Synolocker - Cryptolocker for NASes

Forums › IT Pro and developers › Synolocker - Cryptolocker for NASes

fastmikey

296 posts

Ultimate Geek
+1 received by user: 12

ID Verified

#150814 4-Aug-2014 12:10

A heads up for anyone using a Synology NAS:

https://twitter.com/MikeEvangelist/status/495970097497128960

Looks like there's now a version of Cryptolocker specifically targetting Synology NASes - and you just have to have the web features enabled on your NAS to get potentially hit...

Lovely. My @Synology NAS has been hacked by ransomware calling itself Synolocker. Not what I wanted to do today. pic.twitter.com/YJ1VLeKqfY

— Mike Evangelist (@MikeEvangelist) August 3, 2014

1 | 2 | 3 | 4

Amanzi
1354 posts

Uber Geek
+1 received by user: 332

ID Verified

Trusted

Lifetime subscriber

#1101667 4-Aug-2014 12:43

Scary stuff. From what I gather, if you get infected with Cryptolocker you only have two options: 1. pay the ransom and hope it works; or 2. restore your files from backup. Hard to tell from that Twitter thread how the NAS got infected?

freitasm

BDFL - Memuneh
80654 posts

Uber Geek
+1 received by user: 41050

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1101668 4-Aug-2014 12:43

I just got a Synology here to try... So let's see if I can get it infected.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

khull

1245 posts

Uber Geek
+1 received by user: 133

#1101674 4-Aug-2014 12:48

I own a couple of Synology NAS boxes ( back in the DSM 1.x and 2.x days) and found the software and documentation to be shoddy. Doesn't surprise me if these things are happening. I'm still using the NAS boxes as they are feature packed

fastmikey

296 posts

Ultimate Geek
+1 received by user: 12

ID Verified

#1101676 4-Aug-2014 12:59

https://news.ycombinator.com/item?id=8128521 suggests there's some possible holes in the LAMP stack implementation... in https://twitter.com/MikeEvangelist/status/496025753721790464 he's said that he has AFP and SMB exposed to the net too.

freitasm

BDFL - Memuneh
80654 posts

Uber Geek
+1 received by user: 41050

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1101678 4-Aug-2014 13:01

Well, there you go. SMB and AFP exposed. *sigh*

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

fastmikey

296 posts

Ultimate Geek
+1 received by user: 12

ID Verified

#1101679 4-Aug-2014 13:01

http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/ has a bit more too.

Lego

Shop now for Lego sets and other gifts (affiliate link).

fastmikey

296 posts

Ultimate Geek
+1 received by user: 12

ID Verified

#1101681 4-Aug-2014 13:02

freitasm: Well, there you go. SMB and AFP exposed. *sigh*

Not exactly the brightest of moves, that...

amanzi

Amanzi
1354 posts

Uber Geek
+1 received by user: 332

ID Verified

Trusted

Lifetime subscriber

#1101685 4-Aug-2014 13:06

fastmikey:
freitasm: Well, there you go. SMB and AFP exposed. *sigh*

Not exactly the brightest of moves, that...

I don't understand how someone could have accidentally done this? And surely he wouldn't have configured his router/firewall/modem to explicitly allow connections from the internet to get to his NAS on those ports? Doesn't make sense to me.

fastmikey

296 posts

Ultimate Geek
+1 received by user: 12

ID Verified

#1101699 4-Aug-2014 13:35

amanzi:
fastmikey:
freitasm: Well, there you go. SMB and AFP exposed. *sigh*

Not exactly the brightest of moves, that...

I don't understand how someone could have accidentally done this? And surely he wouldn't have configured his router/firewall/modem to explicitly allow connections from the internet to get to his NAS on those ports? Doesn't make sense to me.

Why you would configure like that I can't explain, short of sheer laziness. However, looking at some of the commentary, it looks more likely that the vulnerability is in the web interface - and apparently it's not uncommon to have that forwarded (port 5000/5001).

DSM 4.3-3827 Update 4

(2014/6/25)

Change Log

Updated OpenSSL to version 1.0.1h to address several severe security issues. (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470)
Fixed a security issue that allows attackers to avoid checking mechanism and execute unintended commands via Web script.

may well point to what's being exploited on unpatched systems.

As I don't have any affected systems (yet, God willing!) however I can't speak with any certainty...

gjm

810 posts

Ultimate Geek
+1 received by user: 122

#1101703 4-Aug-2014 13:51

Only synology service I expose to the internet is VPN. I just dont know why you would open everything else up like that

Do surveys for Beer money (referral link) - Octopus Group

Link for buying beer (not affiliated, just like beer) - Good George

russelo

332 posts

Ultimate Geek
+1 received by user: 43

#1101710 4-Aug-2014 14:02

SMB is almost useless over the internet anyway as it would be very slow (I've tried it - SMB tends to be very chatty).

The only way to get to my NAS's web is by going through my router's SSH server first.

HP

Shop now for HP laptops and other devices (affiliate link).

afe66

3181 posts

Uber Geek
+1 received by user: 1678

Lifetime subscriber

#1101745 4-Aug-2014 15:01

gjm: Only synology service I expose to the internet is VPN. I just dont know why you would open everything else up like that

Out of curiosity what are you using the VPN connection for?

To connect to your NAS from the web or to connect your NAS to an external VPN?

I was curious as to whether I could use my 412+ VPN to connect to Netflix and then connect a Roku to NAS client and get Netflix..

? A.

Sideface

9650 posts

Uber Geek
+1 received by user: 15600

Trusted

Lifetime subscriber

#1101814 4-Aug-2014 15:52

Having read this thread I have updated the DSM (operating system) firmware on my Synology DS1813+.
At the end of the install I was offered "QuickConnect" software which I declined, as well as all the other optional extras.
"QuickConnect lets you access your Synology DS1813+ anywhere"
I presume it is the "QuickConnect" software that is vulnerable to Synolocker.

Sideface

michaelmurfy

meow
13580 posts

Uber Geek
+1 received by user: 10912

Moderator

ID Verified

Trusted

Lifetime subscriber

#1101816 4-Aug-2014 15:52

I have a few of these scattered around to backup my mine and my flatmates servers,

One of our sites got pwned - really not good:

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

amanzi

Amanzi
1354 posts

Uber Geek
+1 received by user: 332

ID Verified

Trusted

Lifetime subscriber

#1101820 4-Aug-2014 15:56

michaelmurfy: One of our sites got pwned - really not good:

I'm curious to know what your plan is to fix it? I'm interested to see if there's an alternative to paying the ransom or relying on backups.

1 | 2 | 3 | 4