Just a warning. It seems there’s a vuln somewhere as my instance of NextCloud got taken over today. My server was locked down already, using SSH keys and NextCloud was up to date.
Something has gone through and encrypted everything and asking for crypto to unlock. Luckily I have everything backed up, so not a huge deal, but just a warning.
The message on the homepage changes to:
“YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM - SEND 0.025 BTC TO THE FOLLOWING WALLET wallet address AND AFTER PAY CONTACT their email TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES”
Well sorry to hear, but I don’t think that this happened through Nextcloud.
Reading up on Nextcry, it seems to be a ransomware mostly affecting Windows systems.
So it reached your server when someone logged into it via a Windows computer that was affected.
No, the contact form is not the correct place. As per the autoreply:
You have sent an email to security@nextcloud.com. This mailbox is not being monitored and mails are being dropped.
If you have discovered a security issue, please get into contact with us at https://hackerone.com/nextcloud.
To learn more about our security policies and processes, please visit Security in Nextcloud.
Apologies, but this is not caused by a Windows PC. I have not had one connected to it (only at the beginning a while back, at least 5-6 months ago, to seed the files). From reading into the other thread it seems to be based on a Python script, meaning that it couldn’t have gone through my Windows PC back then either.
You could be thinking of Wannacry? Which was well known to spread through Windows systems.
So. First of all. This kind of stuff is exactly why you have a backup. Good for you.
We have not heard of this before. However, we are unaware of any exploits in Nextcloud to have remote code execution.
So if you could go through your access logs to find out what was going on, please do.
Something that comes to mind: are you by any chance running NGINX with our outdated config and an outdated php-fpm?
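One way to do the access-log review asked for above, as an added example that is not part of this thread and not Nextcloud’s own tooling: a small Python triage script over combined-format access logs (the nginx/Apache default). It rolls requests up per client IP and flags scripted user agents, bursts of file-writing WebDAV methods and repeated 4xx/5xx responses, which is the kind of thing you would look for when trying to work out whether the server itself was the entry point. The sample log lines, IPs, paths and user agents are constructed for the demo, and the thresholds are assumptions to tune against your own normal traffic (the desktop sync client, user agent "mirall", legitimately issues many PUTs).

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Combined log format as written by the nginx/Apache defaults.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Methods that create, modify or remove files over WebDAV/HTTP.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "MKCOL", "PATCH"}


@dataclass
class ClientSummary:
    """Per-source-IP activity rolled up from the access log."""
    requests: int = 0
    first_seen: str = ""
    last_seen: str = ""
    methods: Counter = field(default_factory=Counter)
    statuses: Counter = field(default_factory=Counter)
    user_agents: set = field(default_factory=set)
    write_paths: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group parsed requests by client IP; unparseable lines are skipped."""
    clients = defaultdict(ClientSummary)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["ip"]]
        c.requests += 1
        c.first_seen = c.first_seen or rec["time"]
        c.last_seen = rec["time"]
        c.methods[rec["method"]] += 1
        c.statuses[rec["status"]] += 1
        c.user_agents.add(rec["ua"])
        if rec["method"] in WRITE_METHODS:
            c.write_paths.append(rec["path"])
    return dict(clients)


def flag_clients(clients, write_burst=10, error_burst=3,
                 scripted_ua=("python", "curl", "wget")):
    """Return {ip: [reasons]} for clients worth a closer look.

    The thresholds and user-agent markers are assumptions for the demo;
    tune them against what your own server normally sees.
    """
    flagged = {}
    for ip, c in clients.items():
        reasons = []
        if any(m in ua.lower() for ua in c.user_agents for m in scripted_ua):
            reasons.append("scripted user agent: " + ", ".join(sorted(c.user_agents)))
        if len(c.write_paths) >= write_burst:
            reasons.append(f"{len(c.write_paths)} file-writing requests between "
                           f"{c.first_seen} and {c.last_seen}")
        errors = sum(n for s, n in c.statuses.items() if s[0] in "45")
        if errors >= error_burst:
            reasons.append(f"{errors} 4xx/5xx responses")
        if reasons:
            flagged[ip] = reasons
    return flagged


def build_sample_log():
    """Constructed sample traffic (not from any real server): a browser user,
    a desktop sync client, a burst of failed authentications, and a scripted
    client that rewrites many files over WebDAV within a few seconds."""
    lines = [
        '203.0.113.10 - - [15/Nov/2019:10:01:02 +0000] "GET /index.php/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '203.0.113.10 - - [15/Nov/2019:10:01:05 +0000] "POST /index.php/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [15/Nov/2019:10:02:00 +0000] "GET /status.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Linux) mirall/2.6.0"',
        '198.51.100.7 - - [15/Nov/2019:10:02:01 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 2200 "-" "Mozilla/5.0 (Linux) mirall/2.6.0"',
    ]
    for i in range(3):
        lines.append(f'198.51.100.99 - - [15/Nov/2019:10:02:{30 + i:02d} +0000] '
                     f'"PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 900 "-" "Mozilla/5.0"')
    for i in range(12):
        lines.append(f'192.0.2.44 - - [15/Nov/2019:10:03:{10 + i:02d} +0000] '
                     f'"PUT /remote.php/dav/files/alice/doc{i}.txt HTTP/1.1" 204 0 "-" "python-requests/2.22.0"')
    return lines


if __name__ == "__main__":
    import sys
    # Pass an access log path to triage real traffic; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = build_sample_log()
    for ip, reasons in flag_clients(summarize(lines)).items():
        print(ip)
        for reason in reasons:
            print("   ", reason)
```

On the constructed sample this reports the scripted client with its write burst and the source of the repeated 401s, and says nothing about the browser user or the sync client. On a real log, pair the flagged time windows with the server’s auth log and the web server error log before drawing conclusions; an access log alone shows what was requested, not what ran.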
That article on Bleeping Computer sounds as though the ransomware targets client computers running the sync client, rather than the server itself. However having the server “locked via SSH” (meaning server OS user passwords changed?) would suggest otherwise.
Is the nginx vulnerability being involved just speculative at this point, or does that seem like a likely culprit?
In the interest of attack surface reduction, I’ll share a couple other things I’ve done to harden my system. I run a dummy site that’s returned if the wrong/no SNI is used so random scans are less likely to ever reveal the Nextcloud instance. I also block all connections to it from non-ARIN addresses. That in particular drastically reduced the amount of random access I get. Also, it probably goes without saying, but there is no outside SSH access or any other sort of remote control to the system. If you must have remote console access, strictly use a VPN.
If the infiltration point really is on the server, those measures will go a long way to help reduce potential exposure.