…and it is looking like maybe Plex Media Server is a common denominator among the people there reporting Kupidon ransomware-encrypted files.
My experience is that I found Kupidon-encrypted files on the \Users\Public folder on my Plex Media Server computer. That’s where Plex/the HDHomeRun networked tuner was saving DVR’ed TV. I haven’t found them on any other computers or servers on my home network, and I have another computer that similarly has the \Users\Public folder shared out.
My ISP is CGNAT’ted, but I had Plex remote access working by connecting the Plex server computer through my VPN (PureVPN) and port-forwarding port 32400 through both the VPN and my router – although I had only set it up for testing. I have no other users besides myself.
I guess what I am wondering is if it is somehow possible for an external Kupidon-infected computer to encrypt files on a public-write-access share on a remote Plex Media Server through the port 32400 remote access port? Because that is what it looks like happened.
And if that is possible, is it because of a networking misconfiguration on my part, or is a Plex Media Server vulnerability being exploited?
Here’s another person describing what sounds like the same thing – port 32400 open for Plex Media Server, all the files in the Public folder encrypted with Kupidon:
I don’t think there’s enough information to determine the malware/infection vector. The malware notices and (claimed) malware operator also targeted companies. People not running Plex were affected too. I agree it’s worth investigating. It appears that no samples of the malware have been captured?
It’s definitely interesting that there’s a lot of “I use a NAS” and “I use a media server” and “I download media”. I wonder if those users are also exposed to more risks, or if they’re the most likely to have vulnerable “Public” shares enabled. Or if they’re more likely to post in malware forums.
The baseline assumption should be that malware was executed SOMEWHERE within your network, and that files on “Public” shares were targeted because they were unprotected and made the easiest targets.
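As an added defender-side check (example script, not written by anyone in this thread), the following PowerShell audit lists the shares on a Windows host, such as the Plex Media Server box, that grant write access to broad principals at both the share level and the NTFS level, which is exactly what makes a "Public" share the easiest target once ransomware has a foothold on the LAN. It assumes the built-in SmbShare and NetTCPIP modules (Windows 8 / Server 2012 or later) and an elevated shell; the port check at the end is only there because port 32400 is the value discussed above.

```powershell
# Added audit script, not from the thread. Reports SMB shares that broad principals
# could write to without credentials, i.e. the shares ransomware on any LAN or VPN
# peer would encrypt first. Effective access is the intersection of the share-level
# and the NTFS-level permissions, so both layers are checked.
# Assumes: built-in SmbShare / NetTCPIP modules and an elevated PowerShell session.

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Users',
    'BUILTIN\Guests'
)

function Test-BroadPrincipal([string]$Account) {
    # -contains is case-insensitive; share ACLs return 'Everyone', NTFS ACLs 'BUILTIN\Users'
    return $BroadPrincipals -contains $Account
}

function Get-BroadWritableShare {
    # Skip administrative shares (C$, ADMIN$, IPC$), which are flagged Special
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        # Share-level: Change or Full permits writes
        $shareWrite = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -in 'Change', 'Full' -and
                           (Test-BroadPrincipal $_.AccountName) } |
            ForEach-Object { $_.AccountName }
        if (-not $shareWrite) { continue }

        # NTFS-level on the shared folder: any right that allows writing
        $ntfsWrite = (Get-Acl -Path $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.FileSystemRights -match 'Write|Modify|FullControl') -and
                           (Test-BroadPrincipal $_.IdentityReference.Value) } |
            ForEach-Object { $_.IdentityReference.Value }

        if ($ntfsWrite) {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                ShareWrite = ($shareWrite | Sort-Object -Unique) -join ', '
                NtfsWrite  = ($ntfsWrite  | Sort-Object -Unique) -join ', '
            }
        }
    }
}

Get-BroadWritableShare | Format-Table -AutoSize

# Is the Plex remote-access port from the thread listening, and on which interface?
Get-NetTCPConnection -LocalPort 32400 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Any share that appears in the first table is reachable for writing by every host that can reach SMB on this machine; restricting it to a dedicated account with a password (or Read for Everyone) removes that exposure regardless of how the malware got onto the network.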
Yeah, I’d assume that too – but I haven’t found any evidence of that, at least on my home network. And the other open shares on my home network were not affected, only the open share on the computer running Plex Media Server, with port 32400 open for Plex remote access.
I’m sure there are other vectors for the Kupidon ransomware, but what I took away from that thread (right or wrong) is that there seemed to be another 4-5 people that appeared to have the commonalities of…
no apparent source of the Kupidon malware on the computer or network
only open shares on the Plex Media Server computer/NAS were affected
the PMS computer/NAS had port 32400 Plex remote access open
I’m not trying to prove it wasn’t Plex. Can’t prove a negative in the first place. And I’d like to know if it was!
If I’m reading correctly, people who weren’t using Plex were also affected. I hope that’s true, and I’m weighing it heavily.
Changing files in “Public” shares is standard crypto malware behavior, and every report appears to match this. That contributes to the idea that it wasn’t Plex-specific.
On some NAS deployments, Plex runs as a privileged user, and malware could have modified other, more valuable files. On Windows, Plex runs as a normal user, and malware could have modified other files. On many Windows systems it runs as the normal user account. Nobody is reporting that any files only accessible to Plex were modified.
On the other hand, some Plex deployments are only able to access specific directories with media files. Nobody is reporting that the only files modified were ones Plex could access.
Those are all soft indicators - perhaps it’s just what the malware was designed to do. It would be a good way to stay stealthy.
I would also prefer to believe that it isn’t Plex related. If it turns out that every affected user was also using Plex, that would be significant indeed.
I also believe that if there was a remote-access Plex vulnerability of this size, it would be more valuable than this.
AgeLocker is very interesting. It’s been around for a little while as crypto malware; now it’s been combined with a QNAP vulnerability and custom messaging. Says something about the industriousness of crooks.
I wonder if it’s using the previous QNAP Photo app vulnerability or something new.