Synolocker - Cryptolocker for NASes

Forums › IT Pro and developers › Synolocker - Cryptolocker for NASes

1 | 2 | 3 | 4

Meow
7280 posts

Uber Geek
+1 received by user: 3482

Moderator

Trusted

Lifetime subscriber

Reply # 1101825 4-Aug-2014 16:02

amanzi:
michaelmurfy: One of our sites got pwned - really not good:

I'm curious to know what your plan is to fix it? I'm interested to see if there's an alternative to paying the ransom or relying on backups.

I'm wanting to get access to the NAS and check out the scripts myself, if I do I will gzip them and post them online (for potential reverse-engineering).

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

fastmikey

198 posts

Master Geek
+1 received by user: 9

Reply # 1101843 4-Aug-2014 16:20

michaelmurfy: One of our sites got pwned - really not good:

Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?

Try Wrike: fast, easy, and efficient project collaboration software

michaelmurfy

Meow
7280 posts

Uber Geek
+1 received by user: 3482

Moderator

Trusted

Lifetime subscriber

Reply # 1101874 4-Aug-2014 16:51

fastmikey:
michaelmurfy: One of our sites got pwned - really not good:

Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?

I'll investigate this later fully but 5000 was exposed to the internet w/ very secure usernames and passwords, this is an exploit and not user error as we call it. The bonus is it looks like crypto takes a while due to its slow CPU so you'll minimize damage by catching it quickly.

Is pretty scary but anyone using the remote access features of these NAS devices will be exposed to the exploit.

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

gjm

744 posts

Ultimate Geek
+1 received by user: 91

Reply # 1102204 4-Aug-2014 22:28

afe66:
gjm: Only synology service I expose to the internet is VPN. I just dont know why you would open everything else up like that

Out of curiosity what are you using the VPN connection for?

To connect to your NAS from the web or to connect your NAS to an external VPN?

I was curious as to whether I could use my 412+ VPN to connect to Netflix and then connect a Roku to NAS client and get Netflix..

? A.

I just use it to connect to my NAS from the internet at the moment. Will even be getting rid of that soon and terminate on something else as I just dont trust this NAS on the internet. Cant help with your setup though sorry.

[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

fastmikey

198 posts

Master Geek
+1 received by user: 9

Reply # 1102325 5-Aug-2014 08:44

Acknowledged by Synology now: http://t.co/kqfpmF7SbA

Basically kill all remote access, back everything you can up and update if you're not affected.

If you are, hard shut down and wait...

freitasm

BDFL - Memuneh
60048 posts

Uber Geek
+1 received by user: 11134

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1102413 5-Aug-2014 10:30

Michael, any update on your research?

Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Backblaze cloud backup (personal and business) | My technology disclosure

You can support content creators (and Geekzone) by using the Brave browser.

afe66

1639 posts

Uber Geek
+1 received by user: 587

Lifetime subscriber

Reply # 1102419 5-Aug-2014 10:37

When they say update... Is the latest version 4.3 Ok or do they mean latest version of 5.

Shocked to find I was still using 2013 version yesterday.

Now latest version 4.3 which seems list the script attack fixes.

A.

freitasm

BDFL - Memuneh
60048 posts

Uber Geek
+1 received by user: 11134

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1102916 5-Aug-2014 21:24

And on Slashdot too.

Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Backblaze cloud backup (personal and business) | My technology disclosure

You can support content creators (and Geekzone) by using the Brave browser.

mentalinc

1493 posts

Uber Geek
+1 received by user: 131

Trusted

Reply # 1102930 5-Aug-2014 21:38

Really THE worst article I've seen Freitasm on this topic.

CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB: Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

Want to be with an awesome ISP? Want $20 credit too? Use this link to sign up to BigPipe.

michaelmurfy

Meow
7280 posts

Uber Geek
+1 received by user: 3482

Moderator

Trusted

Lifetime subscriber

Reply # 1102982 5-Aug-2014 23:25

2 people support this post

freitasm: Michael, any update on your research?

Nothing just yet - I am yet to get the NAS in my hands, shut it off before I could fully check it out.

I will put some blank drives in mine and boot it up - SSH in and see what the fuss is about.

In the meantime - if you've got infected do the following:
1) Shut it down.
2) Stop all port forwards to it.
3) Take the drives out - mount it on a computer running Ubuntu Linux or something and recover it that way.
4) Restore the NAS to stock firmware using the firmware recovery tool on Synology's website (with blank drives in it).

Once the data is recovered, wipe the drives and insert them back in the factory defaulted NAS, you should be good now.

Due to its slow CPU it does take quite some time for the encryption to go through all the files, assuming you caught it early damage should be minimal however if you were a little too late it could be pretty bad. Don't pay the ransom at all, instead put that money towards an online solution like http://www.code42.com/crashplan/ or Dropbox and say goodbye to any files that got encrypted.

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

shk292

1431 posts

Uber Geek
+1 received by user: 726

Reply # 1103041 6-Aug-2014 08:38

Just a quick note of thanks to the OP for raising this. My Synology is quite new and updated so safe, but I have now removed all external access including the port forwarding on my router. I thought it was "kind of neat" to be able to access music etc from anywhere, but not worth this risk.

networkn

16510 posts

Uber Geek
+1 received by user: 4610

Trusted

Lifetime subscriber

Reply # 1103042 6-Aug-2014 08:39

Synology's response via our local distributor:

I have spoken to Synology about this matter and they are working on it at the moment.

Theres not too much information I have at the moment, they have advice to update the DSM to version later than 4.3-3827 to prevent NAS being hacked.

If unfortunate and the unit is hacked please shutdown immediately and contact us for further support.

wasabi2k

2090 posts

Uber Geek
+1 received by user: 848

Reply # 1103050 6-Aug-2014 08:57

If it is CryptoLocker doing the encryption then nope you are screwed re: file recovery.

Options are
1. send money to shady people using Tor/Bitcoin and hope - more than likely your money is gone and no recovery
2. restore from backup (you've got those right?)

DropBox etc files can be restored using Previous Versions - not an option for your NAS.

Why expose them to the internet in the first place?

networkn

16510 posts

Uber Geek
+1 received by user: 4610

Trusted

Lifetime subscriber

Reply # 1103059 6-Aug-2014 09:10

One person supports this post

Latest Update:

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php:

· When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.

· A process called “synosync” is running in Resource Monitor.

· DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

· For DSM 4.3, please install DSM 4.3-3827 or later

· For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later

· For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.

nigelj

854 posts

Ultimate Geek
+1 received by user: 125

Reply # 1103228 6-Aug-2014 12:40

Based on networkn's quote and the Synology changelog, looks like the issue that was fixed back in Feb was related to the following two CVEs:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6955 (CVSS Base Score 10)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6987 (CVSS Base Score 7.5)

6955 looks to be the nasty one:

Overview

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

So: People upgrade your NAS!

1 | 2 | 3 | 4