Nextcry? Encrypted all files through my instance

@tanghus the most important quote and advice so far: :wink:

2 Likes

All those have updates. So just upgrade, go to apps and update the apps.

They probably updated the article and added new information. The ransomware is looking for config/config.php and reads the datadirectory from there. Sounds like server to me.


Because it appears the nextcloud team wasn’t contacted at all regarding this issue until after the article went public.

Because there are no open github issues related to this under the server branch.

Because it appears none of the major nextcloud providers have been hit with it. A random no-name nextcloud install got hit while people who can actually pay the ransom fee have not.

Because how the server actually gets exploited is not posted anywhere on the article or in the forum linked on the article, despite claiming to have the python script in full.

As pointed out above the exploit appears to be able to read the config file and directories, but once again we don’t know how this exploit works.

This exploit was originally posted on their forum on November 9th. That was a week ago! Nobody has heard anything since and the nextcloud developers were never contacted!

Call me skeptical but I doubt this is a nextcloud issue.

3 Likes

This - it was definitely server-side. I had no Windows apps loaded. In response to my earlier comments, as far as I can see it was most likely down to the PHP-FPM CVE with the NGINX config after checking versions.

@Paradox55 The URL that was obfuscated is just the index.php file. It was the same for me when I visited the address, they replace it with the “Pay me bitcoin” index.

As others have said, because of the exploit it then targets the config.php file to read where the data is stored and goes from there it seems.

@ialexpw Does your setup show any warnings under Administration > Overview, at https://scan.nextcloud.com/, or at https://observatory.mozilla.org/?

Unfortunately I cannot check it as I no longer have my instance running. I took a snapshot just in case and then destroyed it.

Hmm. Well, in any case, I would advise running all of those tests regularly. I usually do it each time I update the system, which is usually a couple of times a month.

Good morning. Regardless of how the story develops, it’s a good argument to patch your NC to the current version, do the same with your Linux underneath, and run your exposed cloud behind an IDS/IPS firewall (e.g. ipfire.org). At the very least you should have libapache2-modsecurity installed and running with general rules against port scanners and brute-forcing stuff.

I would like to see more of the logs for this kind of attack so we could create our own modsecurity rules against this.

2 Likes

Is there a good ruleset for Modsecurity? Back at owncloud, they started but it isn’t maintained (GitHub - owncloud-archive/mod_security: Repository for example configurations).

1 Like

As foundation this should work fine: https://coreruleset.org/
For myself I am adding custom rulesets, depending on used web application.
As far as I know there are no special rulesets for Nextcloud.

Would be great to revive this old project for Nextcloud.

It might be better to deny all but access to index.php and remote.php?

Just for the record, our current understanding is that the servers (both known cases) were entered via the NGINX + PHP_FPM security issue we blogged about 3 weeks ago (October 24th):

We are still trying to completely verify this, but that is only possible once one of the 2 affected instances can provide us with usable access-log files.

FYI, this article has just been posted at Heise Security:

Sadly Heise didn’t notice the original bleeping computer article was updated with our response:

We are confident that the attack vector was the nginx+php-fpm security issue that hit the web some time ago.

While it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a direct notification to Nextcloud servers. This likely explains why so few servers were impacted out of the hundreds of thousands of Nextcloud servers on the web.

Let me add:

PHP bug report: PHP :: Sec Bug #78599 :: env_path_info underflow in fpm_main.c can lead to RCE
Our blog: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

So the “task” of the hacker was:

  1. read our blog
  2. find Nextcloud servers
  3. try to execute the exploit of php_fpm+nginx

The attacker bothered to write a python script to explicitly target Nextcloud servers. We hope the lack of results will help act as a deterrence from doing this in the future…
Given we have a USD 10K security bug bounty program, we’d expect most hackers that find an issue in Nextcloud serious enough to do this to report it to us.

Bleepingcomputer noted about the bitcoin wallet:

no transactions have been recorded until now

6 Likes
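
An added example, not part of any post in this thread and not Nextcloud's own tooling: a small audit for the nginx pattern associated with the PHP-FPM issue linked above (Sec Bug #78599). It assumes the publicly documented precondition, a location that uses `fastcgi_split_path_info` and hands the request to PHP-FPM without first checking that the script exists; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not taken from the thread or from Nextcloud's docs).
SAMPLE_CONF = r"""
server {
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
    location ~ ^/(?:index|remote)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;  # reject paths with no real script
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
}
"""

LOCATION_RE = re.compile(r"\blocation\s+([^{]+?)\s*\{")
GUARD_RE = re.compile(r"try_files\s+\$fastcgi_script_name\s+=404|if\s*\(\s*!-f\s")

def location_blocks(conf):
    """Yield (matcher, body) for each location block via brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (naive: assumes no '#' in values)
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def top_level(body):
    """Keep only depth-0 text so a parent block is not judged by nested ones."""
    out, depth = [], 0
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if depth == 0 and ch != "}":
            out.append(ch)
    return "".join(out)

def unguarded_php_locations(conf):
    """Return matchers of locations that split PATH_INFO and reach PHP-FPM unguarded."""
    flagged = []
    for matcher, body in location_blocks(conf):
        own = top_level(body)
        if "fastcgi_pass" in own and "fastcgi_split_path_info" in own and not GUARD_RE.search(own):
            flagged.append(matcher)
    return flagged
```

Calling `unguarded_php_locations()` on the text of a site config returns the location matchers that still need an existence check; an empty list does not replace updating PHP itself.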

@jospoortvliet Eventually it would be worth contacting the author of the article to get the missing information added. As you know, the c’t magazine is an IT reference and most articles will be published in the printed medium too :wink:

I’ll try. Also, we did put the statement in a blog:

Of course, in the end, it is a non-story about how somebody tried and failed to exploit Nc servers, finding out our users are awesome at keeping their servers up-to-date. At least I think that a hit rate of 2 out of 300.000 is pretty good for an issue we warned about 3 weeks ago, compare that to how many Windows systems still get taken over with bugs that are years old, known and patched :wink:

So pat yourself on the back, dear Nextcloud users! :clap: :clap: :clap: :clap: :partying_face:

I’m still sorry for the two users who got hit, it is of course super frustrating and I hope neither really lost any data. Shows the importance of backups, for sure… Even if Nextcloud would be perfectly secure your server can still be hacked through issues in other parts of the server, like the webserver, kernel and so on. Sad reality :cry:

This is of course also why we have the ‘server checks’ that try to find non-Nextcloud issues in your server, same with the security scanner. Use them! :dark_sunglasses:

3 Likes

Speaking about Heise and Reference, Heise was a reference. This article clearly shows the lack of quality. I have not bought anything from them for many years.

They pretty much only referenced the Bleepingcomputer article, not any substantial additional information except a translation into German basically. Is Heise now a translation service only? No deep digging into the issues anymore? Maybe trying to find the instances affected and investigating a bit like good investigative journalists would do?

Sad to see what became of them.

2 Likes