Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersSynolocker - Cryptolocker for NASes
fastmikey

275 posts

Ultimate Geek

ID Verified

#150814 4-Aug-2014 12:10
Send private message

A heads up for anyone using a Synology NAS:

https://twitter.com/MikeEvangelist/status/495970097497128960

Looks like there's now a version of Cryptolocker specifically targetting Synology NASes - and you just have to have the web features enabled on your NAS to get potentially hit...

 

 

Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3 | 4
amanzi
Amanzi
1149 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1101667 4-Aug-2014 12:43
Send private message

Scary stuff. From what I gather, if you get infected with Cryptolocker you only have two options: 1. pay the ransom and hope it works; or 2. restore your files from backup. Hard to tell from that Twitter thread how the NAS got infected?

 
 
 
 

Learn cloud, mobile, security, data and web technologies with Pluralsight (affiliate link).
freitasm
BDFL - Memuneh
76398 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1101668 4-Aug-2014 12:43
Send private message

I just got a Synology here to try... So let's see if I can get it infected.




Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

 

freitasm on Keybase | My technology disclosure

 

 

 

 

 

 

khull
1245 posts

Uber Geek


  #1101674 4-Aug-2014 12:48
Send private message

I own a couple of Synology NAS boxes ( back in the DSM 1.x and 2.x days) and found the software and documentation to be shoddy. Doesn't surprise me if these things are happening. I'm still using the NAS boxes as they are feature packed



fastmikey

275 posts

Ultimate Geek

ID Verified

  #1101676 4-Aug-2014 12:59
Send private message

https://news.ycombinator.com/item?id=8128521 suggests there's some possible holes in the LAMP stack implementation... in https://twitter.com/MikeEvangelist/status/496025753721790464 he's said that he has AFP and SMB exposed to the net too.

freitasm
BDFL - Memuneh
76398 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1101678 4-Aug-2014 13:01
Send private message

Well, there you go. SMB and AFP exposed. *sigh*




Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

 

freitasm on Keybase | My technology disclosure

 

 

 

 

 

 

fastmikey

275 posts

Ultimate Geek

ID Verified

  #1101679 4-Aug-2014 13:01
Send private message

http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/ has a bit more too.

fastmikey

275 posts

Ultimate Geek

ID Verified

  #1101681 4-Aug-2014 13:02
Send private message

freitasm: Well, there you go. SMB and AFP exposed. *sigh*




Not exactly the brightest of moves, that...



amanzi
Amanzi
1149 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1101685 4-Aug-2014 13:06
Send private message

fastmikey:
freitasm: Well, there you go. SMB and AFP exposed. *sigh*




Not exactly the brightest of moves, that...


I don't understand how someone could have accidentally done this? And surely he wouldn't have configured his router/firewall/modem to explicitly allow connections from the internet to get to his NAS on those ports? Doesn't make sense to me.

fastmikey

275 posts

Ultimate Geek

ID Verified

  #1101699 4-Aug-2014 13:35
Send private message

amanzi:
fastmikey:
freitasm: Well, there you go. SMB and AFP exposed. *sigh*




Not exactly the brightest of moves, that...


I don't understand how someone could have accidentally done this? And surely he wouldn't have configured his router/firewall/modem to explicitly allow connections from the internet to get to his NAS on those ports? Doesn't make sense to me.


Why you would configure like that I can't explain, short of sheer laziness. However, looking at some of the commentary, it looks more likely that the vulnerability is in the web interface - and apparently it's not uncommon to have that forwarded (port 5000/5001).

 

DSM 4.3-3827 Update 4

 

(2014/6/25)

 

Change Log

 

     

  1. Updated OpenSSL to version 1.0.1h to address several severe security issues. (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470)
  2. Fixed a security issue that allows attackers to avoid checking mechanism and execute unintended commands via Web script.

 


may well point to what's being exploited on unpatched systems.

As I don't have any affected systems (yet, God willing!) however I can't speak with any certainty...

gjm

gjm
787 posts

Ultimate Geek


  #1101703 4-Aug-2014 13:51
Send private message

Only synology service I expose to the internet is VPN. I just dont know why you would open everything else up like that




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

russelo
319 posts

Ultimate Geek


  #1101710 4-Aug-2014 14:02
Send private message

SMB is almost useless over the internet anyway as it would be very slow (I've tried it - SMB tends to be very chatty).

The only way to get to my NAS's web is by going through my router's SSH server first.

afe66
3128 posts

Uber Geek

Lifetime subscriber

  #1101745 4-Aug-2014 15:01
Send private message

gjm: Only synology service I expose to the internet is VPN. I just dont know why you would open everything else up like that


Out of curiosity what are you using the VPN connection for?

To connect to your NAS from the web or to connect your NAS to an external VPN?

I was curious as to whether I could use my 412+ VPN to connect to Netflix and then connect a Roku to NAS client and get Netflix..

? A.

Sideface
8457 posts

Uber Geek

Trusted
DR
Lifetime subscriber

  #1101814 4-Aug-2014 15:52
Send private message

Having read this thread I have updated the DSM (operating system) firmware on my Synology DS1813+.
At the end of the install I was offered "QuickConnect" software which I declined, as well as all the other optional extras.
"QuickConnect lets you access your Synology DS1813+ anywhere"
I presume it is the "QuickConnect" software that is vulnerable to Synolocker.




Sideface

michaelmurfy
cat
12248 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1101816 4-Aug-2014 15:52
Send private message

I have a few of these scattered around to backup my mine and my flatmates servers,

One of our sites got pwned - really not good:




Michael Murphy | https://murfy.nz
Referral Links: Tessie | Tesla | Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

amanzi
Amanzi
1149 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1101820 4-Aug-2014 15:56
Send private message

michaelmurfy: One of our sites got pwned - really not good:


I'm curious to know what your plan is to fix it? I'm interested to see if there's an alternative to paying the ransom or relying on backups.

 1 | 2 | 3 | 4
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic





News and reviews »

New Air Traffic Management Platform and Resilient Buildings a Milestone for Airways
Posted 6-Dec-2023 05:00

Logitech G Launches New Flagship Console Wireless Gaming Headset Astro A50 X
Posted 5-Dec-2023 21:00

NordVPN Helps Users Protect Themselves From Vulnerable Apps
Posted 5-Dec-2023 14:27

First-of-its-Kind Flight Trials Integrate Uncrewed Aircraft Into Controlled Airspace
Posted 5-Dec-2023 13:59

Prodigi Technology Services Announces Strategic Acquisition of Conex
Posted 4-Dec-2023 09:33

Samsung Announces Galaxy AI
Posted 28-Nov-2023 14:48

Epson Launches EH-LS650 Ultra Short Throw Smart Streaming Laser Projector
Posted 28-Nov-2023 14:38

Fitbit Charge 6 Review 
Posted 27-Nov-2023 16:21

Cisco Launches New Research Highlighting Gap in Preparedness for AI
Posted 23-Nov-2023 15:50

Seagate Takes Block Storage System to New Heights Reaching 2.5 PB
Posted 23-Nov-2023 15:45

Seagate Nytro 4350 NVMe SSD Delivers Consistent Application Performance and High QoS to Data Centers
Posted 23-Nov-2023 15:38

Amazon Fire TV Stick 4k Max (2nd Generation) Review
Posted 14-Nov-2023 16:17

Over half of New Zealand adults surveyed concerned about AI shopping scams
Posted 3-Nov-2023 10:42

Super Mario Bros. Wonder Launches on Nintendo Switch
Posted 24-Oct-2023 10:56

Google Releases Nest WiFi Pro in New Zealand
Posted 24-Oct-2023 10:18








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







Lenovo






RSS feeds
Main feed
Forums feed
Copyright
©2002-2023 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Affiliate links
Mighty Ape
Sharesies
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.