Update: Asustor - How to Eliminate Deadbolt From NAS DevicesASUS Subsidiary Is the Second NAS Devices Firm Targeted by Group
Technology giant ASUS subsidiary Asustor, which specializes in Network-attached storage devices, has been targeted by ransomware strain Deadbolt.
As customer complaints filled up the company's public forum on Thursday, it issued basic Deadbolt malware mitigation and prevention guidance for all NAS device users. On Friday, Jack Lu, marketing manager for Asustor, told Information Security Media Group that the company has now published step-by-step guidance to help users completely eliminate the Deadbolt ransomware from affected NAS devices. The affected devices are detailed later below.
⚠Deadbolt Elimination Steps— ASUSTOR (@ASUSTOR) February 25, 2022
In response to Deadbolt affecting ASUSTOR devices, ASUSTOR has formulated articles that help customers eliminate the ransomware from affected NAS. Please click the link below to learn more about how to attempt data recovery.https://t.co/rzgYSFsj4J pic.twitter.com/ikjwbux43Y
The company temporarily took down some of its services, including Asustor EZ-Connect, Asustor EZ Sync, and ezconnect[.]to, to prevent further spread of the ransomware, according to its tweet.
In response to Deadbolt ransomware attacks affecting ASUSTOR devices, ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and https://t.co/611WXOUsOE will be disabled as the issue is investigated.— ASUSTOR (@ASUSTOR) February 22, 2022
For your protection, we recommend the following link below:https://t.co/FbkXKPUCYi pic.twitter.com/fEQQWUNiC1
"We are still trying our best to address the issue," Lu tells ISMG, adding that Asustor's knowledge base contains updated information on combating Deadbolt.
He did not respond to queries about whether all NAS devices in Asustor's product suite were affected, what the exploited vulnerability was, and if a fix had been devised for the vulnerability, along with a timeline for rollout.
In an email to Information Security Media Group, Satya Gupta, CTO at Virsec, said the initial infiltration was through CVE 2021-44142, which is a heap-based buffer error remote code execution vulnerability in the open-source Samba server that Asustor and many other NAS use.
The ransomware-affected "Asustor devices that are internet exposed and running ADM operating systems include, but are not limited to, the following models: AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, AS1104T," an advisory from the New Zealand Computer Emergency Response Team says.
Steps for Elimination of Deadbolt
Asustor advises affected users to follow the following steps:
- Step 1: If the system has been shut down, connect it to a network and enter the initialization page. If the system is actively connected to the internet, press next and proceed further by selecting a live update for your Asustor Data Master - or ADM - OS.
- Step 2: If the system is not connected to the internet, download the ADM OS from ASUSTOR Downloads to your computer and select the manual update option. Hit next to continue.
- Step 3: Complete the update. This will allow the user to return to the ADM.
Despite this, if users continue to see the ransomware page after connecting to a network, Asustor says that they should turn off the NAS, remove all hard drives and reboot. Once the initialization page appears, it recommends reinserting the hard drives and following the above three steps again to update the NAS.
The company has also shared guidance to its customers on restoring data to the previous versions through MyArchive drives and Snapshot Center, and correspondingly erase changes done by ransomware. In its knowledge base article, the company has shared guidelines for users who have not taken regular backups and wish to retrieve lost data by entering a decryption key.
In another knowledge base document, Asustor recommends the following preventive measures:
- Change all default ports. This includes the default NAS web access ports 8000 and 8001 as well as remote web access ports 80 and 443;./li>
- Disable EZ-Connect service that is used for remote access.
- Immediately take a backup of the data in the device.
- Disable all Terminal/SSH and SFTP services.
CERT NZ also recommends keeping NAS devices away from the internet, "particularly the web interface or file shares."
If the device is not affected by the ransomware, administrators must "update the operating system and all installed add-ons," it says, but it adds that updates must not be made until the devices are "clean of ransomware."
CERT NZ says the command
sudo find / -type f -name "*.deadbolt", will help users determine whether their system has been affected by the Deadbolt ransomware strain. The command will find all files with the .deadbolt extensions on your system.
In a separate post on its public forum, Asustor recommends the following steps for those affected by the ransomware:
- Unplug the Ethernet network cable.
- Power down your NAS safely by pressing and holding the power button for three seconds.
- Do not initialize your NAS as this can erase the data on it.
- Fill out a form and wait for Asustor's technicians to share a solution for the issue.
As the process is time-consuming and likely a burden on the support team, an Asustor user by the pseudonym "billsargent" suggests the following temporary steps to get back into the portal:
- Take the NAS off the EZ-connect and block all its incoming traffic from outside.
- Overwrite the 'index.cgi' on your own. You will find a backup copy of your index in /usr/webman/portal.
- To remove Deadbolt's index copy, the user says to use the command
chattr -i index.cgiand replace it with the backup. "But you'll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers. This is probably not possible to fix without a reset but you can get back into your portal with the above info," the user says.
Explaining the code to another user who had not previously used a Linux command-line interface, billsargent says: "Assuming you have SSH capabilities, you just need to SSH In and login as root and run these commands. This should help you get back into the portal."
An ongoing analysis on the index.cgi created by the ransomware strain showed a text script, according to billsargent.
"I've pulled out a ton of LTO tapes to back up my data. I think this is going to require a full reset. I hope Asustor releases a fix for this but I will never again allow my NAS to have outside access again," he says.
Decryptor Available, But …
In January, NAS device provider QNAP was targeted by the same ransomware strain. (see: New Ransomware Deadbolt Targets QNAP Devices).
The ransom note discovered in the QNAP campaign was similar to the one used in the current campaign. Both notes direct affected users to make a payment of 0.03 bitcoins - around $1,096 - to a specified address. The address is different for each campaign.
"Once the payment has been made, we'll follow up with a transaction to the same address - this transaction will include the decryption key as part of the transaction details," the note says.
Cybersecurity company Emsisoft says that it has a decryptor for the Deadbolt ransomware strain but it would work only if QNAP customers use it alongside the 32-character decryption key obtained after paying the ransomware operators.
Emsisoft did not immediately respond to ISMG's request for comments on whether the same decryptor would work for Asustor devices affected by Deadbolt as well.
Regarding mitigation, Gupta says, the company has recommended six main remediation steps:
- Change default admin account settings.
- Ensure code is patched.
- Enable ADM Defender, which protects against brute force login attempts.
- Disable unnecessary services.
- Avoid using preset network ports.
- Use the NAS in HTTPS mode rather than HTTP mode.
"These recommendations fall into good hygiene class but don’t really help mitigate the vulnerability described above. An attacker who knows how to exploit this vulnerability will be able to infiltrate the said NAS," Gupta says. He says customers should deploy a security control that offers deterministic protection.
According to Gupta, the attacker followed a series of steps that are best described via the kill chain shown below.
Gupta says an open vulnerability in the workload is a major attack vector. "Once the attacker has found a workload that is vulnerable," he says, "they will dispatch a malicious payload ... [that] will facilitate the attacker gaining the ability to execute arbitrary code on the victim."
At that point, Gupta says, the attacker can launch malicious code on the victim. That is why an attack must be stopped very early using deterministic methods that do not fail, he says.
Gupta also describes another major attack vector, which involves gaining illegal access to the workload using stolen credentials. It allows the attacker to execute arbitrary code on the victim workload and run malicious code, he says. To stop this, "the security control must ensure only such code that the enterprise intends to run on the said workload, is allowed to run," according to Gupta.