
"Synology email always has the “synology.com” address suffix."
Whew! Just as well this is impossible to fake. All hail the Synology security experts.
Synology Diskstations and Rackstations are being hit by malware dubbed Synolocker. The malware is similar to the infamous Cryptolocker ransomware in that it encrypts all your files and then demands a ransom to unlock them. The vulnerabilities that enable the malware appear to rely on hard-coded passwords to recommended …
Actually, I can't really call them on the carpet for that one, mate.
If affected, you're screwed. Your data's gone and you either pay the ransom or pray for backups. In that case, the fact that the advice is "switch it off and call Synology" is - to my mind - exactly the right response.
This means that they will give each user a walk through their options one by one. It also means that if the user chooses to simply nuke out the OS, restore and start fresh by blanking the drives then Synology will help them do so.
Beyond that, I'm honestly not 100% sure what Synology can do. Offer to pay the ransom for you? I'm pretty sure that's actually illegal.
If they knew how to crack the thing and get you your files back, should they be posting that on the internet for all to see? Or should they walk you through it on the phone, where there's at least a chance that the minor obscurity will prevent the bad guys from figuring out that their operating version is done for?
Honestly, if you've any better advice at all for any of it, ping me and I'll make sure it gets in front of the right people at Synology.
As regards "how this could be prevented in the future", keep an eye out for a sysadmin blog in a few hours. That one has already been written, and Synology's brass sent a scathing hot piece of my mind besides. I have a face-to-face with these folks in a few weeks, and there will be beating about the ears, I promise you all.
"Honestly, if you've any better advice at all for any of it, ping me and I'll make sure it gets in front of the right people at Synology."
A minor point in the grand scheme of things but these two seem bass acwards to me:
B. Update DSM to the latest version
C. Backup your data as soon as possible
Don't forget to pack your cluebat for that meeting.
http://gallery.gosi.at/d/7818-2/cluebat.jpg
Okay, I do get the quibble about "backup first, then upgrade the DSM"...sort of. In the many years I've owned Synology Diskstations I've never had a DSM update go sideways on me. To be perfectly honest, I trust the DSM update process enough that I'm not sure a special "out of band" backup would have even occurred to me. (I do have automated end of night backups, natch.)
But I'll make sure to pass along your advice all the same, because it is right and proper that they pay attention to the order of that.
Absolutely. Please go to the Synology Download Center and download the update or new version of DSM for your device. You'll be able to log into your Diskstation or Rackstation locally and then go into "Start --> Control panel --> Update and restore (which is under "system")". Here you'll be able to feed it the file you downloaded.
I've done the above many times. It's safe and works well.
Latest update is that they've killed QuickConnect and Synology DDNS access to devices that are vulnerable - not much they can do about those who have rolled their own access though, other than hope they're paying attention to the tech press, or are actually doing security updates.
http://www.synology.com/en-us/company/news/article/470
"Actually, I can't really call them on the carpet for that one, mate."
I'm not criticising the advice for when the machine is boned - you're right, they have very little they can add at this stage - I'm criticising the lack of advice for non-infected users. They could at the very least have given the same preventative advice that you've given in the article which so far they seem to have failed to do?
They're putting together a complete PR campaign around this. Their PR guy is horribly overworked, and he has been reaching out to tech journalists around the world on this. My article - and others like it - are the first line of their efforts to reach customers.
I suspect an e-mail blast is being prepared, though I personally think that should have been done about 10 minutes after learning this was an issue. Still; I do know that they will be issuing most (if not all) of the advice I wrote in this article, probably later today.
We'll see over time how the response shapes up, and I'll work with their PR guys - and hopefully their brass - to make sure they do better next time. People's files are being encrypted. Who knows how many memories are being lost. It's the least I can do.
The second piece has been published, for those curious.
I have (sorry, had) more than one Synology server in different locations precisely for the purpose of having redundant backup and high availability. Everything offsite is now powered down. Onsite I've yanked the CAT6 until I sort the ports out.
There is a lot at stake for Synology as a company in terms of how quickly they a) communicate this to customers (I found out from El Reg, not Synology), and b) patch DSM 5 and 4.*. They will need to regain trust. Ideally an independent audit of their DSM software. But even simple measures like allowing users to easily change standard ports (and by "easily", I mean in the GUI) would be a help right now.
As I start thinking about how to improve my resilience, buying more Synology kit isn't exactly top of the list. If they'd put half the effort spent on the "pretty" new GUI for DSM5 into improving security then we probably wouldn't have this problem.
I have USB hard drive backups of most data. The rest are in Amazon Glacier. If I have to pull data out of Glacier because of this then Synology can expect to receive the bill.
Good. However, it didn't show in my Facebook news feed. So perhaps more channels of communication wouldn't hurt. It's not like they don't have our addresses. This is urgent. The quicker people know, the more data will be saved.
BTW I'm not sure why you've inferred I don't like facebook/twitter - I use them both. And indeed have used them this morning to alert more people. They play a part in the dissemination of info, but Synology could go further.
Great, Awesome.....What? Wait that's a partial fail!
What about those of us that do not use Facebook or Twitter or other social media?
I'm in with the call that an email out to all registered users (in the same vein as when an update is released), would have been far more effective for me.
most competent companies post their OWN facebook/twitter feed on their OWN website. That way since the *actual* place we all check for security information is $COMPANY, if there is a warning everyone will see it.
Seriously, I don't have one of these NAS's. I rolled my own (HP uServer), but this morning I double checked the backup plan and firewall, if for no other reason than that this reminded me how precarious data is...
P.
Edit the firewall on your router, not your Synology NAS. Your Synology NAS should never be plugged directly into the internet. There should always be a router in between. If you have any questions whatsoever, contact Synology immediately, and they'll walk you through locking this down.
Edit: others go there first. :)
Don't forget the DMZ of your router, in case you threw it in there to try to see how far you could throw the streaming functionality, or whatever it was I....er....someone I know, was trying to do that I...er, he, can't remember now.
*cough*
*disables DMZ host, kills ports*
Mind you I'm running a draytek VPN over fibre, so VPN performance is perfectly good for getting access to files etc. I think I might keep it that way for a while till a confirmed fix is published.
Steven R
Compounding the problem is that Synology routinely issues DSM update notices, but then fails to post the latest updates on their support site. Their Support is reasonable fast and sends links in response to complaints, but Synology's release process seems broken. They *really* need to get their act together.
The main reason I gave up on my QNAP and went back to building my own linux boxes was due to a) foot-dragging getting security updates out and b) poor QA on their feature-and-security releases.
That said, all of this "let's expose the NAS to the outside world" nonsense needs to stop; the official instructions normally just say "either turn on UPnP and get it all done automagically, or just forward ports 22, 80, blah blah" - all a massive security risk that the user needs to be made explicitly aware of. Given that these are just linux distros I've no idea why they don't integrate a simple VPN (e.g. OpenVPN which AFAICT has a VPN client for pretty much every device out there) better into this process.
I had a friend with the same QNAP as me, opened his meeja-sharin' web pages to the world, vuln in the web server and got his box rooted enough to be banned by the ISP for spamming. But at least it earnt me a crate of beer for extracting his data from the array before we blew away the discs and the DOM. He too was an IT professional but viewed his NAS as an "appliance" with the blinkered view that appliances don't require regular maintenance and diligence like everything else does.
Fortunately I don't require remote access to my NAS, so when I first powered on my new Syno a few weeks back and it asked me if I wanted to connect to t'interwebs I politely declined. OK I probably said something along the lines of "fuck no!".
Though you hit the nail on the head in that such devices are now seen as appliances and they will quite happily run off and do strange things to your router via UPnP if you let them. We IT pros know this sort of thing, but Joe Public doesn't. It does worry me that with all the hype about The Internet Of Things and a bit of IPv6 then it's only a matter of time before fridges, toasters and the like are subverted...
"think they will ask for it in bitcoins - will be harder to track down"
Nonsense! Per the Bitcoin advocates everything is just fine and crooks refuse to use Bitcoins at all.
Was told about this by a client this morning who heard about it from someone who got owned.
So far, secured 7 devices today and doing another one tonight. The rest of devices have been powered down until I go over and secure them.
All told, we are talking about 130+TB of data (3 of the units with large RackStations).
I manage around 50 devices from a few manufacturers - this is by far the worst issue I've come across in 7 years of managing NAS devices.
To make matters worse, a lot of the distributors in countries were not told by Synology of the issue.
All in all, a scary day for my clients. Will need to see how Synology respond before recommending any more kit...
"To make matters worse, a lot of the distributors in countries were not told by Synology of the issue."
Synology aren't even telling their users. You'd only know if you happen to come across a news article, FB/twitter post or browse their forums. Should be an email gone out instantly and with the latest update advice to all users.
I only have one port open to the Internet on mine....OpenVPN. Even then, you cannot use the admin account for anything on that system and the other services running on it are kept to a minimum (even though they're only available to my Class D network).
But Joe Average finds that too hard and click-click-click too easy. Heck, the NAS will also try to open the ports on the router to provide access directly to the device.
It's like NoScript - the experts are protected but everyone else is SOL....! Synology is not alone here....make something easy for people who can't do something and it'll eventually go wrong.
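The "keep services to a minimum and only expose the VPN" approach in the post above can be checked rather than assumed. The following is an added example, not code from the thread or from Synology: it reads `netstat -tln`-style output (a constructed sample is embedded below, so it runs offline; the column layout is assumed to be the usual net-tools/busybox format) and lists every TCP listener bound to all interfaces whose port is not the one VPN port you intend to forward. Anything it prints is a service that a stray router port-forward or UPnP mapping could expose.

```shell
#!/bin/sh
# Added example: list TCP services listening on all interfaces, except the
# one port (e.g. OpenVPN on 1194) that is meant to be reachable from outside.
# Input format assumed: `netstat -tln` as printed by net-tools/busybox.

# Constructed sample of `netstat -tln` output (not captured from a real NAS).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN
tcp6       0      0 :::1194                 :::*                    LISTEN'

# exposed_listeners ALLOWED_PORT
# Reads netstat output on stdin; prints "proto/port" for each LISTEN socket
# bound to 0.0.0.0 or :: (all interfaces) whose port is not ALLOWED_PORT.
# Sockets bound to loopback (127.0.0.1, ::1) are ignored: they are not
# reachable from the LAN, let alone through a router.
exposed_listeners() {
    awk -v allowed="$1" '
        $NF == "LISTEN" {
            n = split($4, parts, ":")            # "0.0.0.0:22" -> port is last field
            port = parts[n]
            bind = substr($4, 1, length($4) - length(port) - 1)
            if ((bind == "0.0.0.0" || bind == "::") && port != allowed)
                print $1 "/" port
        }'
}

# On a real box you would pipe `netstat -tln | exposed_listeners 1194` instead.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 1194
```

Expected output for the sample is `tcp/22` and `tcp/5000` (SSH and the DSM web UI); the loopback MySQL socket and the VPN port on both IPv4 and IPv6 are not reported. What this cannot tell you is whether those ports are actually forwarded at the router; it only shows what would be reachable if they were, which is the list to cross-check against the router's port-forward and UPnP tables.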
Updated post on synology's facebook page:
Synology Continues to Encourage Users to Update
Thank you for your patience as we continue to investigate the ransomware "SynoLocker" which is currently affecting certain Synology NAS users.
We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. We HIGHLY encourage our users to update their DSM.
Furthermore, to prevent spread of the issue we have only enabled QuickConnect and Synology DDNS service to secure versions of DSM.
Please take a look at our official statement with more information here: http://bit.ly/1oypNfE
We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we continue to address this issue.
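Synology's statement gives a concrete cut-off, "DSM 4.3-3810 or earlier", so the first thing to do for each box is compare its version against that. The following is an added example, not Synology's tooling: it parses a DSM version string of the form MAJOR.MINOR-BUILD and reports whether it falls inside the affected range. The `majorversion`/`minorversion`/`buildnumber` keys it reads from a VERSION file are assumed to be the layout of DSM's `/etc.defaults/VERSION`; the sample file below is constructed inline so the script runs anywhere.

```shell
#!/bin/sh
# Added example: is this DSM version within the range Synology's statement
# calls affected (4.3-3810 or earlier)?
LAST_AFFECTED="4.3-3810"

# dsm_parts VERSION -> prints "major minor build"; a version with no
# "-BUILD" suffix (e.g. "4.3") is treated as build 0.
dsm_parts() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%-*}
    case $1 in
        *-*) build=${1##*-} ;;
        *)   build=0 ;;
    esac
    echo "$major $minor $build"
}

# dsm_cmp A B -> prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Compares major, then minor, then build number, all numerically.
dsm_cmp() {
    set -- $(dsm_parts "$1") $(dsm_parts "$2")
    # $1..$3 = A's parts, $4..$6 = B's parts
    for i in 1 2 3; do
        eval "a=\$$i; b=\$$((i + 3))"
        if [ "$a" -lt "$b" ]; then echo -1; return; fi
        if [ "$a" -gt "$b" ]; then echo 1; return; fi
    done
    echo 0
}

# dsm_affected VERSION -> exit status 0 (true) if VERSION is 4.3-3810 or earlier
dsm_affected() {
    [ "$(dsm_cmp "$1" "$LAST_AFFECTED")" -le 0 ]
}

# dsm_version_from_file FILE -> "MAJOR.MINOR-BUILD" from key="value" lines
# (assumed layout of /etc.defaults/VERSION on DSM).
dsm_version_from_file() {
    maj=$(sed -n 's/^majorversion="\([0-9]*\)".*/\1/p' "$1")
    min=$(sed -n 's/^minorversion="\([0-9]*\)".*/\1/p' "$1")
    bld=$(sed -n 's/^buildnumber="\([0-9]*\)".*/\1/p' "$1")
    echo "$maj.$min-$bld"
}

# Constructed sample VERSION file (not taken from a real device).
SAMPLE_VERSION_FILE=$(mktemp)
printf 'majorversion="4"\nminorversion="3"\nbuildnumber="3776"\n' > "$SAMPLE_VERSION_FILE"

v=$(dsm_version_from_file "$SAMPLE_VERSION_FILE")
if dsm_affected "$v"; then
    echo "DSM $v: within the affected range, update before reconnecting"
else
    echo "DSM $v: newer than $LAST_AFFECTED"
fi
rm -f "$SAMPLE_VERSION_FILE"
```

On an actual DiskStation the last block would read `/etc.defaults/VERSION` instead of the temporary sample. A version newer than the cut-off only means this particular hole is closed; the advice in the thread to keep services off the internet still applies.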
If I don't run any outgoing services - just the Download Station - am I safe ?? If not, what must I do ? (there is a DNS server in there too ...). I am behind several "layers of NAT", (because that's how ISPs do their thing here) and I don't have a fixed IP address ... Thanks in advance and excuse me if I'm missing something ..
If your Synology doesn't have ports open to the net, you should be safe. But do run updates on the thing anyways. If your computer were ever infected in the future, and your Synology was left unpatched, it could be pwned at that point. Updating now will patch the hole.
They are just incompetent.
Somewhere along the way they 'broke' the ability to manually download updates and then upload to the disk-stations, these idiots REQUIRE the device to be connected to a router/switch that exposes it to the internet.
Then they introduced their STUPID update system with partial updates, which again can ONLY be installed by connecting the system to the internet.