Meow
  Reply # 1101825 4-Aug-2014 16:02

amanzi:
michaelmurfy: One of our sites got pwned - really not good:


I'm curious to know what your plan is to fix it? I'm interested to see if there's an alternative to paying the ransom or relying on backups.


I'm wanting to get access to the NAS and check out the scripts myself; if I do, I will gzip them and post them online (for potential reverse-engineering).






  Reply # 1101843 4-Aug-2014 16:20

michaelmurfy: One of our sites got pwned - really not good:



Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?

Meow
  Reply # 1101874 4-Aug-2014 16:51

fastmikey:
michaelmurfy: One of our sites got pwned - really not good:



Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?


I'll investigate this fully later, but 5000 was exposed to the internet with very secure usernames and passwords; this is an exploit and not user error, as we call it. The bonus is it looks like the crypto takes a while due to its slow CPU, so you'll minimize damage by catching it quickly.

It's pretty scary, but anyone using the remote access features of these NAS devices will be exposed to the exploit.




gjm
  Reply # 1102204 4-Aug-2014 22:28

afe66:
gjm: The only Synology service I expose to the internet is VPN. I just don't know why you would open everything else up like that.


Out of curiosity what are you using the VPN connection for?

To connect to your NAS from the web or to connect your NAS to an external VPN?

I was curious as to whether I could use my 412+ VPN to connect to Netflix and then connect a Roku to NAS client and get Netflix..

? A.




I just use it to connect to my NAS from the internet at the moment. I will even be getting rid of that soon and terminate on something else, as I just don't trust this NAS on the internet. Can't help with your setup though, sorry.





  Reply # 1102325 5-Aug-2014 08:44

Acknowledged by Synology now:  http://t.co/kqfpmF7SbA 

Basically kill all remote access, back everything you can up and update if you're not affected.

If you are, hard shut down and wait...

  Reply # 1102419 5-Aug-2014 10:37

When they say update... is the latest version of 4.3 OK, or do they mean the latest version of 5?

Shocked to find I was still using a 2013 version yesterday.

Now on the latest version of 4.3, which seems to list the script attack fixes.

A.





  Reply # 1102930 5-Aug-2014 21:38

Really THE worst article I've seen, Freitasm, on this topic.




Meow

  Reply # 1102982 5-Aug-2014 23:25

freitasm: Michael, any update on your research?


Nothing just yet; I am yet to get the NAS in my hands, as it was shut off before I could fully check it out.

I will put some blank drives in mine and boot it up, SSH in and see what the fuss is about.

In the meantime, if you've been infected, do the following:
1) Shut it down.
2) Stop all port forwards to it.
3) Take the drives out, mount them on a computer running Ubuntu Linux or something and recover the data that way.
4) Restore the NAS to stock firmware using the firmware recovery tool on Synology's website (with blank drives in it).

Once the data is recovered, wipe the drives and insert them back into the factory-defaulted NAS; you should be good now.

Due to its slow CPU it does take quite some time for the encryption to go through all the files. Assuming you caught it early, damage should be minimal; however, if you were a little too late it could be pretty bad. Don't pay the ransom at all; instead put that money towards an online solution like http://www.code42.com/crashplan/ or Dropbox and say goodbye to any files that got encrypted.




  Reply # 1103041 6-Aug-2014 08:38

Just a quick note of thanks to the OP for raising this. My Synology is quite new and updated, so safe, but I have now removed all external access, including the port forwarding on my router. I thought it was "kind of neat" to be able to access music etc. from anywhere, but not worth this risk.


  Reply # 1103042 6-Aug-2014 08:39

Synology's response via our local distributor: 


I have spoken to Synology about this matter and they are working on it at the moment.

There's not too much information I have at the moment; they have advised updating the DSM to a version later than 4.3-3827 to prevent the NAS being hacked.

If unfortunate and the unit is hacked please shutdown immediately and contact us for further support.


  Reply # 1103050 6-Aug-2014 08:57

If it is CryptoLocker doing the encryption, then nope, you are screwed re: file recovery.

Options are:
1. send money to shady people using Tor/Bitcoin and hope; more than likely your money is gone and there is no recovery
2. restore from backup (you've got those, right?)

Dropbox etc. files can be restored using Previous Versions; not an option for your NAS.

Why expose them to the internet in the first place?






  Reply # 1103059 6-Aug-2014 09:10

Latest Update: 


We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.


For Synology NAS servers running DSM 4.3-3810 or earlier, if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php:

· When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.

· A process called “synosync” is running in Resource Monitor.

· DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

· For DSM 4.3, please install DSM 4.3-3827 or later

· For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later

· For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.


We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.
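As an added example, not Synology's own tooling nor anything posted in this thread, the following script turns the advisory above into a triage check: it compares a DSM version string against the minimum patched builds the advisory lists (4.3-3827, 4.2-3243, 4.0-2259, with 4.1 told to move to 4.2-3243) and flags the "synosync" process it names as a symptom. The /etc.defaults/VERSION path, its variable names, and the sample process listing are assumptions constructed for this example.

```shell
#!/bin/sh
# Returns 0 (true) when DSM version "major.minor-build" must be updated per
# the advisory, 1 when it is at or above the patched build (or DSM 5.0).
dsm_needs_update() {
    ver="$1"
    case "$ver" in *-*) ;; *) return 0 ;; esac   # no build number: be conservative
    mm="${ver%-*}"                # e.g. 4.3
    build="${ver#*-}"             # e.g. "3810" or "3810 Update 1"
    build="${build%% *}"          # keep the numeric build only
    case "$mm" in
        4.3) min=3827 ;;
        4.2) min=3243 ;;
        4.1) return 0 ;;          # advisory: install DSM 4.2-3243 or later
        4.0) min=2259 ;;
        5.*) return 1 ;;          # advisory: not observed in DSM 5.0
        *)   return 0 ;;          # older than 4.0: treat as needing update
    esac
    [ "$build" -lt "$min" ]
}

# Returns 0 when a process named synosync appears in a ps-style listing
# passed as the first argument (listed as a SynoLocker symptom above).
synosync_in_listing() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]/])synosync([[:space:]]|$)'
}

# Constructed sample listing (assumed path); lets the check run offline.
SAMPLE_PS='PID   USER     COMMAND
 1234 root     /usr/syno/bin/synosync
 1300 root     httpd -DSSL'

report() {
    ver="$1"; listing="$2"
    if dsm_needs_update "$ver"; then
        echo "DSM $ver: update required per advisory"
    else
        echo "DSM $ver: at or above the patched build"
    fi
    if synosync_in_listing "$listing"; then
        echo "WARNING: synosync process present; shut down and contact support"
    fi
}

report "4.3-3810" "$SAMPLE_PS"
# On a NAS itself: build the version string from /etc.defaults/VERSION
# (assumed location and variable names majorversion/minorversion/buildnumber).
if [ -r /etc.defaults/VERSION ]; then
    . /etc.defaults/VERSION
    report "$majorversion.$minorversion-$buildnumber" "$(ps)"
fi
```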





  Reply # 1103228 6-Aug-2014 12:40

Based on networkn's quote and the Synology changelog, looks like the issue that was fixed back in Feb was related to the following two CVEs:



6955 looks to be the nasty one:

Overview

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.


So: people, upgrade your NAS!
