Problem description
Trigger conditions
1. Customers use the OceanStor 18000 V1, 18000 V3 and 18000 V5 series storage devices (in all three series, the Windows operating system built into the SVP is the component involved in this risk), the BC&DR Solution, or the OceanStor Backup Solution.
2. The storage devices involved in the risk connect to insecure networks.
Identification method
For the OceanStor 18000 V1, 18000 V3, and 18000 V5 series storage products, check whether SMBv1 is enabled on the SVP and whether the Windows Remote Desktop Protocol (RDP) service on port 3389 is enabled, to determine whether the storage products are involved in this risk. For details, see Identification Method/Workaround in the table under Preventive Measures.
For the BC&DR Solution and OceanStor Backup Solution, check the installed operating systems to determine whether this risk is involved. For details, see Identification Method/Workaround in the table under Preventive Measures.
Root cause
1. Attackers exploit the Windows SMBv1 remote code execution vulnerabilities MS17-010 (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148). As a result, the management system of a storage device comes under unauthorized control.
2. On March 10th, 2019, the latest version of the GlobeImposter family, GlobeImposter 3.0, was discovered. It probably gains access by brute-forcing the password of the Windows RDP service (port 3389) and then implants the ransomware.
Impact and risk
1. The management system of a storage device comes under unauthorized control, and there is a risk of data loss.
2. Once attacked, the storage devices are infected with ransomware. The files on infected Windows hosts are encrypted and can be decrypted only when a large ransom is paid.
Measures and solutions
Workarounds
For the OceanStor 18000 V1, 18000 V3 and 18000 V5 series storage devices, disable SMBv1 on the SVP and close port 3389.
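As an added example (not part of this advisory or its referenced table), the following PowerShell audits the two settings named in the identification method on a Windows host and applies the workaround stated above; it assumes a Windows build that ships the SmbShare and NetTCPIP modules (Windows 8 / Server 2012 or later), an elevated session, and the function names are hypothetical.

```powershell
# Added example: audit SMBv1 server support and RDP on TCP 3389, then apply the workaround.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

function Get-Ms17010Exposure {
    # SMBv1: on newer builds Get-SmbServerConfiguration is authoritative; on older builds
    # the LanmanServer "SMB1" registry value is (absent value = enabled, the Windows default).
    $lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Reg = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Cfg = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Cfg = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $smb1Enabled = ($smb1Cfg -eq $true) -or (($null -eq $smb1Cfg) -and ($smb1Reg -ne 0))

    # RDP: fDenyTSConnections = 1 means Remote Desktop is disabled; also look for a live listener.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpAllowed = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $listening  = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SMB1Enabled  = $smb1Enabled
        RDPEnabled   = $rdpAllowed
        Port3389Open = $listening
        Exposed      = $smb1Enabled -or $rdpAllowed -or $listening
    }
}

function Disable-Ms17010Exposure {
    # Workaround from the advisory: turn off SMBv1 and close port 3389.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Disable Remote Desktop and block inbound TCP 3389 at the host firewall.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'Block inbound TCP 3389 (advisory workaround)' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
}

$state = Get-Ms17010Exposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning "Host is exposed; run Disable-Ms17010Exposure to apply the workaround."
}
```

On builds older than Windows 8 / Server 2012 the SMBv1 change must be made through the LanmanServer registry value instead of Set-SmbServerConfiguration and takes effect after a reboot.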
