Feeds

Ransomware attack hits Synology's NAS boxen

This is as bad as you think, says Reg sysadmin Trevor

Website security in corporate America

Synology Diskstations and Rackstations are being hit by malware dubbed Synolocker. The malware is a similar to the infamous Cryptolocker ransomware in that it encrypts all your files and then demands a ransom to unlock them.

The vulnerabilities that enable the malware appear to rely on hard-coded passwords to recommended configurations that involve exposing the administration page to the internet.

If you have exposed either or both of your Synology NAS' ports 5000 or 5001 to the internet then stop reading this article right now and go close those ports. These are the default HTTP and HTTPS web server ports for Synology and allow access to the administration page

In addition to allowing access to the administration page, these ports – and thus the same web server instance – are being used to serve up several components of the Synology offering. Services offered on these ports include DS Audio, DS Cam, DS file, DS finder, DS video, DS Download, Video Station, File station and Audiostation.

If you have opened ports for any of these services to the internet then you have also opened the Synology administration page. Be aware that if you use the Synology "EZ-Internet" router configuration utility it will open these vulnerable ports to the internet, so under no circumstances use this tool until the storm has passed, and Synology has worked out some better defaults.

If you need remote access to your Synology, it is highly recommended that you use a VPN to do so. If you are using the VPN provided by Synology, make sure it is up to date, as a known vulnerability exists in older versions.

If you don't have a VPN server, you can use FTP, or even WebDAV, though I strongly recommend using them on non-default ports. The WebDAV server in the Synology units appears to be a different server from the one serving up the administration pages.

There's probably more that will come out over time, and the Synology dev team is still busy trying to figure out exactly which versions of the Synology operating system (called DSM) are vulnerable. Considering the kind of delays that Synology has been experiencing in getting fixes out, it may be a while before a fix arrives.

Once Synology has fixes out we should bear in mind that this is only a band-aid covering a specific vulnerability. The issues that led to first Dogecoin miner malware and now the cryptolocker ransomware indicates that Synology's internal security processes require review.

This means that we, as systems administrators, should be taking extra care with our Synology boxes and making sure we understand the full threat profile they represent before we open any ports on them to the internet. If you have any questions about the risks associated with a particular service being opened to the internet, contact Synology directly and ask.

Synology's Response

Synology is still formulating an official response to the Synolocker outbreak. Its unofficial response is as follows:

To prevent your NAS from becoming infected:

  1. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
  2. Update DSM to the latest version
  3. Backup your data as soon as possible
  4. Synology will provide further information as soon as it is available.

If your NAS has been infected:

  • Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
  • Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
  • Contact Synology Support as soon as possible, here. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.