Geekzone: technology news, blogs, forums
michaelmurfy
meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1101825 4-Aug-2014 16:02

amanzi:
michaelmurfy: One of our sites got pwned - really not good:


I'm curious to know what your plan is to fix it? I'm interested to see if there's an alternative to paying the ransom or relying on backups.


I'm wanting to get access to the NAS and check out the scripts myself, if I do I will gzip them and post them online (for potential reverse-engineering).




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.




fastmikey

296 posts

Ultimate Geek
+1 received by user: 12

ID Verified

  #1101843 4-Aug-2014 16:20

michaelmurfy: One of our sites got pwned - really not good:



Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?

michaelmurfy
meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1101874 4-Aug-2014 16:51

fastmikey:
michaelmurfy: One of our sites got pwned - really not good:



Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?


I'll investigate this fully later, but 5000 was exposed to the internet with very secure usernames and passwords; this is an exploit and not user error, as we call it. The bonus is that it looks like the crypto takes a while due to its slow CPU, so you'll minimize damage by catching it quickly.

It's pretty scary, but anyone using the remote access features of these NAS devices will be exposed to the exploit.








gjm

gjm
810 posts

Ultimate Geek
+1 received by user: 122


  #1102204 4-Aug-2014 22:28

afe66:
gjm: Only synology service I expose to the internet is VPN. I just dont know why you would open everything else up like that


Out of curiosity what are you using the VPN connection for?

To connect to your NAS from the web or to connect your NAS to an external VPN?

I was curious as to whether I could use my 412+ VPN to connect to Netflix and then connect a Roku to the NAS client and get Netflix...

? A.




I just use it to connect to my NAS from the internet at the moment. I will even be getting rid of that soon and terminating on something else, as I just don't trust this NAS on the internet. Can't help with your setup though, sorry.




Do surveys for Beer money (referral link) - Octopus Group 

 

Link for buying beer (not affiliated, just like beer) - Good George


fastmikey

296 posts

Ultimate Geek
+1 received by user: 12

ID Verified

  #1102325 5-Aug-2014 08:44

Acknowledged by Synology now:  http://t.co/kqfpmF7SbA 

Basically kill all remote access, back up everything you can, and update if you're not affected.

If you are, hard shut down and wait...

freitasm
BDFL - Memuneh
80656 posts

Uber Geek
+1 received by user: 41057

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1102413 5-Aug-2014 10:30

Michael, any update on your research?




Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 


 
 
 

afe66
3181 posts

Uber Geek
+1 received by user: 1678

Lifetime subscriber

  #1102419 5-Aug-2014 10:37

When they say update... is the latest version of 4.3 OK, or do they mean the latest version of 5?

Shocked to find I was still using the 2013 version yesterday.

Now on the latest version of 4.3, which seems to list the script attack fixes.

A.





freitasm
BDFL - Memuneh
80656 posts

Uber Geek
+1 received by user: 41057

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1102916 5-Aug-2014 21:24

And on Slashdot too.





 


mentalinc
3384 posts

Uber Geek
+1 received by user: 1023

Trusted

  #1102930 5-Aug-2014 21:38

Really THE worst article I've seen, Freitasm, on this topic.




CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB:  Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

 

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX 


michaelmurfy
meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1102982 5-Aug-2014 23:25

freitasm: Michael, any update on your research?


Nothing just yet - I have yet to get the NAS in my hands; it was shut off before I could fully check it out.

I will put some blank drives in mine and boot it up - SSH in and see what the fuss is about.

In the meantime - if you've been infected, do the following:
1) Shut it down.
2) Stop all port forwards to it.
3) Take the drives out - mount them on a computer running Ubuntu Linux or something and recover the data that way.
4) Restore the NAS to stock firmware using the firmware recovery tool on Synology's website (with blank drives in it).

Once the data is recovered, wipe the drives and insert them back in the factory-defaulted NAS; you should be good now.

Due to its slow CPU, it does take quite some time for the encryption to go through all the files. Assuming you caught it early, damage should be minimal; however, if you were a little too late it could be pretty bad. Don't pay the ransom at all; instead, put that money towards an online solution like http://www.code42.com/crashplan/ or Dropbox and say goodbye to any files that got encrypted.






shk292
2916 posts

Uber Geek
+1 received by user: 2040

Lifetime subscriber

  #1103041 6-Aug-2014 08:38

Just a quick note of thanks to the OP for raising this.  My Synology is quite new and updated so safe, but I have now removed all external access including the port forwarding on my router.  I thought it was "kind of neat" to be able to access music etc from anywhere, but not worth this risk.

 
 
 

networkn
Networkn
32868 posts

Uber Geek
+1 received by user: 15458

ID Verified
Trusted
Lifetime subscriber

  #1103042 6-Aug-2014 08:39

Synology's response via our local distributor: 


I have spoken to Synology about this matter and they are working on it at the moment.

There's not too much information I have at the moment; they have advised updating DSM to a version later than 4.3-3827 to prevent the NAS being hacked.

If, unfortunately, the unit is hacked, please shut down immediately and contact us for further support.


wasabi2k
2102 posts

Uber Geek
+1 received by user: 860


  #1103050 6-Aug-2014 08:57

If it is CryptoLocker doing the encryption then nope you are screwed re: file recovery.

Options are
1. send money to shady people using Tor/Bitcoin and hope - more than likely your money is gone and there's no recovery
2. restore from backup (you've got those right?)

DropBox etc files can be restored using Previous Versions - not an option for your NAS.

Why expose them to the internet in the first place?





networkn
Networkn
32868 posts

Uber Geek
+1 received by user: 15458

ID Verified
Trusted
Lifetime subscriber

  #1103059 6-Aug-2014 09:10

Latest Update: 


We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.


For Synology NAS servers running DSM 4.3-3810 or earlier, if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php:

· When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.

· A process called “synosync” is running in Resource Monitor.

· DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

· For DSM 4.3, please install DSM 4.3-3827 or later

· For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later

· For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.


We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.
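The version table and the "synosync" symptom from Synology's statement above, turned into a small triage check. This is an added example, not Synology's code or anything posted in the thread; the `ps` listing is constructed, and treating pre-4.0 or unrecognised 4.x branches as exposed is my assumption, not the statement's.

```python
import re

# Minimum safe build per DSM branch, from Synology's statement above. DSM 4.1 has
# no fixed build of its own: the statement sends 4.1 users to 4.2-3243.
FIXED_BUILDS = {
    (4, 0): (4, 0, 2259),
    (4, 1): (4, 2, 3243),
    (4, 2): (4, 2, 3243),
    (4, 3): (4, 3, 3827),
}
# Accepts "4.3-3810" and "4.3-3810 Update 1"; the update suffix is ignored because
# the statement keys its guidance on the base build number only.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)(?:\s+Update\s+\d+)?$", re.IGNORECASE)

def parse_dsm_version(text):
    """Return (major, minor, build) from a DSM version string such as '4.3-3810'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised DSM version string: %r" % text)
    return tuple(int(g) for g in m.groups())

def is_vulnerable_version(text):
    """True if the statement lists this version as affected (DSM 4.x below its fix)."""
    major, minor, build = parse_dsm_version(text)
    if major >= 5:
        return False  # statement: not observed in DSM 5.0
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return True  # assumption: pre-4.0 or unknown 4.x branches are treated as exposed
    return (major, minor, build) < fixed

def synosync_running(ps_output):
    """True if a 'synosync' process (the statement's symptom) appears in ps output."""
    return any(field.rsplit("/", 1)[-1] == "synosync"
               for line in ps_output.splitlines() for field in line.split())

def triage(version, ps_output):
    """Return the statement's conditions that apply to this NAS (empty list = none)."""
    findings = []
    if is_vulnerable_version(version):
        findings.append("DSM %s is below the fixed build for its branch" % version.strip())
    if synosync_running(ps_output):
        findings.append("process 'synosync' is running")
    return findings

# Constructed sample in BusyBox ps layout; not captured from a real device.
SAMPLE_PS = """  PID USER       VSZ STAT COMMAND
    1 root      2744 S    /sbin/init
  912 root     18432 S    /usr/syno/bin/synosync -d
 1337 admin     3120 S    -ash"""
```

`triage()` takes the version shown at Control Panel > DSM Update and a `ps` listing taken over SSH; an empty result means neither of the statement's conditions applies.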





nigelj
856 posts

Ultimate Geek
+1 received by user: 125


  #1103228 6-Aug-2014 12:40

Based on networkn's quote and the Synology changelog, looks like the issue that was fixed back in Feb was related to the following two CVEs:

 


6955 looks to be the nasty one:

Overview

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.


So: people, upgrade your NAS!
