XPEnology Community

SynoLocker Ransomware Affecting DSM 4.3-3810


waspsoton


Further info here:

 

http://www.theregister.co.uk/2014/08/05 ... y_attacks/

 

Although according to the comments it's been patched?

 

I'll ask the same questions on here as I have on theregister:

 

I disabled the admin account and created a new one.

I have SSH turned off.

I have SSL turned on and auto-redirected.

I have auto-block IP on 2 password fuck-ups.

 

Am I doing everything I should to keep safe?

 

Hackers do not necessarily need to try your admin password. Once the hackers have identified that your device is a Synology NAS and that it has some security vulnerabilities that haven't been fixed, it is possible the hackers can remotely access your NAS as the root user.

 

- disable port forwards 5000, 50001 ... ports

- stop using Synology free DDNS; the Synology domain is unsafe

 

On further reading today (fuck work, who needs work?) it looks like I'm safe as running the latest Nanoboot. Still, taken it off the internet for the time being.

 

Isn't Nanoboot using a legacy bootloader or something to get around the Syno protection? So is it possible even on DSM 5 the rest of us could be a target?


Fresh news about the issue coming from Synology forums:

 

--------------------

The AnandTech article was updated a bit ago:

 

http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware

 

"Synology has finished analyzing the exploit and confirmed which versions of DSM are vulnerable. The vulnerability in question was patched out of DSM in December of 2013, so only servers running significantly out of date versions of DSM appear to be affected.

 

In summary, DSM 5.0 is not vulnerable. Meanwhile DSM 4.x versions that predate the vulnerability fix – anything prior to 4.3-3827, 4.2.3243, or 4.0-2259 – are vulnerable to SynoLocker. For those systems that are running out of date DSM versions and have not been infected, then updating to the latest DSM version should close the hole.

 

As for systems that have been infected, Synology is still suggesting that owners shut down the device and contact the company for direct support."

 

-------------------

 

So it seems the issue only affects non-"updated" 4.x versions... :grin: good news

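As an added example (not part of the thread, and not Synology's code), the version boundaries in the AnandTech quote above can be turned into a small shell check. It assumes DSM keeps its version in a key="value" file (on a NAS, /etc.defaults/VERSION) with majorversion, minorversion and buildnumber fields, and it reads "4.2.3243" as build 3243 of DSM 4.2.

```shell
#!/bin/sh
# Added example: classify a DSM version against the fixed builds quoted above.
# Prints one of: vulnerable | not-vulnerable | unknown

synolocker_status() {      # usage: synolocker_status MAJOR MINOR BUILD
    major=$1; minor=$2; build=$3
    for n in "$major" "$minor" "$build"; do
        case "$n" in
            ''|*[!0-9]*) echo unknown; return 0 ;;   # missing or non-numeric field
        esac
    done
    if [ "$major" -ge 5 ]; then
        # Quote: "DSM 5.0 is not vulnerable"; later releases are assumed to keep the fix.
        echo not-vulnerable
        return 0
    fi
    if [ "$major" -ne 4 ]; then
        echo unknown           # the quote only covers 4.x and 5.0
        return 0
    fi
    case "$minor" in
        3) fixed=3827 ;;
        2) fixed=3243 ;;       # written "4.2.3243" in the quote
        0) fixed=2259 ;;
        *) echo unknown; return 0 ;;   # e.g. 4.1: the quote gives no fixed build
    esac
    if [ "$build" -lt "$fixed" ]; then echo vulnerable; else echo not-vulnerable; fi
}

# Read one numeric field (key="value") from a VERSION-style file.
version_field() {          # usage: version_field FILE KEY
    awk -F= -v k="$2" '$1 == k { gsub(/[^0-9]/, "", $2); print $2; exit }' "$1"
}

dsm_status_from_file() {   # usage: dsm_status_from_file FILE
    if [ ! -r "$1" ]; then echo unknown; return 0; fi
    synolocker_status "$(version_field "$1" majorversion)" \
                      "$(version_field "$1" minorversion)" \
                      "$(version_field "$1" buildnumber)"
}

# Constructed sample: the build named in the thread title (DSM 4.3-3810).
sample=$(mktemp)
printf 'majorversion="4"\nminorversion="3"\nbuildnumber="3810"\n' > "$sample"
echo "DSM 4.3-3810: $(dsm_status_from_file "$sample")"
rm -f "$sample"
# On a NAS (assumed path): dsm_status_from_file /etc.defaults/VERSION
```

An "unknown" result means the quoted advisory does not cover that branch, not that the box is safe.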

Thank god it's not affecting DSM 5. At least this has caused me to review my security settings on my NASes. I will get my last 4.3 box updated soon; for now I have removed web/https access from the internet.

 

Useless mate! But good choice.

My suggestion is to block 5000 5001 ports in your firewall/cancel port forwards.

It's enough that the system is pingable on the internet; the exploit just gets root permissions for the attacker and everything is installed automatically.


Thank god it's not affecting DSM 5. At least this has caused me to review my security settings on my NASes. I will get my last 4.3 box updated soon; for now I have removed web/https access from the internet.

 

Useless mate! But good choice.

My suggestion is to block 5000 5001 ports in your firewall/cancel port forwards.

It's enough that the system is pingable on the internet; the exploit just gets root permissions for the attacker and everything is installed automatically.

 

I have set DSM to use non default ports for HTTPS web admin access and disabled unencrypted access. Also blocked port 80 as if you visit that with it not blocked it will just re-direct the user to the web admin page with the hidden port. Of course the port is not that hidden and can just be port scanned but changing things from non-default ports is always a good step.

 

I have a few DSM systems in datacenters that use internet-facing IPs, so I can't block them in a firewall. I am just using the DSM inbuilt firewall. Only services I need are allowed through the firewall.


Well, I am now all back up and running. I have one question:

1. Can I upgrade to 5 without losing my data?

 

Yes! Guys, for God's sake, "Read The Fuckin Manual!". There are sooo many threads and posts in this regard that apparently no newbie is reading. Everyone is asking the same thing again and again. Sad.
