Cr1ptT0r Ransomware


Andy Johnson

May 23, 2020, 10:52:29 AM
to Alt-F

Does anybody know if the Alt-F-1.0 (for the DNS-320) protects against the Cr1ptT0r Ransomware relating to the below security bulletin?

https://www.dlink.com/en/security-bulletin/nas-ransomware

Thanks very much

Joao Cardoso

May 25, 2020, 8:55:47 PM
to Alt-F
As far as I know it starts by exploiting some weakness of the D-Link webUI when it is exposed to the internet.
The Alt-F webUI is also exploitable in that way, so it SHOULD NOT be exposed to the internet, i.e., don't forward your router ports to the box exposing its webUI, not even if using https! https doesn't protect you from these kinds of attacks.

I set up one DNS-320L, running the lighttpd webserver under Alt-F and serving only a static webpage, and exposed it to the internet using the standard http and https ports. From the web logs, the number of automated attacks that it suffers is incredible. Some of the attacks are directed to the known D-Link webUI weakness. The attacks started only a few minutes after exposing it, so don't do that.

Treat your box as you treat your wallet on a crowded subway metro station: tightly.
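
An added example (not part of the thread and not Alt-F code) of triaging a web log like the one described above: on a server that offers only one static page, every request for anything else is unsolicited probing, so it is counted per source and per path. It assumes lighttpd's default access-log layout; the host name, addresses and paths in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumption: lighttpd's default access-log layout:
#   host vhost user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+'
)

# Assumption: the only content this box is meant to serve (one static page).
EXPECTED_PATHS = {"/", "/index.html"}

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 nas.example - [25/May/2020:20:01:02 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 nas.example - [25/May/2020:20:03:11 +0100] "GET /constructed/probe-a.cgi?x=1 HTTP/1.1" 404 345 "-" "-"
203.0.113.7 nas.example - [25/May/2020:20:03:12 +0100] "POST /constructed/probe-b.cgi HTTP/1.1" 404 345 "-" "-"
198.51.100.23 nas.example - [25/May/2020:20:04:40 +0100] "GET /constructed/probe-a.cgi HTTP/1.0" 404 345 "-" "-"
198.51.100.23 nas.example - [25/May/2020:20:04:41 +0100] "POST / HTTP/1.1" 200 512 "-" "-"
truncated line without fields
"""


def triage(log_text, expected=EXPECTED_PATHS):
    """Return (probes per source, probes per path, count of unparsable lines)."""
    by_source = defaultdict(Counter)
    by_path = Counter()
    malformed = 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            malformed += 1
            continue
        parts = match["request"].split()
        if len(parts) == 3:  # "METHOD target HTTP/x.y"
            method, path = parts[0], parts[1].split("?", 1)[0]
        else:  # not an HTTP request line at all
            method, path = "?", match["request"]
        if method in ("GET", "HEAD") and path in expected:
            continue  # ordinary fetch of the static page
        by_source[match["host"]][path] += 1
        by_path[path] += 1
    return by_source, by_path, malformed


if __name__ == "__main__":
    sources, paths, bad = triage(SAMPLE_LOG)
    for host, hits in sorted(sources.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{host}: {sum(hits.values())} unexpected requests, {len(hits)} distinct paths")
    print("most requested unexpected paths:", paths.most_common(3))
    print("unparsable lines:", bad)
```

The same path requested by several unrelated sources within minutes is the signature of automated scanning rather than of a person browsing.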


João Cardoso

Jun 19, 2020, 1:02:13 PM
to Alt-F


On Tuesday, 26 May 2020 01:55:47 UTC+1, Joao Cardoso wrote:

> On Saturday, May 23, 2020 at 3:52:29 PM UTC+1, Andy Johnson wrote:
>
>> Does anybody know if the Alt-F-1.0 (for the DNS-320) protects against the Cr1ptT0r Ransomware relating to the below security bulletin ?
>>
>> https://www.dlink.com/en/security-bulletin/nas-ransomware
>>
>> Thanks very much
>
> As far as I know it starts by exploiting some weakness of the D-Link webUI when it is exposed to the internet.
> The Alt-F webUI is also exploitable in that way,

To clarify, the Alt-F webUI has the same kind of weakness as the DNS-320 (and others) webUI, but they are not exploitable by the same automated/robotized attacks. If, however, a burglar decides to invest some time and effort to break into it, he will succeed.

Nicolas Desveaux

Jun 19, 2020, 1:44:29 PM
to al...@googlegroups.com
Joao has said it over and over:

Do not expose the D-Link NAS to the internet. Maybe you can get away with a bastion + reverse proxy, but never do a simple port forwarding.
In fact, do that for all services you want to access from outside your network.

Goydo

Jun 20, 2020, 4:04:44 AM
to al...@googlegroups.com
I confirm, still 60Gb crypted but nothing really important.
Since I am nervous if the DNS gets louder.

With kind regards
Guido Flock
