MariaDB/MySQL security breach - hijacked ransomware

A set of PHP-scripts to manage MySQL over the web.

Moderator: Lillian.W@AST

krunchynug8
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

MariaDB/MySQL security breach - hijacked ransomware

Post by krunchynug8 »

This was installed from the official Asustor App Central.
I just updated the MariaDB app this morning and was greeted with this message.
Ransom demand to release my database in phpMyAdmin. My databases were deleted.

I don't believe how blatantly this happened. <strike>How did they get access to the official Asustor App Central to inject this?</strike> :evil:

{-------------------UPDATE----------------------}
Looks like this is what happened to me
https://www.scmagazineuk.com/hackers-hi ... le/1475201

I guess it was because I had the default asustor admin and pass set for phpMyAdmin.
It was probably a botnet scanning through my exposed ports.
I should be more careful from now on.

Let this be a lesson to those reading this.
Protect your database and harden it:
https://draculaservers.com/tutorials/up ... phpmyadmin
https://www.ispsystem.com/news/please-r ... ing-attack

It was a mere coincidence that Asustor released an update to MariaDB just the same day that I got attacked.
I believe the APP Central was not to blame for this.
If the admins decide to take this post down, by all means please do.
Last edited by krunchynug8 on Mon Jun 15, 2020 12:02 pm, edited 3 times in total.
krunchynug8
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Post by krunchynug8 »

Link to the infected app uploaded online.
MariaDB v10.0.28.r28 uploaded 2020-06-10

https://send.firefox.com/download/820f4 ... QLfoT4q7iQ
ilike2burnthing
Posts: 396
Joined: Thu Apr 09, 2020 8:01 pm

Re: Official APP Central - MariaDB app security breach

Post by ilike2burnthing »

What makes you think that the issue is on Asustor's end and not yours?

Your version is the same as available from Asustor, which clears VirusTotal and Hybrid Analysis scans (ignoring the broken MetaDefender results). That doesn't mean it's not malicious of course, just raises a lot of doubt.
krunchynug8
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Post by krunchynug8 »

For one I installed it from the official Asustor App Central.
Second it is also showing up on the official Asustor Website. The previous version was r21.
Third you can install it from your App Central and find out or you could check if r28 shows up in your App Central and report here.

Also I think it is a modified copy of the database and not a script or batch or virus that it will be detected in virus scans. It is way too simple to be detected as a virus.
How do you suggest the issue is on my end? Because I did not side load this app or upload it from an unofficial source.
My database was perfect before updating.
I am just trying to warn everyone so that no one else gets their databases destroyed.
Last edited by krunchynug8 on Thu Jun 11, 2020 10:38 am, edited 1 time in total.
orion
Posts: 3485
Joined: Wed May 29, 2013 11:09 am

Re: Official APP Central - MariaDB app security breach

Post by orion »

WOW! :o
You do not enable MariaDB remote access (same as me). Did you enable ADM access from internet? If yes, someone can guess your admin's password to hijack your NAS.
krunchynug8
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Post by krunchynug8 »

Yes my remote access is always switched off for MariaDB and yes remote ADM access is turned on.
I have regular root account turned off and use my custom username and have firewall setup to block access from all regions except Australia.
Just checked my connection logs nothing suspicious there.

Also can someone get me the previous APK r21 so that I can get MariaDB back up and running and remove this new infected app.
ilike2burnthing
Posts: 396
Joined: Thu Apr 09, 2020 8:01 pm

Re: Official APP Central - MariaDB app security breach

Post by ilike2burnthing »

None of those facts preclude the chance that the issue is on your end though. Don't get me wrong, it could be that Asustor was hacked, or some disgruntled employee did it, I just kinda doubt it.

Previous version - http://appdownload.asustor.com/0010_999 ... x86-64.apk (this may get updated automatically though)

You can see all apps here - http://appdownload.asustor.com/

As Orion said, it could be that someone gained access to your NAS or account. Have you checked - https://haveibeenpwned.com/ ? Granted, that's not the only way for your details to end up in the hands of someone who means you harm.

It could also be due to an insecure network or NAS setup, though your last comment suggests not the latter, and the former is very unlikely.

Have you run a variety of malware scans on all local devices?
krunchynug8
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Post by krunchynug8 »

You are right. It might be on my end. I am doing some following up on my end. Erased the ransom entry from my database.
Installed r28 and logged in; that entry was not recreated.
I am running scans to see if I come up with anything.

Will keep you posted.
Thanks
krunchynug8
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Post by krunchynug8 »

Looks like this is what happened to me
https://www.scmagazineuk.com/hackers-hi ... le/1475201

I guess it was because I had the default asustor admin and pass set for phpMyAdmin.
It was probably a botnet scanning through my exposed ports.
I should be more careful from now on.

Let this be a lesson to those reading this.
Protect your database and harden it:
https://draculaservers.com/tutorials/up ... phpmyadmin
https://www.ispsystem.com/news/please-r ... ing-attack

It was a mere coincidence that Asustor released an update to MariaDB just the same day that I got attacked.
I'll add an UPDATE to post no 1
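
An added example, not part of any post in this thread and not Asustor's own tooling: an account audit for the root cause identified above (default credentials reachable through phpMyAdmin). It assumes MariaDB's `mysql.user` layout (`Host`, `User`, `Password`, `plugin`, `authentication_string`) and an administrative login; `REPLACE_WITH_VENDOR_DEFAULT` is a placeholder, since the thread does not state the default password.

```sql
-- Added example: audit MariaDB accounts for weak or default credentials.
-- Run from the mysql client or phpMyAdmin's SQL tab as an administrative user.

-- 1. Password-authenticated accounts that have no password set.
--    Accounts using other plugins (e.g. unix_socket) are excluded on purpose.
SELECT User, Host, 'empty password' AS finding
FROM mysql.user
WHERE plugin IN ('', 'mysql_native_password')
  AND Password = ''
  AND COALESCE(authentication_string, '') = '';

-- 2. Accounts still using a known default password.
--    Placeholder value: substitute the default documented for your appliance.
SELECT User, Host, 'default password' AS finding
FROM mysql.user
WHERE Password = PASSWORD('REPLACE_WITH_VENDOR_DEFAULT');

-- 3. Anonymous accounts (empty user name).
SELECT User, Host, 'anonymous account' AS finding
FROM mysql.user
WHERE User = '';

-- 4. Accounts that may connect from a wildcard host rather than localhost.
SELECT User, Host, 'wildcard host' AS finding
FROM mysql.user
WHERE INSTR(Host, '%') > 0;

-- 5. Accounts holding global administrative privileges, for review:
--    every row here should be an account you recognise.
SELECT User, Host, 'global admin privileges' AS finding
FROM mysql.user
WHERE Super_priv = 'Y' OR Grant_priv = 'Y';
```

Any row returned by queries 1 to 3 should be given a unique password or removed before phpMyAdmin is reachable from outside the local network.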
ilike2burnthing
Posts: 396
Joined: Thu Apr 09, 2020 8:01 pm

Re: Official APP Central - MariaDB app security breach

Post by ilike2burnthing »

Glad you found the issue. Hopefully nothing irreparable was lost and nothing sensitive was breached.