
My Synology NAS has been hacked by ransomware calling itself Synolocker - hjuutilainen
https://twitter.com/MikeEvangelist/status/495970097497128960
======
clebio
Wow, so this article was impetus enough for me to get key-based SSH working
correctly on my Synology.

Out of curiosity, I looked in my Synology's GUI for the logs, and found you can
export them to CSV (System Logs > Connections).

I have _a lot_ of this sort:

    Warning,Connection,2014/08/03 21:10:17,SYSTEM,User [root] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.

Curious how many distinct IPs, cut/grep/sed/sort:

    cut -d ' ' -f 5 ~/Downloads/connection.csv  | grep -E '[0-9.]+' | sed 's/\[//' | sed 's/\]//' | sort -u | wc

There are 143 distinct IPs, in the 111.x.y.z, 202, 210, 222, etc. ranges:

    ...  cut -d '.' -f -2 | sort -u
    111.74
    115.230
    115.239
    ...
    220.177
    222.186
    222.187

I punched a few into
([http://www.whereisip.net/index.php](http://www.whereisip.net/index.php)) and
they're mostly in China (except a 23.9... in Rochester, NY). All the
successful log-ins are from myself, at least ( grep 'logged in' ...).
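The cut/grep/sed/sort pipeline above is a fine one-off; as an added example (not from the commenter), here is the same triage as a small parser over the exported Synology connection CSV, generalised to group failed attempts by /16 block and to flag any successful login that did not come from a trusted range. The wording of the "logged in" line and the trusted-prefix list are assumptions; the sample lines are constructed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of a DSM "System Logs > Connections" CSV export.
# Only the first line is quoted from the thread; the others are made up.
# The success-line wording is an assumption (the comment just greps 'logged in').
SAMPLE_CSV = """\
Warning,Connection,2014/08/03 21:10:17,SYSTEM,User [root] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:19,SYSTEM,User [root] from [111.74.239.52] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:11:02,SYSTEM,User [admin] from [222.186.1.9] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:12:40,SYSTEM,User [sh] from [115.230.7.7] failed to log in via [SSH] due to authorization failure.
Information,Connection,2014/08/03 22:01:05,SYSTEM,User [clebio] from [192.168.1.20] logged in successfully via [SSH].
Warning,Connection,2014/08/03 22:03:11,SYSTEM,User [root] from [202.96.2.2] failed to log in via [SSH] due to authorization failure.
"""

# Pulls user, source IP, outcome and service out of the free-text message field.
EVENT_RE = re.compile(
    r"User \[(?P<user>[^\]]+)\] from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"(?P<outcome>failed to log in|logged in)\b.*?via \[(?P<service>[^\]]+)\]"
)

# Ranges from which a successful login is expected (assumed: RFC 1918 home LAN).
TRUSTED_PREFIXES = ("192.168.", "10.")


def parse_events(text):
    """Parse the CSV export into dicts; rows that are not login events are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue
        m = EVENT_RE.search(row[4])
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = row[2]
        ev["success"] = ev["outcome"] == "logged in"
        events.append(ev)
    return events


def block16(ip):
    """First two octets, mirroring `cut -d '.' -f -2` in the comment."""
    return ".".join(ip.split(".")[:2])


def summarize(events, trusted_prefixes=TRUSTED_PREFIXES):
    failed = [e for e in events if not e["success"]]
    succeeded = [e for e in events if e["success"]]
    return {
        "distinct_failed_ips": len({e["ip"] for e in failed}),
        "failed_by_block": Counter(block16(e["ip"]) for e in failed),
        "targeted_users": Counter(e["user"] for e in failed),
        "successful_logins": [(e["user"], e["ip"]) for e in succeeded],
        # The check a defender actually cares about: a success from outside the LAN.
        "untrusted_successes": [
            (e["user"], e["ip"]) for e in succeeded
            if not e["ip"].startswith(trusted_prefixes)
        ],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

Swap `SAMPLE_CSV` for `open("connection.csv").read()` to run it over a real export; a non-empty `untrusted_successes` list is the line worth acting on.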

~~~
tehaugmenter
Change the port your SSH is on to something other than 22.

~~~
clebio
Does obfuscation help with security? Or does it at least help with
identification in some way?

------
CamperBob2
I made the mistake of leaving a copy of my wallet.dat file on a Synology box
that had port 5000 open to the net for the Surveillance Station app.

Pro tip: don't do that.

~~~
xorcist
Stop teasing us! How much was in there?

~~~
CamperBob2
Enough to get my attention (bigtime), but not enough to hurt.

------
archagon
A year or so ago, my Synology NAS got hacked by a Bitcoin mining virus. I only
discovered it because a tech blogger tweeted about it and I happened to see
it. My Synology was out of date and the virus must have exploited a
vulnerability without any action on my part. Without knowing what to look for,
the virus was effectively invisible. Given that I'm probably in the top 1% of
tech savvy people, imagine how many others must have gotten infected! (I
contacted Synology tech support and suggested that they send out an e-mail to
their users, but they never responded.)

Unfortunately, last I checked, it's still impossible to have a Synology NAS
automatically update itself.

~~~
m_t
That was a kinda "funny" virus. I got it too. How did I find out about it? The
fans kept spinning. Usually my syno is really quiet, you can only hear the
drives. But that mining exploit made the cpu > 90% and the fans had to do
their job.

So after a quick search, I discovered what it was all about, and some days
later Synology released a nice update that got rid of it.

You can't auto update, that's true, but you can receive an email alert for each
new release of the DSM. You can also do that for each package installed. So,
all in all, that's good for me: I don't want my NAS to auto update when I'm not
there, as I also usually wait a week or two before updating.

------
ksec
I was just about to post something similar. Although I was lucky not to have
the Cryptolocker or Synolocker.

My syslog shows a few people have accessed my NAS this month.

This is worrying.

~~~
baconhigh
Why is it open to the internet?

Don't do that.

You say it was "behind your router" but I think you've specifically opened
ports to your NAS (or you have some sort of NAT and the NAS has done it)

Restrict access (if you _must_ open it to the internet, open to only specific
IP addresses) or better yet disable it, and use an ssh port-forward if you
really have to get to it.

~~~
macNchz
I don't have any Synology products, but I have a few things on my home network
that I like having access to remotely, and my solution has been to put a
Raspberry Pi running dyndns and OpenVPN between my home network and the open
internet. This way I only need to make sure the Pi is up to date and that
OpenVPN is configured and hardened properly, and my potential attack surface
area doesn't change no matter how many things I add to my network that I want
to access remotely.

------
jontro
It would be very interesting to know how this happened, I guess this is the
downside of using wide spread products.

~~~
elorant
Usually these types of machines have a web interface so that you can connect
to your backups remotely. Once you plug it into a router or a home network it
sits there waiting for someone to log-in. And as the saying goes, anything
that’s connected to the Internet will eventually be hacked. Either it was
misconfigured or there is an exploit in the wild.

------
hjuutilainen
One forum post mentions this too:
[http://forum.synology.com/enu/viewtopic.php?f=3&t=88716](http://forum.synology.com/enu/viewtopic.php?f=3&t=88716)

------
foxhedgehog
I have my synology hooked up to the net and have seen a LOT of attempts in
the past few weeks to log into root / sh from what look to be Chinese IPs.

~~~
cpncrunch
This is pretty normal for ANY device connected to the internet. I configure
all my servers (including my synology box) to only allow ssh logins from
certain IP addresses.

~~~
walshemj
I had a server running on a bare AWS IP address that was never publicised and
only ran ssh and a custom node.js server. I saw tons of dodgy attempts from
Russian and Chinese IPs.

------
voltagex_
Just a warning, watch which Twitter accounts you click on in that stream -
some very graphic Gaza/Syria imagery in there.

------
junto
As a first response, stop the port forwarding on your router.

Then wait for more info from Synology. I generally don't connect mine to the
internet (inbound). I don't like the risks involved.

------
atmosx
I wonder how many tech-savvy users have a complete reporting firewall,
controlling in/out connections at home as opposed to a router with a custom
password attached online.

~~~
chrishas35
I've been pondering the idea of a more feature-rich router/firewall device for
my home connection. Something that would, like you say, report, log, audit,
etc. Any suggestions for specific models to look at?

~~~
PhantomGremlin
I happily run OpenBSD as my firewall. It's developed by competent people who
care about what they are doing and who take pride in their work. But it's
general purpose Unix, it's not just a firewall or router.

Which means that it's more work to administer than something developed as a
dedicated router or firewall.

Also I'm running on a generic x86 computer. I pay about $1/yr per watt drawn
24x7, which means my firewall costs me about $80/yr just in electricity. A
smaller "appliance" type firewall would certainly have much lower operating
costs.

Sorry I don't have any suggestions more tailored to your request. I'm just
letting you know what works for me.

~~~
voltagex_
Wow, what's your price per kWh and what (rough) location?

~~~
me1010
8760 hours = 1 year

So...

a 1 Watt device running 24x7 = 8.760 kWh

billed at about $0.40/kWh [includes both generation and delivery and normal
for NE USA - ain't deregulation great?!] ~ $3.50 per year.

In order to get to $1.00, total cost per kWh must be about $0.114 ...

~~~
voltagex_
Thanks, turns out I've had the wrong maths for this in my head for years!

------
vomitcuddle
I'm guessing this only affects you if you have their EZ-Internet service
enabled that exposes the NAS to the public internet. Or if you exposed it
yourself on your firewall.

I've had a Synology NAS for almost a year now. I really like the UI, but the
software stack they're using under the hood (Apache, PHP, MySQL, etc.) has a
massive attack surface, if not routinely kept up-to-date.

Here's an nmap trace from my Synology DiskStation:

    amber@leysritt ~ % nmap -A <redacted>
    Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-03 23:06 BST
    Nmap scan report for <redacted>
    Host is up (0.011s latency).
    Not shown: 987 closed ports
    PORT     STATE SERVICE     VERSION
    22/tcp   open  ssh         OpenSSH 5.8p1-hpn13v11 (protocol 2.0)
    | ssh-hostkey:
    |   1024 <redacted> (DSA)
    |   2048 <redacted> (RSA)
    |_  256 <redacted>  (ECDSA)
    80/tcp   open  http        Apache httpd
    |_http-generator: ERROR: Script execution failed (use -d to debug)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 301)
    |_http-title: Did not follow redirect to http://<redacted>:5000/
    111/tcp  open  rpcbind     2-4 (RPC #100000)
    | rpcinfo:
    |   program version   port/proto  service
    |   100000  2,3,4        111/tcp  rpcbind
    |   100000  2,3,4        111/udp  rpcbind
    |   100003  2,3         2049/udp  nfs
    |   100003  2,3,4       2049/tcp  nfs
    |   100005  1,2,3        892/tcp  mountd
    |   100005  1,2,3        892/udp  mountd
    |   100021  1,3,4      33154/tcp  nlockmgr
    |   100021  1,3,4      38187/udp  nlockmgr
    |   100024  1          44039/tcp  status
    |_  100024  1          53309/udp  status
    139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: REDACTED)
    161/tcp  open  snmp?
    445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: REDACTED)
    515/tcp  open  printer
    548/tcp  open  afp         Netatalk 2.2.3 (name: redacted; protocol 3.3)
    | afp-serverinfo:
    |   | Server Flags: 0x8f79
    |   |   Super Client: Yes
    |   |   UUIDs: Yes
    |   |   UTF8 Server Name: Yes
    |   |   Open Directory: Yes
    |   |   Reconnect: No
    |   |   Server Notifications: Yes
    |   |   TCP/IP: Yes
    |   |   Server Signature: Yes
    |   |   ServerMessages: Yes
    |   |   Password Saving Prohibited: No
    |   |   Password Changing: No
    |   |_  Copy File: Yes
    |   Server Name: redacted
    |   Machine Type: Netatalk2.2.3
    |   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
    |   UAMs: Cleartxt Passwrd, No User Authent, DHX2, DHCAST128
    |   Server Signature: redacted
    |   Network Address 1: redacted
    |_  UTF8 Server Name: redacted
    631/tcp  open  ipp         CUPS 1.5
    | http-methods: Potentially risky methods: PUT
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Not Found - CUPS v1.5.4
    2049/tcp open  nfs         2-4 (RPC #100003)
    3689/tcp open  daap        mt-daapd DAAP 0.2.4.1
    5000/tcp open  http        Apache httpd
    |_http-generator: ERROR: Script execution failed (use -d to debug)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 302)
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-title: Did not follow redirect to https://redacted:5001
    5001/tcp open  ssl/http    Apache httpd
    |_http-generator: ERROR: Script execution failed (use -d to debug)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 301)
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-title: Did not follow redirect to https://redacted/webman/index.cgi
    | ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./stateOrProvinceName=Taiwan/countryName=TW
    | Not valid before: REDACTED
    |_Not valid after:  REDACTED
    |_ssl-date: REDACTED
    | tls-nextprotoneg:
    |   spdy/3
    |   spdy/2
    |   http/1.1
    |_  x-mod-spdy/0.9.4.2-465a04f
    Service Info: OS: Unix

    Host script results:
    |_nbstat: NetBIOS name: redacted, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery:
    |   OS: Unix (Samba 3.6.9)
    |   Computer name: redacted
    |   NetBIOS computer name:
    |   Domain name:
    |   FQDN: redacted
    |_  System time: redacted
    | smb-security-mode:
    |   Account that was used for smb scripts: guest
    |   User-level authentication
    |   SMB Security: Challenge/response passwords supported
    |_  Message signing disabled (dangerous, but default)
    |_smbv2-enabled: Server supports SMBv2 protocol

    Service detection performed. Please report any incorrect results at
    http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 40.47 seconds

It's sad that most of the open-source NAS solutions are so bad compared to
their commercial counterparts. FreeNAS (and related forks) sacrifice too much
flexibility and don't offer anything that you can't easily do yourself with a
Linux/BSD server distro.

I'd love to work on an open-source, security-oriented, user-friendly DSM
"clone" with the right kind of people. If this sounds like fun or it sounds
like something you're currently working on - shoot me an email:
amber@fastmail.jp

I also wish there was such a thing as a nice, inexpensive ARM board (~$100)
with plenty of SATA ports and upgradable RAM (so you can run huge ZFS pools on
it) that you can install your own OS on...

~~~
NoMoreNicksLeft
I have a dumb question: How are they using ZFS on these? I thought ZFS was
incompatible with GPL, which was a stumbling block for implementing it in
linux. Don't tell me they're using FUSE.

Or do these NAS machines all run some BSD variant?

~~~
yardie
Most of these appliances aren't using ZFS. They are using mdadm with ext4.

------
based2
[http://www.cvedetails.com/vendor/11138/Synology.html](http://www.cvedetails.com/vendor/11138/Synology.html)

~~~
chmars
My favorite Synology vulnerability from the linked list:

'The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1
has a hardcoded root password of synopass, which makes it easier for remote
attackers to obtain access via a VPN session.'

[http://www.cvedetails.com/cve/CVE-2014-2264/](http://www.cvedetails.com/cve/CVE-2014-2264/)

------
mkhalil
I hate to see things like this. I feel horrible for anyone who has to face the
realization that they're going to actually have to pay an online terrorist money
to get their data back.

Here's to hoping this will only make the tech industry invest more into
security, especially for consumer products which are often neglected. Sad that
stuff like this needs to happen, but it's the cost we pay.

------
jarnix
I don't understand how he got hacked. Anyway, there is a service like fail2ban
on the Syno.

------
hjuutilainen
And the plot thickens. Synology acknowledged on Facebook and customers are not
happy:
[https://www.facebook.com/synology/posts/10152343606857897](https://www.facebook.com/synology/posts/10152343606857897)

~~~
eduo
Doesn't this actually un-thicken the plot? :)

------
antr
Wow, I was just about to buy a Synology this coming week and now I have second
thoughts. Now more than ever I'm certain that having _only_ Drobo/Synology is
not a good backup solution, but having a backup of the backup is equally
important.

~~~
the_ancient
1. Never expose it to the internet... Use a VPN if you have to access it from
outside your network. Most home routers support VPNs, so there is no reason
not to.

2. You should always have 3 copies of data: 1 working, 1 local backup and 1 geo
diverse backup (i.e. a SpiderOak, CrashPlan, or even a friend's house). Most
people forget the 3rd, but what happens if your house burns down?

3. You should have a completely cold backup of important data. This could be
an external hard drive that is only plugged in when backups are done, DVDs,
a tape drive, or something else, but whatever it is it should not be accessible
to the system without manual intervention; this will prevent scripts from
deleting everything.

~~~
Nexxxeh
Why can't your offsite backup also be your offline backup?

~~~
gambiting
We have this problem at our company where the fastest internet our company can
possibly get is 20 Mbps down/4 Mbps up, and we make ~20GB of backups each day.
Absolutely impossible for us to upload all of it to a server offsite
overnight.

------
achillean
Looks like there are at least 150 affected devices:
[https://www.shodan.io/search?query=title%3Asynolocker](https://www.shodan.io/search?query=title%3Asynolocker)

------
mschuster91
I'm waiting for this bullshit to appear on ordinary routers...

~~~
mkhalil
They wouldn't really have anything to hold ransom. Routers usually have
hardware reset switches in the back too. Not saying it's not possible, but
little to gain by holding it ransom. If they hacked the router, they'd be
doing the kind of things they WON'T inform you about, like man in the middle
attacks stealing everything from all your user/passwords to
credit/bank/personal info.

~~~
mschuster91
Well, the reset switch usually causes the bootloader to reformat the volatile
partition of the flash.

But there's nothing to stop an attacker from rewriting the "write protected"
areas like e.g. a firmware update does.

Consider that many routers these days come with NAS or MediaServer
functionality... and thus are a valid target for hackers.

Furthermore, they are often directly connected to the Internet, and there have
been _numerous_ remote-root exploits for cheap Chinese knock-offs as well as
for highly praised manufacturers like AVM.

~~~
munin
so they hold your router hostage. then what? you buy another one. whatever.

~~~
meowface
Again, the dangerous part isn't holding it hostage, it's what they can do to
it without you noticing. They can intercept all your network traffic, redirect
websites you visit to a server they control, etc.

------
pwelch
I have a Qnap and they are pretty similar to Synology. Wonder if there is a
similar attack against them.

Also curious if this was linked directly to the internet.

~~~
voltagex_
Quite possibly. Run an internal and external nmap scan against your device so
you at least know the attack surface.

------
foxhedgehog
Looks like you gain access to firewall and other security tools if you upgrade
the DSM to the latest version.

------
gadtron
To recover your Synology NAS device's data from the SynoLocker virus, you can
call me at:

+65 9762 7078

------
shALKE
That's why I use a firewall in front of it.

------
NietTim
Holy shit, after seeing these comments I'm never buying synology

~~~
junto
I'm not sure that's entirely fair. No internet device is infallible. Other NAS
vendors have had similar levels of bugs leading to exploits.

QNAP [1], FreeNAS [2], WDC [3] and Seagate [4] for example all have their own
issues. Added to that, any device that is insecurely configured by default [5]
is going to get hacked.

FreeNAS is open source. It has exploits, though it's notably easier for savvy
customers to dig into why they got hacked in the first place.

The real question here is why people need to expose their NAS drives to the
internet. I personally don't have a fast enough internet connection to make
hosting anything useful. Notably I did try and share my photos with friends
and family, but the upload on my DSL is so dire it was a painful experience
for all involved.

- [1] [http://www.cvedetails.com/vendor/10080/Qnap.html](http://www.cvedetails.com/vendor/10080/Qnap.html)
- [2] [http://www.cvedetails.com/vendor/9964/Freenas.html](http://www.cvedetails.com/vendor/9964/Freenas.html)
- [3] [http://www.cvedetails.com/product-list/vendor_id-12782/WDC.html](http://www.cvedetails.com/product-list/vendor_id-12782/WDC.html)
- [4] [http://www.cvedetails.com/product-list/vendor_id-11967/Seagate.html](http://www.cvedetails.com/product-list/vendor_id-11967/Seagate.html)
- [5] [http://www.drobospace.com/forums/showthread.php?tid=141894](http://www.drobospace.com/forums/showthread.php?tid=141894)

------
wyred
If a few guys ran a Synology NAS with terabytes of dummy data, let the
ransomware do its job, rinse and repeat, would we be able to inflict a huge
storage bill on the datanappers? If their storage limit got maxed out, would
it stop the ransomware from working?

~~~
dagw
The ransomware doesn't copy any data off the NAS, it simply encrypts it in
place. When you've paid up, they send you the key to decrypt your data.

~~~
BozeWolf
"they send you the key"

_If_ they send the key. If I was a criminal, I would minimise contact with
the victims.

~~~
dagw
I gather that historically at least they almost always send the key. At the
end of the day they're a business like any other and a few bad reviews will
kill their revenue stream. However if they are known to offer fast replies and
support, it's a lot easier to convince people to pay up.

~~~
junto
Seems so ironic:

Bad guys' ransomware business dependent on good reviews from 'paying
customers' whilst processing support requests for 'license keys' in a timely
manner.

~~~
pistle
"Quick response and delivery. Decrypted as listed in the instructions. Would
do business again! 5-stars! Best hackers on eHack."

