Feeds

Ransomware attack hits Synology's NAS boxen

This is as bad as you think, says Reg sysadmin Trevor

Protecting users from Firesheep and other Sidejacking attacks with SSL

Synology Diskstations and Rackstations are being hit by malware dubbed Synolocker. The malware is a similar to the infamous Cryptolocker ransomware in that it encrypts all your files and then demands a ransom to unlock them.

The vulnerabilities that enable the malware appear to rely on hard-coded passwords to recommended configurations that involve exposing the administration page to the internet.

If you have exposed either or both of your Synology NAS' ports 5000 or 5001 to the internet then stop reading this article right now and go close those ports. These are the default HTTP and HTTPS web server ports for Synology and allow access to the administration page

In addition to allowing access to the administration page, these ports – and thus the same web server instance – are being used to serve up several components of the Synology offering. Services offered on these ports include DS Audio, DS Cam, DS file, DS finder, DS video, DS Download, Video Station, File station and Audiostation.

If you have opened ports for any of these services to the internet then you have also opened the Synology administration page. Be aware that if you use the Synology "EZ-Internet" router configuration utility it will open these vulnerable ports to the internet, so under no circumstances use this tool until the storm has passed, and Synology has worked out some better defaults.

If you need remote access to your Synology, it is highly recommended that you use a VPN to do so. If you are using the VPN provided by Synology, make sure it is up to date, as a known vulnerability exists in older versions.

If you don't have a VPN server, you can use FTP, or even WebDAV, though I strongly recommend using them on non-default ports. The WebDAV server in the Synology units appears to be a different server from the one serving up the administration pages.

There's probably more that will come out over time, and the Synology dev team is still busy trying to figure out exactly which versions of the Synology operating system (called DSM) are vulnerable. Considering the kind of delays that Synology has been experiencing in getting fixes out, it may be a while before a fix arrives.

Once Synology has fixes out we should bear in mind that this is only a band-aid covering a specific vulnerability. The issues that led to first Dogecoin miner malware and now the cryptolocker ransomware indicates that Synology's internal security processes require review.

This means that we, as systems administrators, should be taking extra care with our Synology boxes and making sure we understand the full threat profile they represent before we open any ports on them to the internet. If you have any questions about the risks associated with a particular service being opened to the internet, contact Synology directly and ask.

Synology's Response

Synology is still formulating an official response to the Synolocker outbreak. Its unofficial response is as follows:

To prevent your NAS from becoming infected:

  1. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
  2. Update DSM to the latest version
  3. Backup your data as soon as possible
  4. Synology will provide further information as soon as it is available.

If your NAS has been infected:

  • Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
  • Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
  • Contact Synology Support as soon as possible, here. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.