[ALERT] SynoLock hack affecting Synology DSM 4.3

thiggins

Mr. Easy
Staff member
Posting this information from Synology
As of Sunday 3 August 2014, Synology DSM is undergoing a CryptoLocker hack called SynoLock. It’s a BitCoin Mining hack that encrypts portions of data, and ransoms the decryption key for .6 BitCoin ($350).

So far, it looks like the matter is localized to non-updated versions of DSM 4.3, but we are actively working on and researching the issue to see if it also affects DSM 5.0 as well.

In the interim, we are asking people to take the following precautions:
A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
B. Update DSM to the latest version
C. Backup your data as soon as possible
D. Synology will provide further information as soon as it is available.

If your NAS has been infected:
A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
C. Contact Synology Support as soon as possible at, http://www.synology.com/en-global/support/knowledge_base
 
Geesh!
http://forum.synology.com/enu/viewtopic.php?f=3&t=88716

Several people talking about a custom version of cryptLock targeting Synology NASes.

I'm not affected and won't be, because (a) my router port forwarding to permit remote access to the NAS has been/still is off; (b) I have the latest version of DSM 4.3- installed some time ago.
Don't know what vulnerability the evil doers are using to get in, but I'd hope that if you must have remote access, using a security cert. and SSL would protect you.

CryptLocker is about ransom $ to decrypt. Or not.
So I would expect them to go after any product with substantial quantities out there.
 
Official Synology release on SynoLocker

Synology® Continues to Encourage Users to Update
Washington, Bellevue—August 5th, 2014 —We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. Furthermore, to prevent spread of the issue we have only enabled QuickConnect to secure versions of DSM. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php:

  • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
  • A process called “synosync” is running in Resource Monitor.
  • DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.
 
Is there a reason not to update the firmware to the latest version?

I did, to, DSM 4.3-3827 about a month ago. A little tricky to find that download. One way is to tell DSM updates to use only important updates so it won't throw you to DSM5. This gets you to -3827.
I've elected to delay going to DSM 5 for many months.
But ultimately, closing the ports on the router until the dust settles is, I think, advised.
 
Synology said, as often we hear, the vulnerability is in NAS software's VPN if the NAS owner hasn't updated since late 2013.

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php.

-When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
-A process called “synosync” is running in Resource Monitor.
-DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
-For DSM 4.3, please install DSM 4.3-3827 or later
-For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
-For DSM 4.0, please install DSM 4.0-2259 or later

DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.

If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.

Apologies for any problems or inconvenience caused. We will keep you updated with latest information as we address this issue.

Jeremie
Synology Inc
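
The fixed-build thresholds and the “synosync” symptom given in the two Synology statements quoted above can be applied to a list of units as a triage check. This is an added example, not code from Synology or from any poster in this thread; the `triage` function, the hostnames and the inventory rows are made up for illustration.

```python
import re

# Minimum fixed build per DSM branch, from the advisory quoted in this thread.
# DSM 4.1 has no fixed build of its own: the advisory moves it to 4.2-3243.
FIXED = {(4, 3): (4, 3, 3827), (4, 2): (4, 2, 3243),
         (4, 1): (4, 2, 3243), (4, 0): (4, 0, 2259)}
SYMPTOM_PROCESS = "synosync"   # process name the advisory lists as a symptom
VERSION_RE = re.compile(r"^\s*(?:DSM\s+)?(\d+)\.(\d+)-(\d+)\s*$", re.IGNORECASE)


def triage(version, processes=()):
    """Return (status, detail) for one NAS; status is isolate/update/ok/unknown."""
    # A listed symptom outranks the version check: for symptomatic units the
    # advisory's response is shutdown and a support contact, not an update.
    if any(p.strip().lower() == SYMPTOM_PROCESS for p in processes):
        return "isolate", "synosync running: shut down and contact Synology support"
    m = VERSION_RE.match(version)
    if not m:
        return "unknown", f"unparseable version string {version!r}"
    major, minor, build = (int(g) for g in m.groups())
    if major >= 5:
        return "ok", "DSM 5.x: issue not observed in DSM 5.0 per the advisory"
    target = FIXED.get((major, minor))
    if target is None:
        return "unknown", f"DSM {major}.{minor} is not covered by the advisory"
    if (major, minor, build) >= target:
        return "ok", "at or above the fixed build"
    return "update", "install DSM {}.{}-{} or later".format(*target)


# Constructed inventory (hostnames, builds and process lists are made up).
INVENTORY = [
    ("nas-office", "DSM 4.3-3810", ["httpd", "smbd"]),
    ("nas-lab", "DSM 4.3-3827", ["smbd"]),
    ("nas-old", "4.1-2668", []),
    ("nas-home", "DSM 4.3-3810", ["smbd", "synosync"]),
    ("nas-new", "DSM 5.0-4493", []),
    ("nas-odd", "firmware 3.2", []),
]

if __name__ == "__main__":
    for host, version, procs in INVENTORY:
        status, detail = triage(version, procs)
        print(f"{host:<11} {version:<13} {status:<8} {detail}")
```

An "ok" result only means the reported build meets the advisory's threshold; it says nothing about whether the unit is still reachable from the internet.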
 
This is really bad for Synology. I hope things work out for them as a company, plus the users.

I feel that QNAP (I own several) and Synology should rethink how easy it is to enable port forwarding on the NAS systems and the routers via UPnP. I know when trying to enable the QNAP cloud, they automatically enable ALL service ports, ALL of them. This is so wrong.

QNAP also enables OpenVPN and PPTP by default when enabling myqnapcloud for zero reason, as most people don't know what a VPN is, and aren't required to use the cloud feature.
 
I'm not sure, but I think the vulnerability was VPN access by hacking the SSL with the recently infamous Heartbleed flaw.

OpenVMS was probably used in most NASes and thus they were all vulnerable, I'd estimate. Synology says that was fixed in December 2013 but too many people don't update their firmware.

If I were QNAP or other vendor, I would not brag about not being victimized, for obvious reasons.

It's getting terribly ugly to have anything on the Internet that allows unsolicited incoming traffic.

I have two factor authentication for some of my financial host servers (bank, broker). Hard token. I'm beginning to not trust soft tokens (SMS over cellular).
 