bit-tech.net

Synology DSM attacked by SynoLocker malware

Synology's DiskStation Manager, the software behind its popular NAS products, is being targeted by a nasty ransomware bug called SynoLocker.

Storage specialist Synology has warned its users that its DiskStation Manager software, used across its entire network attached storage (NAS) range, is being attacked by file-encrypting malware known as SynoLocker.

Launched by attackers unknown late last week, SynoLocker appears to be a version of the CryptoLocker ransom malware modified to specifically target an as-yet unknown security vulnerability in Synology's DiskStation Manager. When a vulnerable system is found, the malware locks the user out of the control panel and proceeds to encrypt all files stored on the NAS. If the user wants to regain access to his or her files, a ransom of 0.6 Bitcoins - around £210 - is demanded, with the fee rising over time.

User reports, which began to trickle in earlier this week, indicate that all models of NAS running both DSM 4.3 and the latest DSM 5.0 are vulnerable to the malware. Although Synology has confirmed the existence of SynoLocker, it has not yet provided its users with a timescale for development of a patch that will close whatever hole is being exploited.

For now, the company's official advice is to shut down any affected system before the encryption process can complete, and to contact the company's support team. For those not yet infected, a good precaution would be to disable all external access to the NAS until a patch can be released to close the vulnerability.

UPDATE:
Synology has dismissed user reports that DiskStation Manager 5.0 systems are being affected by the flaw, stating that it is a problem only on DSM 4.3 and prior. 'We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013,' a spokesperson has told us. 'At present, we have not observed this vulnerability in DSM 5.0.'

Users whose servers are displaying the SynoLocker message, are running a process called 'synosync', or have an older version of DSM installed but report themselves as up-to-date when the DSM Update tool is run from the Control Panel are advised to shut their systems down and contact support. All other users are advised to update their systems through the DSM Update tool, closing the hole used by SynoLocker, before restoring external connectivity.
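A triage check for the indicators the update lists, as an added example that is not Synology's tooling or part of the article. It assumes DSM records its version in /etc/VERSION as key="value" lines named majorversion, minorversion and buildnumber, and that a process listing is passed in as text; both samples below are constructed.

```python
import re

# Synology's statement: only DSM 4.3-3810 and earlier are affected.
LAST_AFFECTED = (4, 3, 3810)

# Constructed sample in the key="value" layout assumed for /etc/VERSION on DSM.
SAMPLE_VERSION = 'majorversion="4"\nminorversion="3"\nbuildnumber="3810"\n'

# Constructed `ps` output (header line first, command in the third column).
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     init
  842 root     synosync
  901 root     /usr/bin/sshd
"""


def parse_version(text):
    """Return (major, minor, build) from key="value" lines; raises KeyError if one is missing."""
    kv = dict(re.findall(r'^(\w+)="([^"]*)"\s*$', text, re.M))
    return tuple(int(kv[k]) for k in ("majorversion", "minorversion", "buildnumber"))


def version_affected(version):
    """Tuple ordering places 4.2-xxxx before and 5.0-xxxx after the 4.3-3810 cut-off."""
    return version <= LAST_AFFECTED


def synosync_running(ps_text):
    """True if any command column names a synosync process, by bare name or full path."""
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3 and re.search(r"(^|/)synosync(\s|$)", parts[2]):
            return True
    return False


def triage(version_text, ps_text):
    """Apply the advice in the update: a running synosync means shut down and contact
    support; an affected DSM version means update through DSM Update before the NAS
    is exposed again (and shut down if DSM Update wrongly claims it is current)."""
    version = parse_version(version_text)
    findings = []
    if synosync_running(ps_text):
        findings.append("synosync process present: possible active encryption")
    if version_affected(version):
        findings.append("DSM %d.%d-%d is within the affected range" % version)
    if synosync_running(ps_text):
        action = "shut down now and contact Synology support"
    elif version_affected(version):
        action = ("update through DSM Update before restoring external access; "
                  "if DSM Update reports the system as up-to-date, shut down and contact support")
    else:
        action = "not in the affected range; keep DSM updated and limit external exposure"
    return {"version": version, "findings": findings, "action": action}
```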

28 Comments

andrew8200m 5th August 2014, 10:35 Quote
I feel sorry for anyone with a Synology but for other reasons quite happy about this. It's good to see a peg being plucked from beneath a large company like this. The crash to reality to improve customer relations that will follow will hopefully be what is needed. The breach leading to a financial implication is a bit crap though. These ransom-like viruses need to die a death already
azazel1024 5th August 2014, 14:39 Quote
I don't have a Synology NAS, but from everything I understand, Synology is very good about support and customer relations.

So I don't know why you are "quite happy" about this. It is apparently an unknown vulnerability, not something they've known about and ignored. This is unlike wifi routers where most manufacturers let known vulnerabilities exist for ages, because they provide very little aftermarket support for their products. Synology is very good about supporting their products for years after sales.
wolfticket 5th August 2014, 14:51 Quote
Quote:
Originally Posted by andrew8200m
I feel sorry for anyone with a Synology but for other reasons quite happy about this. It's good to see a peg being plucked from beneath a large company like this. The crash to reality to improve customer relations that will follow will hopefully be what is needed. The breach leading to a financial implication is a bit crap though. These ransom-like viruses need to die a death already
Some criminal finds an unknown exploit in the system of what actually seems like a pretty decent company, uses it in order to attack their customers' data and blackmail their users, and you're "quite happy about this". Jeez

It's like seeing a car crash and saying you're quite happy it happened because it will ultimately improve car safety.
runadumb 5th August 2014, 15:03 Quote
Synology's support is great. They helped me rebuild a lost drive remotely a while back.

People used to try and remote access my NAS all the time. I doubt it'll help with the vulnerability but I set a very strong password and blocked IPs after 2 failed login attempts.
My NAS is currently switched off. I only use it for 1 specific purpose anyway.
Gareth Halfacree 5th August 2014, 15:07 Quote
Quote:
Originally Posted by runadumb
People used to try and remote access my NAS all the time. I doubt it'll help with the vulnerability but I set a very strong password and blocked IPs after 2 failed login attempts.
My home server has SSH exposed to the 'net on the standard port. You wouldn't believe how many brute-force login attempts I get each day. Thankfully, barring any serious holes in the software, it's unlikely anyone's getting in: I use fail2ban to block brute-force attempts at the firewall, logins require a keypair rather than a password, and any login not from a trusted IP address requires two-factor authentication. I also have watchdog daemons running, just in case there is a zero-day in the SSH server, alerting me to unusual activity. Paranoid? Perhaps. Safe from things like CryptoLocker and its variants? Oh, yes.

Then, of course, there's the multiple-redundant off-site backups...
Margo Baggins 5th August 2014, 15:11 Quote
Quote:
Originally Posted by Gareth Halfacree
My home server has SSH exposed to the 'net on the standard port. You wouldn't believe how many brute-force login attempts I get each day. Thankfully, barring any serious holes in the software, it's unlikely anyone's getting in: I use fail2ban to block brute-force attempts at the firewall, logins require a keypair rather than a password, and any login not from a trusted IP address requires two-factor authentication. I also have watchdog daemons running, just in case there is a zero-day in the SSH server, alerting me to unusual activity. Paranoid? Perhaps. Safe from things like CryptoLocker and its variants? Oh, yes.

Then, of course, there's the multiple-redundant off-site backups...

It's a lot of fun doing cat /var/logs/messages when there have been lots of brute force attempts though. Hope you've got big buffers :D
Gareth Halfacree 5th August 2014, 15:22 Quote
Quote:
Originally Posted by Margo Baggins
It's a lot of fun doing cat /var/logs/messages when there has been lots of brute force attempts though.
Less so with fail2ban; each IP only gets five entries before they're blocked...
Margo Baggins 5th August 2014, 15:47 Quote
Quote:
Originally Posted by Gareth Halfacree
Less so with fail2ban; each IP only gets five entries before they're blocked...

I didn't know it was a thing, though looking at it now it seems like a great thing. I will speak to some of my clients whose webservers I look after about implementing that, as there are a few that get brute forced on their ssh ports ALL the time. (Not literally all the time, but it's quite a thing for them.) Thanks for the top tip Linux man :)
Gareth Halfacree 5th August 2014, 15:55 Quote
Quote:
Originally Posted by Margo Baggins
I didn't know it was a thing, though looking at it now it seems like a great thing. I will speak to some of my clients whose webservers I look after about implementing that, as there are a few that get brute forced on their ssh ports ALL the time. (Not literally all the time, but it's quite a thing for them.) Thanks for the top tip Linux man :)
You can do the same thing with iptables directly, but fail2ban is so incredibly easy - and can be extended to protect other services, too. Also check out Duo Security - that's the two-factor authentication service I use, and it's free for fewer than ten users (and cheap for more than ten). Works like a charm - and as well as protecting SSH it has plugins for WordPress, most common VPNs, and a bunch of other stuff, as well as an API you can access to use it with bespoke systems if you pay for the (still surprisingly cheap) enterprise account.
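The fail2ban behaviour described in this exchange (a per-IP failure count, a block at the firewall after the fifth failure) as an added example; it is not code from the thread or from fail2ban itself. The sshd log lines are constructed, and the retry and window values (maxretry 5, findtime 600 seconds) are assumed to match fail2ban's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (no year, as in /var/log/auth.log).
# 203.0.113.7 fails six times in ten seconds; 198.51.100.9 fails four times and
# once more 37 minutes later; 192.0.2.10 is a successful key login.
SAMPLE_LOG = """\
Aug  5 15:01:02 homeserver sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug  5 15:01:04 homeserver sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug  5 15:01:05 homeserver sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug  5 15:01:07 homeserver sshd[2105]: Failed password for invalid user pi from 203.0.113.7 port 51244 ssh2
Aug  5 15:01:09 homeserver sshd[2107]: Failed password for root from 203.0.113.7 port 51250 ssh2
Aug  5 15:01:11 homeserver sshd[2109]: Failed password for root from 203.0.113.7 port 51252 ssh2
Aug  5 15:02:30 homeserver sshd[2111]: Failed password for root from 198.51.100.9 port 40010 ssh2
Aug  5 15:02:33 homeserver sshd[2113]: Failed password for root from 198.51.100.9 port 40012 ssh2
Aug  5 15:02:35 homeserver sshd[2115]: Failed password for invalid user test from 198.51.100.9 port 40014 ssh2
Aug  5 15:02:38 homeserver sshd[2117]: Failed password for root from 198.51.100.9 port 40016 ssh2
Aug  5 15:02:40 homeserver sshd[2119]: Accepted publickey for gareth from 192.0.2.10 port 50022 ssh2
Aug  5 15:40:00 homeserver sshd[2130]: Failed password for root from 198.51.100.9 port 40020 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(ts, year=2014):
    """syslog timestamps carry no year; one is assumed so that deltas can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ban_candidates(log_text, maxretry=5, findtime=600):
    """Sliding-window count per source IP, the way a fail2ban sshd jail works: an IP is
    banned the moment its maxretry-th failure lands within findtime seconds of the oldest
    failure still in its window. Returns {ip: time_of_ban}."""
    window = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                       # accepted logins and other noise are ignored
        ip = m.group("ip")
        if ip in banned:
            continue                       # already dropped at the firewall
        t = parse_ts(m.group("ts"))
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()                    # expire failures older than the window
        if len(q) >= maxretry:
            banned[ip] = t
    return banned


def ban_rules(banned):
    """The equivalent rule you would add by hand with iptables (fail2ban keeps its own chain)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in banned]


if __name__ == "__main__":
    bans = ban_candidates(SAMPLE_LOG)
    for ip, when in bans.items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
    print("\n".join(ban_rules(bans)))
```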
dark_avenger 6th August 2014, 01:54 Quote
Quote:
Originally Posted by Gareth Halfacree
You can do the same thing with iptables directly, but fail2ban is so incredibly easy - and can be extended to protect other services, too. Also check out Duo Security - that's the two-factor authentication service I use, and it's free for fewer than ten users (and cheap for more than ten). Works like a charm - and as well as protecting SSH it has plugins for WordPress, most common VPNs, and a bunch of other stuff, as well as an API you can access to use it with bespoke systems if you pay for the (still surprisingly cheap) enterprise account.

I currently use an obscure port which stopped the brute force attempts but fail2ban and Duo Security look good as well.

Thanks for sharing :) ;)
theshadow2001 11th August 2014, 00:05 Quote
Quote:
Originally Posted by Gareth Halfacree
My home server has SSH exposed to the 'net on the standard port. You wouldn't believe how many brute-force login attempts I get each day. Thankfully, barring any serious holes in the software, it's unlikely anyone's getting in: I use fail2ban to block brute-force attempts at the firewall, logins require a keypair rather than a password, and any login not from a trusted IP address requires two-factor authentication. I also have watchdog daemons running, just in case there is a zero-day in the SSH server, alerting me to unusual activity. Paranoid? Perhaps. Safe from things like CryptoLocker and its variants? Oh, yes.

Then, of course, there's the multiple-redundant off-site backups...

I'd love to see a guide based around your setup Gareth. Perhaps bit-tech would buy it as a feature article?
Gareth Halfacree 11th August 2014, 11:26 Quote
Quote:
Originally Posted by theshadow2001
I'd love to see a guide based around your setup Gareth. Perhaps bit-tech would buy it as a feature article?
I'll pitch it to the powers that be - although its Linux focus means it's a bit niche for a site like Bit. That said, editors that normally wouldn't touch Linux with the proverbial ten-foot pole go ga-ga if you s/Linux/the Raspberry Pi/g...
Margo Baggins 11th August 2014, 11:41 Quote
Quote:
Originally Posted by Gareth Halfacree
I'll pitch it to the powers that be - although its Linux focus means it's a bit niche for a site like Bit. That said, editors that normally wouldn't touch Linux with the proverbial ten-foot pole go ga-ga if you s/Linux/the Raspberry Pi/g...

Do it unofficially in the software section :) Would float my boat!
faugusztin 11th August 2014, 12:19 Quote
Quote:
Originally Posted by theshadow2001
I'd love to see a guide based around your setup Gareth. Perhaps bit-tech would buy it as a feature article?

There are a million various backup schemes and strategies.

My personal backup scheme is: install an rsync server on every OS I want to back up (for Windows I use Cygwin with cygrunsvr, rsync server). Then I have my local server, which runs rsnapshot and does the backup via rsync. Then my remote server at a completely different location does a daily rsnapshot against my daily.0 folder on the local server. You could of course extend this to any length or number of computers as you wish.

And why rsnapshot? Because it is something in between incremental and full backups: if there is a previous backup, then the previous backup is rolled from hourly.0 to hourly.1 (and every folder with a higher number in the same category is rolled to a higher number; the oldest one is of course removed), a new hourly.0 folder is created, all files from the old folder are copied over as hard links (so no extra disk space is used up) and then new or modified files replace the copied-over files. With every backup, the cycle is repeated, and every time the space requirement increases for new and modified files only. You can set up your own rotation scheme (I have a backup every hour, then every day, every week of a month, every month for the last 12 months on my main server). That means I will have hourly.0-23 folders, daily.0-7, weekly.0-3, monthly.0-11 folders.

For example 5 daily backups of 29GB data on my remote backup site use 36GB in total. 24 hourly and 7 daily backups on my main server ? 53GB.
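The rotation and hard-link scheme described in the post above, as an added example that is not rsnapshot's own code or part of the thread: a small Python model of one interval, with os.link standing in for `cp -al` and a copy/delete pass standing in for `rsync -a --delete`, run on a constructed directory to show that unchanged files share one inode across snapshots and only edited files cost space.

```python
import filecmp
import os
import shutil
import tempfile

def rotate(root, interval, keep):
    """Roll interval.N to interval.(N+1); the oldest, interval.(keep-1), is dropped."""
    oldest = os.path.join(root, f"{interval}.{keep - 1}")
    if os.path.isdir(oldest):
        shutil.rmtree(oldest)
    for n in range(keep - 2, -1, -1):
        src = os.path.join(root, f"{interval}.{n}")
        if os.path.isdir(src):
            os.rename(src, os.path.join(root, f"{interval}.{n + 1}"))

def link_tree(src, dst):
    """Recreate src under dst with hard links (what `cp -al` does): no file data is copied."""
    for dirpath, _, filenames in os.walk(src):
        target = os.path.normpath(os.path.join(dst, os.path.relpath(dirpath, src)))
        os.makedirs(target, exist_ok=True)
        for name in filenames:
            os.link(os.path.join(dirpath, name), os.path.join(target, name))

def sync_tree(source, dest):
    """Stand-in for `rsync -a --delete`. Unchanged files keep their shared inode; a changed
    file is unlinked before it is rewritten, so older snapshots keep the old bytes."""
    for dirpath, _, filenames in os.walk(source):
        target = os.path.normpath(os.path.join(dest, os.path.relpath(dirpath, source)))
        os.makedirs(target, exist_ok=True)
        for name in filenames:
            s, d = os.path.join(dirpath, name), os.path.join(target, name)
            if os.path.exists(d):
                if filecmp.cmp(s, d, shallow=False):
                    continue
                os.unlink(d)
            shutil.copy2(s, d)
    for dirpath, _, filenames in os.walk(dest):   # --delete: drop files gone from source
        back = os.path.normpath(os.path.join(source, os.path.relpath(dirpath, dest)))
        for name in filenames:
            if not os.path.exists(os.path.join(back, name)):
                os.unlink(os.path.join(dirpath, name))

def snapshot(source, root, interval="hourly", keep=24):
    """One rsnapshot run for an interval: rotate, link the previous snapshot, sync changes."""
    rotate(root, interval, keep)
    newest, previous = (os.path.join(root, f"{interval}.{n}") for n in (0, 1))
    if os.path.isdir(previous):
        link_tree(previous, newest)
    os.makedirs(newest, exist_ok=True)
    sync_tree(source, newest)
    return newest

def unique_bytes(root):
    """Disk actually consumed: each inode counted once, however many snapshots link to it."""
    seen, total = set(), 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            st = os.stat(os.path.join(dirpath, name))
            if (st.st_dev, st.st_ino) not in seen:
                seen.add((st.st_dev, st.st_ino))
                total += st.st_size
    return total

def demo():
    """Constructed scenario: two hourly snapshots with one small file edited in between."""
    work = tempfile.mkdtemp()
    source, root = os.path.join(work, "data"), os.path.join(work, "backups")
    os.makedirs(os.path.join(source, "docs"))
    for rel, data in {"docs/big.bin": b"A" * 100_000, "notes.txt": b"v1\n"}.items():
        with open(os.path.join(source, rel), "wb") as f:
            f.write(data)
    snapshot(source, root)
    with open(os.path.join(source, "notes.txt"), "wb") as f:
        f.write(b"v2 edited\n")
    snapshot(source, root)
    h0, h1 = (os.path.join(root, f"hourly.{n}") for n in (0, 1))
    result = {
        "big_shared": os.path.samefile(os.path.join(h0, "docs/big.bin"), os.path.join(h1, "docs/big.bin")),
        "notes_old": open(os.path.join(h1, "notes.txt"), "rb").read(),
        "notes_new": open(os.path.join(h0, "notes.txt"), "rb").read(),
        "unique_bytes": unique_bytes(root),   # 100000 + 3 + 10: only the edited file costs space
    }
    shutil.rmtree(work)
    return result
```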
Gareth Halfacree 11th August 2014, 12:27 Quote
Quote:
Originally Posted by faugusztin
There are a million various backup schemes and strategies.
I think they're specifically after the security aspect, not the backup aspect.
theshadow2001 11th August 2014, 18:38 Quote
Quote:
Originally Posted by Gareth Halfacree
That said, editors that normally wouldn't touch Linux with the proverbial ten-foot pole go ga-ga if you s/Linux/the Raspberry Pi/g...
No surprises there. The internet has a raging nerd-on for pi's.
Quote:
Originally Posted by Gareth Halfacree
I think they're specifically after the security aspect, not the backup aspect.

Indeed I am. But the backup stuff is all gravy too.
RedFlames 11th August 2014, 18:39 Quote
Quote:
Originally Posted by Gareth Halfacree
I think they're specifically after the security aspect, not the backup aspect.

I'd be interested in both tbh...
littlepuppi 11th August 2014, 22:25 Quote
Have been half expecting this in the NetApp space for a while now.... Shows the vulnerabilities of centralised mass storage
mitch311 19th August 2014, 10:42 Quote
I must say this news has me slightly worried. Could anyone's Synology NAS be targeted or is it like other viruses where you need to do something stupid first (dodgy sites etc)? I have been toying with replacing my NAS with a Linux server and this kind of thing just makes me want to push my timetable forward.

As an additional note I must say that Synology has started getting their act together a bit. I have started getting security related emails from them recently about updates and patches.
Gareth Halfacree 19th August 2014, 10:55 Quote
Quote:
Originally Posted by mitch311
I must say this news has me slightly worried. Could anyone's Synology NAS be targeted or is it like other viruses where you need to do something stupid first (dodgy sites etc)? I have been toying with replacing my NAS with a linux server and this kind of thing just wants me to push my timetable forward.
First, to clarify: the Synology DiskStation Manager (DSM) software that drives its various NAS models is Linux. You already have a Linux server; just one that comes preconfigured for a certain task and with non-standard software (the web-based user interface) installed.

To the meat of the question: the only stupid thing you have to do is to open the management port to the internet by port-forwarding (or UPnP) on your router, which is the official way you get access to your files from outside your home. That, coupled with not having installed the security patch from December, is enough to get yourself infected. It's a remote code execution vulnerability; no user interaction required. You don't need to visit any sites, download any software, or install anything on the NAS itself; if the port is forwarded and December's security update isn't installed, then SynoLocker will find it and infect it.

Such is the price we pay for convenience, sadly. I can only access my NAS using SSH, and then only from pre-approved systems that have a private key matching public keys stored on the server itself. Not as convenient as Synology's software, but very secure.
wuyanxu 19th August 2014, 11:41 Quote
I must say I did have the Synology management HTTPS port 5001 forwarded, but I've kept the system up to date so I was lucky enough to avoid it.

For just as convenient access to your files, use VPN server provided in the package centre. You can also use DS Files app and open WebDAV to access your files without going VPN route.

I had replaced my Synology with a Windows Home Server HP box, but was never happy with its configuration, so I went back to Synology in the end.
mitch311 19th August 2014, 16:33 Quote
Quote:
Originally Posted by Gareth Halfacree
First, to clarify: the Synology DiskStation Manager (DSM) software that drives its various NAS models is Linux. You already have a Linux server; just one that comes preconfigured for a certain task and with non-standard software (the web-based user interface) installed.

To the meat of the question: the only stupid thing you have to do is to open the management port to the internet by port-forwarding (or UPnP) on your router, which is the official way you get access to your files from outside your home. That, coupled with not having installed the security patch from December, is enough to get yourself infected. It's a remote code execution vulnerability; no user interaction required. You don't need to visit any sites, download any software, or install anything on the NAS itself; if the port is forwarded and December's security update isn't installed, then SynoLocker will find it and infect it.

Such is the price we pay for convenience, sadly. I can only access my NAS using SSH, and then only from pre-approved systems that have a private key matching public keys stored on the server itself. Not as convenient as Synology's software, but very secure.

Thank you for the clarification Gareth. I have DSM5 up to date but had an email a few weeks ago about a manual patch that I haven't got round to installing so I'll be doing that asap.

One thing I played about with previously was the QuickConnect thing that lets you access files on your phone using the free apps. Needless to say I couldn't get it to work but this has me worried that I've left my NAS visible to others. I shall have to spend some time sorting this out.
theshadow2001 20th August 2014, 13:19 Quote
Quote:
Originally Posted by Gareth Halfacree
First, to clarify: the Synology DiskStation Manager (DSM) software that drives its various NAS models is Linux. You already have a Linux server; just one that comes preconfigured for a certain task and with non-standard software (the web-based user interface) installed.

To the meat of the question: the only stupid thing you have to do is to open the management port to the internet by port-forwarding (or UPnP) on your router, which is the official way you get access to your files from outside your home. That, coupled with not having installed the security patch from December, is enough to get yourself infected. It's a remote code execution vulnerability; no user interaction required. You don't need to visit any sites, download any software, or install anything on the NAS itself; if the port is forwarded and December's security update isn't installed, then SynoLocker will find it and infect it.

Such is the price we pay for convenience, sadly. I can only access my NAS using SSH, and then only from pre-approved systems that have a private key matching public keys stored on the server itself. Not as convenient as Synology's software, but very secure.

The question remains if DSM is a Linux-based system. How was any code allowed to be executed without root?
Even if they have plugged one hole chances are there could well be another.
Gareth Halfacree 20th August 2014, 14:02 Quote
Quote:
Originally Posted by theshadow2001
The question remains if DSM is a Linux-based system. How was any code allowed to be executed without root?
You don't need to be root to run software, otherwise you'd never be able to open a web browser or play a game. You should need to be root (or have root privileges) to make system-wide changes, but again we're looking at a trade-off of security for convenience: you have to be able to manage the system through the system management interface, otherwise it'd have no purpose. Got a hole in the system management interface? The attacker can manage the system, just like you can. In this case, "manage" being "disable access to the management console and begin encrypting all the files."
Quote:
Originally Posted by theshadow2001
Even if they have plugged one hole chances are there could well be another.
Welcome to modern software: code these days is far too complex to be without error. You just have to hope the good guys spot the flaws and fix 'em before the bad guys spot the flaws and exploit 'em. No operating system is immune.
theshadow2001 20th August 2014, 19:57 Quote
Quote:
Originally Posted by Gareth Halfacree
You don't need to be root to run software,
A very tired shadow + tapatalk + a phone = not a chance of me posting to the required Bit-tech level of pedanticism. We both know what I meant.
Quote:
Originally Posted by Gareth Halfacree

but again we're looking at a trade-off of security for convenience: you have to be able to manage the system through the system management interface, otherwise it'd have no purpose. Got a hole in the system management interface? The attacker can manage the system, just like you can. In this case, "manage" being "disable access to the management console and begin encrypting all the files."
I suppose so, it just seems silly to build a Linux-based system and ignore all those well established security features. Why not a nice user-friendly interface to an actual Linux system with all its security goodness left intact.
Quote:
Originally Posted by Gareth Halfacree

Welcome to modern software: code these days is far too complex to be without error. You just have to hope the good guys spot the flaws and fix 'em before the bad guys spot the flaws and exploit 'em. No operating system is immune.
In a roundabout way, what I was saying is that you might be better off just setting up something yourself on a more established, less customised system. Like OpenMediaVault and some old or low power gear.
Gareth Halfacree 21st August 2014, 10:32 Quote
Quote:
Originally Posted by theshadow2001
A very tired shadow + tapatalk + a phone = not a chance of me posting to the required Bit-tech level of pedanticism. We both know what I meant.
You might have known what you meant, but a Linux n00b coming to this thread would have been confused - hence the clarification. No offence was meant!
Quote:
Originally Posted by theshadow2001
I suppose so, it just seems silly to build a Linux-based system and ignore all those well established security features. Why not a nice user-friendly interface to an actual Linux system with all its security goodness left intact.
What security goodness? Linux is, at its heart, no more or less secure than any other operating system - well, now that Windows has got out of the habit of defaulting all users to administrative privileges, anyway. If there's a security hole in a piece of software that runs with root privileges, then an attacker exploiting that hole will get root privileges.

Let's say that Synology changed its software to run as an unprivileged user with no access to anything. Secure, but useless: an attacker can't get at your files, but neither can you. So, you have to expand its permissions to include the ability to read and write the files, right? Boom: if an attacker exploits a security hole, like SynoLocker does, the code he or she runs also has access to read and write the files. There's nothing in Linux or any other operating system that can prevent this: if the attacker has your privileges, he or she can do anything you can do - up to and including encrypting all your files with a key you don't know.
Quote:
Originally Posted by theshadow2001
In a roundabout way, what I was saying is that you might be better off just setting up something yourself on a more established, less customised system. Like OpenMediaVault and some old or low power gear.
OpenMediaVault is very similar to DSM - a friendly interface to a preconfigured appliance image. It, too, could easily fall victim to security flaws just like SynoLocker; it may, however, be more secure due to its lower popularity. Synology has a big user base of people who have paid real cash money for their NAS many of whom may not be the most technically minded, a tempting target pool for attackers; OpenMediaVault - and other similar projects - have a smaller user base most of whom are technically minded by dint of having decided to build-their-own instead of buying COTS, a far less tempting target.

There's the option of roll-your-own entirely, but a little knowledge can be a dangerous thing: knowing enough to set up a Linux server is one thing; knowing enough to keep a Linux server secure is something quite different.
theshadow2001 21st August 2014, 22:24 Quote
Quote:
Originally Posted by Gareth Halfacree

What security goodness?

Oh you know, the natural permissions structure, the fact that files aren't executable by default, little things like that.
Quote:
Originally Posted by Gareth Halfacree

Let's say that Synology changed its software to run as an unprivileged user with no access to anything. Secure, but useless: an attacker can't get at your files, but neither can you. So, you have to expand its permissions to include the ability to read and write the files, right? Boom: if an attacker exploits a security hole, like SynoLocker does, the code he or she runs also has access to read and write the files. There's nothing in Linux or any other operating system that can prevent this: if the attacker has your privileges, he or she can do anything you can do - up to and including encrypting all your files with a key you don't know.

Ok but let's say Synology changed their software so that you can do your normal file interaction with the NAS storage folders, but you can't do things like modify the operating system files, install new software or encrypt stuff without a higher user level, the level of some kind of super user, whose login is only temporary whilst carrying out those tasks.
Quote:
Originally Posted by Gareth Halfacree

OpenMediaVault is very similar to DSM - a friendly interface to a preconfigured appliance image. It, too, could easily fall victim to security flaws just like SynoLocker; it may, however, be more secure due to its lower popularity. Synology has a big user base of people who have paid real cash money for their NAS many of whom may not be the most technically minded, a tempting target pool for attackers; OpenMediaVault - and other similar projects - have a smaller user base most of whom are technically minded by dint of having decided to build-their-own instead of buying COTS, a far less tempting target.
Quite possibly, maybe sometimes obscurity is security.

Quote:
Originally Posted by Gareth Halfacree

There's the option of roll-your-own entirely, but a little knowledge can be a dangerous thing: knowing enough to set up a Linux server is one thing; knowing enough to keep a Linux server secure is something quite different.
True, if only there was some sort of guide that might tell us how to secure access to things like this....:D
Gareth Halfacree 22nd August 2014, 08:42 Quote
Quote:
Originally Posted by theshadow2001
Oh you know, the natural permissions structure, the fact that files aren't executable by default, little things like that.
You wouldn't need to execute anything to do a SynoLocker-style attack: just bypass the login requirement. Even if the attacker needed to drop an executable, they're logged in as you - which means they need only chmod +x and their file is now an executable. And, again, permissions won't help: anything that would stop the attacker doing something would also stop you doing that same thing.
Quote:
Originally Posted by theshadow2001
Ok but let's say Synology changed their software so that you can do your normal file interaction with the NAS storage folders, but you can't do things like modify the operating system files, install new software or encrypt stuff without a higher user level, the level of some kind of super user, whose login is only temporary whilst carrying out those tasks.
But there would have to be some way for you to switch to the temporary super-user account in order to perform these tasks, right? So, if the attacker is logged in as you through a security hole, he or she can also switch to the temporary super-user account. See the problem?
Quote:
Originally Posted by theshadow2001
True, if only there was some sort of guide that might tell us how to secure access to things like this....:D
Hah! I'm far from an expert, although - touch wood - I've not been got yet.