Synolocker - Cryptolocker for NASes

Forums › IT Pro and developers › Synolocker - Cryptolocker for NASes

1 | 2 | 3 | 4

cat
12219 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1103239 6-Aug-2014 12:54

nigelj: Based on networkn's quote and the Synology changelog, looks like the issue that was fixed back in Feb was related to the following two CVEs:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6955 (CVSS Base Score 10)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6987 (CVSS Base Score 7.5)

6955 looks to be the nasty one:

Overview

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

So: People upgrade your NAS!

There has been people on the latest firmware at the time this was released and got pwned too. The exploit has been around for a while however Synology have not gotten to patching it up until the day a few NAS's were cracked.

Michael Murphy | https://murfy.nz
Referral Links: Tessie | Tesla | Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

TrendMicro

Best TrendMicro deals for antivirus and malware protection(affiliate link).

networkn

Networkn
30207 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1103242 6-Aug-2014 12:56

michaelmurfy:
nigelj: Based on networkn's quote and the Synology changelog, looks like the issue that was fixed back in Feb was related to the following two CVEs:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6955 (CVSS Base Score 10)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6987 (CVSS Base Score 7.5)

6955 looks to be the nasty one:

Overview

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

So: People upgrade your NAS!

There has been people on the latest firmware at the time this was released and got pwned too. The exploit has been around for a while however Synology have not gotten to patching it up until the day a few NAS's were cracked.

Hi.

Where did you see that ? I have not seen any reports of any infected running v5 or even later versions of v4?

michaelmurfy

cat
12219 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1103259 6-Aug-2014 13:15

networkn:

Hi.

Where did you see that ? I have not seen any reports of any infected running v5 or even later versions of v4?

I can't remember where but my NAS was running DSM 4.3-3827 Update 4 at the time it got owned, only port 5000 forwarded.

networkn

Networkn
30207 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1103441 6-Aug-2014 16:14

michaelmurfy:
networkn:

Hi.

Where did you see that ? I have not seen any reports of any infected running v5 or even later versions of v4?

I can't remember where but my NAS was running DSM 4.3-3827 Update 4 at the time it got owned, only port 5000 forwarded.

Can I recommend you contact Synology. If they are working off incorrect information I think it's important they know the issue might be more widespread.

networkn

Networkn
30207 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1103698 6-Aug-2014 22:18

I am happy to provide you with the local distributors details in a PM if you don't know them already.

CYaBro

4084 posts

Uber Geek

ID Verified

Trusted

Subscriber

#1103735 6-Aug-2014 23:50

Looks like those who did get hit by cryptolocker are in luck!
If you still have the encrypted files that is.

https://www.decryptcryptolocker.com

amanzi

Amanzi
1149 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1103738 7-Aug-2014 00:22

CYaBro: Looks like those who did get hit by cryptolocker are in luck!
If you still have the encrypted files that is.

https://www.decryptcryptolocker.com

Seems too good to be true, but excellent news if it works. More details here: http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html

CYaBro

4084 posts

Uber Geek

ID Verified

Trusted

Subscriber

#1103769 7-Aug-2014 05:52

I have one client who got hit, that we sorted out with a restore from their ShadowProtect backup, that I still have the encrypted files from.
Will give it go and report back.

freitasm

BDFL - Memuneh
76342 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1103792 7-Aug-2014 08:18

That's why NAS who led have backups too...

Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

freitasm on Keybase | My technology disclosure

1101

3086 posts

Uber Geek

#1103830 7-Aug-2014 10:12

CYaBro: Looks like those who did get hit by cryptolocker are in luck!
If you still have the encrypted files that is.

https://www.decryptcryptolocker.com

Not so lucky.
I read that site/fix doesnt work for synolocker .

CYaBro

4084 posts

Uber Geek

ID Verified

Trusted

Subscriber

#1103851 7-Aug-2014 10:52

Can confirm it works for the original cryptolocker.

freitasm

BDFL - Memuneh
76342 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1105275 9-Aug-2014 09:58

Received today (well, last night):

We have discovered security vulnerabilities on the software currently installed on your Synology product. These vulnerabilities might result in unauthorized parties compromising your Synology product.

We strongly suggest you install the newest version of DSM as soon as possible. To do so, please visit our Download Center and download DSM 5.0-4493, DSM 4.3-3827, DSM 4.2-3250, or DSM 4.0-2263 according to your current version. Then, log in to DSM and go to Control Panel > Update & Restore > DSM Update > Manual DSM Update (for DSM 4.3 and earlier, please go to Control Panel > DSM Update > Manual DSM Update) and manually install the patch file.

For more information about security issues related to Synology products, please check our Synology Product Security Advisory page.

Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

freitasm on Keybase | My technology disclosure

dafman

3791 posts

Uber Geek

Trusted

#1105284 9-Aug-2014 10:21

I've shut down port forwarding on my router. Not too techy, is this all I need to do?

freitasm

BDFL - Memuneh
76342 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1105285 9-Aug-2014 10:21

Update the firmware as instructed.

Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

freitasm on Keybase | My technology disclosure

dafman

3791 posts

Uber Geek

Trusted

#1105295 9-Aug-2014 10:48

Thanks. Fascinating, how do they find the diskstations in the first place ? Do they randomly target ip addresses and try port 5000? And once they find a diskstation, how do they get past strong admin passwords?

1 | 2 | 3 | 4