Before a new piece of malware gets discovered, added to the appropriate databases, detected and removed, there’s always some poor schmuck whose machine was already infected. This week, I was that poor schmuck.
Last Friday, a couple of system crashes indicated that something was wrong with the NAS device in my office. I soon found that its malware removal tool had detected something suspicious, so I contacted the manufacturer’s support desk.
Using their remote assistance tool, they accessed the NAS and found a hitherto unknown piece of malware. It had already been partially removed, but I was asked to take some additional steps to further secure the NAS just in case.
Interestingly, the malware seemed to be looking for crypto wallets on my NAS’s data partition. Equally interesting is that the attacker appears to have used the manufacturer’s DDNS service (to them essentially a directory of possible targets?).
Here are my take-aways.
- If you do not absolutely need access to a computer from outside your local network, disable remote access.
- Minimize attack surface by disabling services you don’t need, and uninstalling applications you’re not using. In this case, the exploit used an app installed on the NAS as its point of entry.
- DDNS services are convenient for hackers too.
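As a concrete way to act on the second take-away, here is an added example (my own, not from the original post or the NAS manufacturer) that audits which listening TCP services on a Linux-based NAS are reachable from outside the loopback interface and flags the ones that are not on your own allowlist. The socket listing below is constructed sample data in the format of `ss -tlnH`; on a real device you would feed it the live output of that command (or `netstat -tln`), and the allowlist of needed services is an assumption for the example.

```shell
#!/bin/sh
# Added example: report listening services exposed beyond loopback.
# Constructed sample of `ss -tlnH` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 *:445 *:*
LISTEN 0 128 [::]:8080 [::]:*'

# exposed_ports LISTING: print one port per line for every socket bound to a
# non-loopback address (0.0.0.0, ::, * or a specific LAN IP), sorted, unique.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            # the port follows the last colon; everything before it is the host
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # skip sockets that only listen on loopback (IPv4 127/8 or IPv6 ::1)
            if (host == "[::1]" || host ~ /^127\./) next
            print port
        }' | sort -n -u
}

# unexpected_ports LISTING ALLOWED: exposed ports that are not in the
# space-separated allowlist of services you actually need.
unexpected_ports() {
    listing=$1
    allowed=" $2 "
    for p in $(exposed_ports "$listing"); do
        case "$allowed" in
            *" $p "*) ;;          # expected, e.g. SSH or SMB you rely on
            *) echo "$p" ;;       # candidate for disabling or firewalling
        esac
    done
}

# Usage: here the assumed allowlist is SSH (22) and SMB (445); on a real NAS
# replace SAMPLE_SS with "$(ss -tlnH)" and list the services you really use.
echo "Exposed ports: $(exposed_ports "$SAMPLE_SS" | tr '\n' ' ')"
echo "Not on allowlist: $(unexpected_ports "$SAMPLE_SS" "22 445" | tr '\n' ' ')"
```

Any port in the second line is a service listening on every interface that you have not consciously decided to keep; in this sample, the web UI on 5000 and the application on 8080 would be the ones to disable, restrict to the LAN, or at least keep off any port forward or DDNS-reachable path.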
All in all, the manufacturer’s support staff handled this excellently and proactively. To me, this was a reminder that you can do everything right, be security-minded, and still have your machines get hacked. Luckily, there was no damage to my data, and nothing appears to have been taken.