Meow

  Reply # 1101825 4-Aug-2014 16:02

amanzi:
michaelmurfy: One of our sites got pwned - really not good:

I'm curious to know what your plan is to fix it? I'm interested to see if there's an alternative to paying the ransom or relying on backups.

I'm wanting to get access to the NAS and check out the scripts myself; if I do, I will gzip them and post them online (for potential reverse-engineering).

fastmikey

  Reply # 1101843 4-Aug-2014 16:20

michaelmurfy: One of our sites got pwned - really not good:

Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?

Meow

  Reply # 1101874 4-Aug-2014 16:51

fastmikey:
michaelmurfy: One of our sites got pwned - really not good:

Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?

I'll investigate this fully later, but port 5000 was exposed to the internet with very secure usernames and passwords; this is an exploit and not user error, as we call it. The bonus is it looks like the crypto takes a while due to its slow CPU, so you'll minimize damage by catching it quickly.

It's pretty scary, but anyone using the remote access features of these NAS devices will be exposed to the exploit.

gjm

  Reply # 1102204 4-Aug-2014 22:28

afe66:
gjm: Only Synology service I expose to the internet is VPN. I just don't know why you would open everything else up like that.

Out of curiosity, what are you using the VPN connection for?

To connect to your NAS from the web, or to connect your NAS to an external VPN?

I was curious as to whether I could use my 412+ VPN to connect to Netflix and then connect a Roku to the NAS client and get Netflix...

? A.

I just use it to connect to my NAS from the internet at the moment. Will even be getting rid of that soon and terminate on something else, as I just don't trust this NAS on the internet. Can't help with your setup though, sorry.

[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

fastmikey

  Reply # 1102325 5-Aug-2014 08:44

Acknowledged by Synology now: http://t.co/kqfpmF7SbA

Basically kill all remote access, back up everything you can, and update if you're not affected.

If you are, hard shut down and wait...

afe66

  Reply # 1102419 5-Aug-2014 10:37

When they say update... is the latest version of 4.3 OK, or do they mean the latest version of 5?

Shocked to find I was still using a 2013 version yesterday.

Now on the latest version of 4.3, which seems to list the script attack fixes.

A.

  Reply # 1102930 5-Aug-2014 21:38

Really THE worst article I've seen, Freitasm, on this topic.

CPU: Intel 3770k | RAM: F3-2400C10D-16GTX G.Skill Trident X | MB: Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

Meow

  Reply # 1102982 5-Aug-2014 23:25
2 people support this post

freitasm: Michael, any update on your research?

Nothing just yet - I have yet to get the NAS in my hands; it was shut off before I could fully check it out.

I will put some blank drives in mine and boot it up - SSH in and see what the fuss is about.

In the meantime, if you've been infected, do the following:
1) Shut it down.
2) Stop all port forwards to it.
3) Take the drives out - mount them on a computer running Ubuntu Linux or something and recover the data that way.
4) Restore the NAS to stock firmware using the firmware recovery tool on Synology's website (with blank drives in it).

Once the data is recovered, wipe the drives and insert them back into the factory-defaulted NAS; you should be good now.

Due to its slow CPU, it does take quite some time for the encryption to go through all the files. Assuming you caught it early, damage should be minimal; however, if you were a little too late it could be pretty bad. Don't pay the ransom at all; instead put that money towards an online solution like http://www.code42.com/crashplan/ or Dropbox and say goodbye to any files that got encrypted.

  Reply # 1103041 6-Aug-2014 08:38

Just a quick note of thanks to the OP for raising this. My Synology is quite new and updated, so safe, but I have now removed all external access, including the port forwarding on my router. I thought it was "kind of neat" to be able to access music etc. from anywhere, but not worth this risk.

networkn

  Reply # 1103042 6-Aug-2014 08:39

Synology's response via our local distributor:

I have spoken to Synology about this matter and they are working on it at the moment.

There's not too much information I have at the moment; they have advised updating the DSM to a version later than 4.3-3827 to prevent the NAS being hacked.

If, unfortunately, the unit is hacked, please shut down immediately and contact us for further support.

  Reply # 1103050 6-Aug-2014 08:57

If it is CryptoLocker doing the encryption, then nope, you are screwed re: file recovery.

Options are:
1. send money to shady people using Tor/Bitcoin and hope - more than likely your money is gone and no recovery
2. restore from backup (you've got those, right?)

Dropbox etc. files can be restored using Previous Versions - not an option for your NAS.

Why expose them to the internet in the first place?

networkn

  Reply # 1103059 6-Aug-2014 09:10
One person supports this post

Latest Update:

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, if users encounter any of the symptoms below, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php

· When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
· A process called “synosync” is running in Resource Monitor.
· DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

· For DSM 4.3, please install DSM 4.3-3827 or later
· For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
· For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.
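The advisory above gives two things a checker can act on: a per-release table of fixed builds and a named symptom process. The script below is an added example written for this thread (it is not Synology's code and not something any poster supplied). It assumes DSM's /etc.defaults/VERSION file uses shell-style majorversion/minorversion/buildnumber lines and that a plain ps listing is available; the sample file contents and ps output it embeds are constructed, and the "4.1 always needs an update" and "anything older than 4.0 needs an update" rules are my reading of the advisory's table. It is meant to be run over data copied off a unit, or off drives mounted on another machine as suggested earlier in the thread.

```python
import re

# Lowest fixed build for each DSM 4.x line, per the Synology advisory quoted above.
# DSM 4.1 users are told to move to DSM 4.2-3243, so 4.1 is always "needs update".
FIXED_BUILD = {
    (4, 3): 3827,
    (4, 2): 3243,
    (4, 0): 2259,
}

# Constructed sample of /etc.defaults/VERSION (assumed key="value" format;
# a real file carries more keys than the three used here).
SAMPLE_VERSION_FILE = '''majorversion="4"
minorversion="3"
buildnumber="3810"
'''

# Constructed sample of a `ps` listing showing the synosync symptom.
SAMPLE_PS_OUTPUT = '''  PID USER       COMMAND
    1 root       init
 1234 root       /usr/syno/sbin/synoscgi
 4321 root       /tmp/synosync
'''

VERSION_KEYS = ("majorversion", "minorversion", "buildnumber")
SYNOSYNC_RE = re.compile(r'(?:^|[\s/])synosync(?:\s|$)')


def parse_dsm_version(text):
    """Return (major, minor, build) from VERSION-file text, or None if a key is missing."""
    values = []
    for key in VERSION_KEYS:
        m = re.search(r'^' + key + r'="?(\d+)"?\s*$', text, re.MULTILINE)
        if m is None:
            return None
        values.append(int(m.group(1)))
    return tuple(values)


def needs_update(major, minor, build):
    """True when the advisory tells this DSM release to update."""
    if major >= 5:
        return False                      # advisory: not observed on DSM 5.0
    if (major, minor) == (4, 1):
        return True                       # advisory: go to DSM 4.2-3243 or later
    threshold = FIXED_BUILD.get((major, minor))
    if threshold is None:
        return True                       # releases older than DSM 4.0 predate every fix listed
    return build < threshold


def has_synosync(ps_text):
    """True when a process named synosync appears in the listing (advisory symptom)."""
    return any(SYNOSYNC_RE.search(line) for line in ps_text.splitlines())


def assess(version_text, ps_text):
    """Combine the version check and the process check into one verdict."""
    version = parse_dsm_version(version_text)
    if version is None:
        raise ValueError("could not parse DSM version from VERSION file")
    major, minor, build = version
    return {
        "version": "%d.%d-%d" % (major, minor, build),
        "needs_update": needs_update(major, minor, build),
        "synosync_running": has_synosync(ps_text),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_VERSION_FILE, SAMPLE_PS_OUTPUT)
    print(result)
    if result["synosync_running"]:
        print("synosync is running: shut the unit down and contact Synology support.")
    elif result["needs_update"]:
        print("DSM %s is below the fixed build: update via Control Panel > DSM Update." % result["version"])
    else:
        print("DSM %s is at or above the fixed build." % result["version"])
```

The process check is deliberately a name match on the command column, nothing more, because that is all the advisory gives; the third symptom in the advisory (DSM Update claiming an old build is current) cannot be checked from a file and still needs a look at Control Panel.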





  Reply # 1103228 6-Aug-2014 12:40

Based on networkn's quote and the Synology changelog, looks like the issue that was fixed back in Feb was related to the following two CVEs:

6955 looks to be the nasty one:

Overview

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

So: people, upgrade your NAS!
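The CVE text names the CGI that was abused, which is the one thing a responder can look for in web-server logs after the fact. The script below is an added example for this thread, not code from the thread or from Synology: it pulls every request to webman/imageSelector.cgi out of access-log text and flags the ones that came from outside RFC 1918 address space. The combined log format and the sample lines (with documentation-range addresses) are assumed and constructed for illustration, since the thread does not show where DSM keeps its web logs or in what format.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed access-log sample in the common/combined format. DSM's real log
# path and format are not shown in the thread, so this format is an assumption;
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = '''192.168.1.20 - - [04/Aug/2014:09:12:01 +1200] "GET /webman/index.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [04/Aug/2014:09:13:44 +1200] "POST /webman/imageSelector.cgi HTTP/1.1" 200 14 "-" "python-requests/2.3.0"
192.168.1.20 - - [04/Aug/2014:09:14:02 +1200] "POST /webman/imageSelector.cgi HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Aug/2014:09:15:10 +1200] "GET /webapi/auth.cgi?api=SYNO.API.Auth HTTP/1.1" 200 80 "-" "curl/7.30.0"
not a log line at all
'''

# Request-line fields we need: client address, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Treat RFC 1918 space as "inside the LAN"; everything else counts as external.
LAN_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# CGI named in the CVE description quoted above (compared case-insensitively).
TARGET_CGI = "/webman/imageselector.cgi"


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_lan_address(ip):
    """True for RFC 1918 addresses; malformed strings count as not-LAN."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def find_image_selector_hits(log_text):
    """Return every parsed request whose path is the imageSelector CGI,
    with an 'external' flag for sources outside RFC 1918 space."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0].lower()   # ignore any query string
        if path.endswith(TARGET_CGI):
            entry["external"] = not is_lan_address(entry["ip"])
            hits.append(entry)
    return hits


def summarize(log_text):
    """Counts a responder would want first: total hits and the external sources."""
    hits = find_image_selector_hits(log_text)
    return {
        "total_hits": len(hits),
        "external_hits": sum(1 for h in hits if h["external"]),
        "external_sources": sorted({h["ip"] for h in hits if h["external"]}),
    }


if __name__ == "__main__":
    for hit in find_image_selector_hits(SAMPLE_LOG):
        flag = "EXTERNAL" if hit["external"] else "lan"
        print("%s %s %s %s -> %d" % (flag, hit["ts"], hit["ip"], hit["method"], hit["status"]))
    print(summarize(SAMPLE_LOG))
```

A common/combined log does not record request headers, so the X-TMP-FILE header from the CVE text is not visible here; with port 5000 forwarded from the internet, any request to this CGI from a non-LAN address is the thing to go and look at, and a unit that was exposed while on a build below the fixed ones in the advisory should be treated as compromised regardless of what the log shows.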
