windoze and Apple, luckily, as the low-hanging fruit.

Don't expose any storage appliance or other IoT thingy to the internet
via port-forwards from your internet router, UPnP, or otherwise.  Just.  Do.
Not.
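As an added example that is not part of the original thread: a small Python audit of the host restrictions and write permissions behind conditions #1 and #3 above, run over constructed /etc/exports and smb.conf samples whose paths and share names are hypothetical.

```python
import configparser, re
# Constructed samples, not from the original post (hypothetical paths/shares).
SAMPLE_EXPORTS = """\
/mnt/tank/media  192.168.1.0/24(ro,sync,root_squash)
/mnt/tank/backup *(rw,sync,no_root_squash)
/mnt/tank/plex   192.168.1.50(rw,sync)
"""
SAMPLE_SMB_CONF = """\
[global]
workgroup = HOME
[media]
path = /mnt/tank/media
read only = yes
guest ok = yes
[backup]
path = /mnt/tank/backup
writable = yes
guest ok = yes
"""

def audit_exports(text):
    """Flag NFS exports that any host can write to, or that skip root_squash."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:  # each is host(opts) or a bare host
            host, opts = re.match(r"([^(]*)(?:\((.*)\))?", client).groups()
            opts = (opts or "").split(",")  # no options means ro,root_squash
            if "rw" in opts and host in ("", "*"):
                findings.append(f"{path}: writable by any host ({client})")
            if "no_root_squash" in opts:
                findings.append(f"{path}: root not squashed for {host or '*'}")
    return findings

def audit_smb(text):
    """Flag Samba shares that are writable without authentication."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    for share in cp.sections():
        sec = cp[share]
        # Samba defaults to "read only = yes"; "writable" is its inverse synonym.
        writable = (sec.getboolean("writable", fallback=False)
                    or not sec.getboolean("read only", fallback=True))
        if share != "global" and writable and sec.getboolean("guest ok", fallback=False):
            findings.append(f"[{share}]: writable without authentication")
    return findings
```

Point both functions at the real files on the NAS and anything they report is a share an infected client on the LAN could write to without a credential standing in the way.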
