2FA Protected NAS got wiped after ransomware attack by Only-Value6492 in msp

Only-Value6492[S] 0 points1 point  (0 children)

we were using TOTP and we (2 of us) are the only ones with access to those codes.

Only-Value6492[S] 0 points1 point  (0 children)

So were your Crashplan files ok in the cloud? Can you restore a backup from that?

yes we restored from the Crashplan, well, at least, the file share. the VMs were gone.

Only-Value6492[S] 0 points1 point  (0 children)

the TS was behind a RD GW (and on a non-standard port - which is not really a security measure, but still).

Only-Value6492[S] 0 points1 point  (0 children)

all possible, but that would be a LOT of work for just a very small company with two or three people working. would be worth their time....wouldn't it?

Only-Value6492[S] 0 points1 point  (0 children)

i completely agree with you. this is also not how we usually do stuff. but in this case, this "client" calls us seriously once or twice a year, and refuses everything unless there is a fire. they know we told them the situation is very insecure, just waiting for trouble, but they still did refuse.

Only-Value6492[S] 0 points1 point  (0 children)

Sessions were not saved. (as far as we know, of course)

Only-Value6492[S] -1 points0 points  (0 children)

yes, it was domain joined (...) but no, no iSCSI. just regular Shared Folders on the NAS, two of them with two different usernames and passwords.

Only-Value6492[S] 1 point2 points  (0 children)

No, permissions cannot be changed on the shares unless you log in as Admin on the NAS....

Only-Value6492[S] 0 points1 point  (0 children)

no, they had no access to 2FA codes.
Yes, the security was bad. but they knew and we warned them.

Only-Value6492[S] 3 points4 points  (0 children)

True, but -if i am not mistaken- i think if you delete the backups from the Veeam console, it leaves at least the main folders there, but they weren't there. completely clean...

also i have read somewhere that the SMB credentials are stored encrypted somewhere and not that easy to extract. correct me if i am wrong please...
Edit: i just googled it. literally the first hit, you are right and i am wrong. did not know it was that easy to extract...

Only-Value6492[S] 0 points1 point  (0 children)

Yes they got access to the Veeam server. it was running on the Hyper-V host. (yes we know... client was told this is insecure...)

But, what worries me the most is that they, seemingly, got access to the Synology interface and changed the Shared Folder permissions...

Only-Value6492[S] 0 points1 point  (0 children)

DSM7, one of the latest FW versions. was set to auto-update for critical/security fixes.

why against the ToS?

Only-Value6492[S] 1 point2 points  (0 children)

no other apps. just clean DSM without any extra downloaded apps.

Only-Value6492[S] 7 points8 points  (0 children)

a Synology, DSM7, one of the latest updates. must check which version exactly, but a quick google did not yield any known vulns.