/dev/null
9339 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #1101825 4-Aug-2014 16:02

amanzi:
michaelmurfy: One of our sites got pwned - really not good:


I'm curious to know what your plan is to fix it? I'm interested to see if there's an alternative to paying the ransom or relying on backups.


I'm wanting to get access to the NAS and check out the scripts myself, if I do I will gzip them and post them online (for potential reverse-engineering).






242 posts

Master Geek


  #1101843 4-Aug-2014 16:20

michaelmurfy: One of our sites got pwned - really not good:



Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?

 
 
 
 


/dev/null
9339 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #1101874 4-Aug-2014 16:51

fastmikey:
michaelmurfy: One of our sites got pwned - really not good:



Crap! That really sucks.

For the hive mind though, do you know:
a) what ports it has exposed
b) what version of DSM it's running?


I'll investigate this later fully but 5000 was exposed to the internet w/ very secure usernames and passwords, this is an exploit and not user error as we call it. The bonus is it looks like crypto takes a while due to its slow CPU so you'll minimize damage by catching it quickly.

Is pretty scary but anyone using the remote access features of these NAS devices will be exposed to the exploit.




gjm

757 posts

Ultimate Geek


  #1102204 4-Aug-2014 22:28

afe66:
gjm: Only Synology service I expose to the internet is VPN. I just don't know why you would open everything else up like that


Out of curiosity what are you using the VPN connection for?

To connect to your NAS from the web or to connect your NAS to an external VPN?

I was curious as to whether I could use my 412+ VPN to connect to Netflix and then connect a Roku to NAS client and get Netflix..

? A.




I just use it to connect to my NAS from the internet at the moment. Will even be getting rid of that soon and terminate on something else as I just don't trust this NAS on the internet. Can't help with your setup though sorry.




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]



242 posts

Master Geek


  #1102325 5-Aug-2014 08:44

Acknowledged by Synology now:  http://t.co/kqfpmF7SbA 

Basically kill all remote access, back everything you can up and update if you're not affected.

If you are, hard shut down and wait...

BDFL - Memuneh
67149 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

2363 posts

Uber Geek

Lifetime subscriber

  #1102419 5-Aug-2014 10:37

When they say update... Is the latest version 4.3 OK or do they mean latest version of 5?

Shocked to find I was still using 2013 version yesterday.

Now latest version 4.3 which seems to list the script attack fixes.

A.





 
 
 
 


1942 posts

Uber Geek

Trusted

  #1102930 5-Aug-2014 21:38

Really THE worst article I've seen Freitasm on this topic.




CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB:  Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

 

 


/dev/null
9339 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #1102982 5-Aug-2014 23:25

freitasm: Michael, any update on your research?


Nothing just yet - I am yet to get the NAS in my hands, shut it off before I could fully check it out.

I will put some blank drives in mine and boot it up - SSH in and see what the fuss is about.

In the meantime - if you've got infected do the following:
1) Shut it down.
2) Stop all port forwards to it.
3) Take the drives out - mount it on a computer running Ubuntu Linux or something and recover it that way.
4) Restore the NAS to stock firmware using the firmware recovery tool on Synology's website (with blank drives in it).

Once the data is recovered, wipe the drives and insert them back in the factory defaulted NAS, you should be good now.

Due to its slow CPU it does take quite some time for the encryption to go through all the files, assuming you caught it early damage should be minimal however if you were a little too late it could be pretty bad. Don't pay the ransom at all, instead put that money towards an online solution like http://www.code42.com/crashplan/ or Dropbox and say goodbye to any files that got encrypted.




1873 posts

Uber Geek

Lifetime subscriber

  #1103041 6-Aug-2014 08:38

Just a quick note of thanks to the OP for raising this.  My Synology is quite new and updated so safe, but I have now removed all external access including the port forwarding on my router.  I thought it was "kind of neat" to be able to access music etc from anywhere, but not worth this risk.

22570 posts

Uber Geek

Trusted
Lifetime subscriber

  #1103042 6-Aug-2014 08:39

Synology's response via our local distributor: 


I have spoken to Synology about this matter and they are working on it at the moment.

There's not too much information I have at the moment, they have advised to update the DSM to a version later than 4.3-3827 to prevent the NAS being hacked.

If unfortunate and the unit is hacked please shut down immediately and contact us for further support.


2092 posts

Uber Geek


  #1103050 6-Aug-2014 08:57

If it is CryptoLocker doing the encryption then nope you are screwed re: file recovery.

Options are
1. send money to shady people using Tor/Bitcoin and hope - more than likely your money is gone and no recovery
2. restore from backup (you've got those right?)

DropBox etc files can be restored using Previous Versions - not an option for your NAS.

Why expose them to the internet in the first place?





22570 posts

Uber Geek

Trusted
Lifetime subscriber

  #1103059 6-Aug-2014 09:10

Latest Update: 


We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.


For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php

· When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.

· A process called “synosync” is running in Resource Monitor.

· DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

· For DSM 4.3, please install DSM 4.3-3827 or later

· For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later

· For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.


We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.
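
The version thresholds and the "synosync" symptom from the notice above, written as a shell check. This is an added example, not Synology's or any poster's code: the function names `dsm_check` and `synosync_listed` are made up here, the version string is passed in by hand, and treating every 5.x or later release as current is an assumption beyond the notice's "DSM 5.0".

```shell
#!/bin/sh
# Added example (not Synology's code): check a DSM version string of the form
# MAJOR.MINOR-BUILD against the minimum builds listed in the notice above.
# Prints "ok", "update" or "unknown".
dsm_check() {
    case $1 in
        *.*-*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%-*}
    build=${rest#*-}
    # Each part must be a plain decimal number.
    for n in "$major" "$minor" "$build"; do
        case $n in
            '' | *[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    # Assumption: 5.x and later count as current (the notice names DSM 5.0).
    if [ "$major" -ge 5 ]; then echo ok; return 0; fi
    if [ "$major" -ne 4 ]; then echo unknown; return 0; fi
    case $minor in
        3) min=3827 ;;
        2) min=3243 ;;
        1) echo update; return 0 ;;  # 4.1 has no listed build; move to 4.2-3243+
        0) min=2259 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$build" -ge "$min" ]; then echo ok; else echo update; fi
}

# Reads a process listing on stdin (for example the output of ps) and succeeds
# if a process named "synosync", one of the listed symptoms, appears in it.
synosync_listed() {
    grep -Eq '(^|[/[:space:]])synosync([[:space:]]|$)'
}

# Stand-alone use: ./dsm_check.sh 4.3-3810
if [ "$#" -gt 0 ]; then
    dsm_check "$1"
fi
```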





856 posts

Ultimate Geek


  #1103228 6-Aug-2014 12:40

Based on networkn's quote and the Synology changelog, looks like the issue that was fixed back in Feb was related to the following two CVEs:

 


6955 looks to be the nasty one:

Overview

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.


So:  People upgrade your NAS!
