Feeds

Ransomware attack hits Synology's NAS boxen

This is as bad as you think, says Reg sysadmin Trevor

Top 5 reasons to deploy VMware with Tegile

Synology Diskstations and Rackstations are being hit by malware dubbed Synolocker. The malware is a similar to the infamous Cryptolocker ransomware in that it encrypts all your files and then demands a ransom to unlock them.

The vulnerabilities that enable the malware appear to rely on hard-coded passwords to recommended configurations that involve exposing the administration page to the internet.

If you have exposed either or both of your Synology NAS' ports 5000 or 5001 to the internet then stop reading this article right now and go close those ports. These are the default HTTP and HTTPS web server ports for Synology and allow access to the administration page

In addition to allowing access to the administration page, these ports – and thus the same web server instance – are being used to serve up several components of the Synology offering. Services offered on these ports include DS Audio, DS Cam, DS file, DS finder, DS video, DS Download, Video Station, File station and Audiostation.

If you have opened ports for any of these services to the internet then you have also opened the Synology administration page. Be aware that if you use the Synology "EZ-Internet" router configuration utility it will open these vulnerable ports to the internet, so under no circumstances use this tool until the storm has passed, and Synology has worked out some better defaults.

If you need remote access to your Synology, it is highly recommended that you use a VPN to do so. If you are using the VPN provided by Synology, make sure it is up to date, as a known vulnerability exists in older versions.

If you don't have a VPN server, you can use FTP, or even WebDAV, though I strongly recommend using them on non-default ports. The WebDAV server in the Synology units appears to be a different server from the one serving up the administration pages.

There's probably more that will come out over time, and the Synology dev team is still busy trying to figure out exactly which versions of the Synology operating system (called DSM) are vulnerable. Considering the kind of delays that Synology has been experiencing in getting fixes out, it may be a while before a fix arrives.

Once Synology has fixes out we should bear in mind that this is only a band-aid covering a specific vulnerability. The issues that led to first Dogecoin miner malware and now the cryptolocker ransomware indicates that Synology's internal security processes require review.

This means that we, as systems administrators, should be taking extra care with our Synology boxes and making sure we understand the full threat profile they represent before we open any ports on them to the internet. If you have any questions about the risks associated with a particular service being opened to the internet, contact Synology directly and ask.

Synology's Response

Synology is still formulating an official response to the Synolocker outbreak. Its unofficial response is as follows:

To prevent your NAS from becoming infected:

  1. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
  2. Update DSM to the latest version
  3. Backup your data as soon as possible
  4. Synology will provide further information as soon as it is available.

If your NAS has been infected:

  • Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
  • Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
  • Contact Synology Support as soon as possible, here. ®

Beginner's guide to SSL certificates

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.