War on Error

John E. Dunn

SynoLocker NAS ransomware - was February 'PWNED' attack a warning of trouble?

SynoLocker was not the first malware to target a serious software vulnerability in DiskStation software

Could the unprecedented attack on users of Synology’s DiskStation NAS storage drives by ransom malware have been stopped before it occurred? There is an argument that the answer to this question is an emphatic ‘yes’ although the company is unlikely to advertise such hindsight.

The start of the trouble was a security vulnerability, CVE-2013-6955, published in the US National Vulnerability Database in December 2013 with the top CVSS severity rating of 10.0, which could allow an attacker to bypass security controls and gain full access to the affected drive’s files. To be precise, it affected Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1.

As one of numerous security flaws found in popular software products, the issue would have passed unnoticed even by many security watchers. Unfortunately, it appears that an unknown number of Synology owners also ignored the flaw or were not aware of it.

This highlights a big problem - there is no automatic mechanism for updating vulnerable software on this type of device, as there would be for most desktop software. Synology does inform users of updates and warns of vulnerabilities, but applying the update is left to the user.

We now know that Russian criminals noticed the flaw even if Synology’s NAS users didn’t. Meanwhile Synology DiskStation users wouldn’t have anticipated an attack of the sort tried by the creators of SynoLocker because no such attack had (to the best of our knowledge) ever been tried before. The attackers exploited the element of surprise.

An interesting aspect of Synology’s fix, when it arrived in February, is that the notification warned of strange behaviour by DiskStation products. To quote from the official release dated 14 February, which mentioned high CPU usage on drives:

“CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names.”

It also warned of other odd symptoms, including page redirection, the appearance of unexpected files and non-Synology scripts under nested paths on the drive.
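As an added example (not code from the article or from Synology), here are the two checks a DiskStation owner would want from the passages above: a version test against the CVE-2013-6955 affected ranges quoted earlier, and a scan of a process listing for the names given in the 14 February notice. The DSM version string layout "MAJOR.MINOR-BUILD Update N", the `ps -eo pid,comm` output layout and the sample process list are assumptions; the process list is constructed for the example, not a real capture.

```python
import re

# Affected DSM ranges for CVE-2013-6955, as listed in the NVD entry quoted above:
#   4.0 before 4.0-2259, 4.2 before 4.2-3243, 4.3 before 4.3-3810 Update 1.
# Each branch maps to the first fixed (build, update) pair.
FIXED_BUILDS = {
    "4.0": (2259, 0),
    "4.2": (3243, 0),
    "4.3": (3810, 1),
}

# Assumed DSM version layout: "MAJOR.MINOR-BUILD", optionally followed by "Update N".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)(?:\s+Update\s+(\d+))?$")


def parse_dsm_version(text):
    """Split 'MAJOR.MINOR-BUILD [Update N]' into (branch, build, update)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised DSM version string: %r" % text)
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable_cve_2013_6955(version_text):
    """True if inside an affected range, False if at or after the fix,
    None if the branch is not covered by the advisory ranges above."""
    branch, build, update = parse_dsm_version(version_text)
    if branch not in FIXED_BUILDS:
        return None
    return (build, update) < FIXED_BUILDS[branch]


# Process-name indicators from Synology's 14 February notice quoted above.
NAMED_INDICATORS = {"dhcp.pid", "minerd", "synodns", "PWNED", "PWNEDb", "PWNEDg", "PWNEDm"}


def find_suspicious_processes(ps_lines):
    """Scan `ps -eo pid,comm`-style output; return [(pid, name, reason), ...].

    Names are matched exactly against the notice's list, plus the notice's
    catch-all rule that any process with PWNED in its name is suspect. Exact
    matching keeps legitimate daemons with similar names (e.g. dhcpcd) out.
    """
    hits = []
    for line in ps_lines:
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, name = int(fields[0]), fields[1]
        if name in NAMED_INDICATORS:
            hits.append((pid, name, "listed in Synology notice"))
        elif "PWNED" in name:
            hits.append((pid, name, "contains PWNED"))
    return hits


# Constructed sample listing (not a real capture) in `ps -eo pid,comm` layout.
SAMPLE_PS = """\
  PID COMMAND
    1 init
  842 synoscgi
 1203 minerd
 1337 PWNEDg
 1500 dhcpcd
 2011 PWNED-worker
 2099 sshd
"""


def triage(version_text, ps_output):
    """Run both checks and return a dict summarising the result."""
    return {
        "dsm_version": version_text,
        "vulnerable": is_vulnerable_cve_2013_6955(version_text),
        "hits": find_suspicious_processes(ps_output.splitlines()),
    }


if __name__ == "__main__":
    result = triage("4.3-3810", SAMPLE_PS)
    print("DSM %s vulnerable to CVE-2013-6955: %s" % (result["dsm_version"], result["vulnerable"]))
    for pid, name, reason in result["hits"]:
        print("PID %5d  %-14s %s" % (pid, name, reason))
```

Run it against the version shown in DSM's control panel and a saved `ps` listing from the box. A `None` result means the branch (4.1, say) is outside the ranges the advisory names, not that it is safe; and a clean process scan only says the miner is not running now, so it should be paired with the file-system checks the notice describes.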

It turns out that this attack was a Bitcoin (or Dogecoin) miner exploiting the flaws to run currency-generating software, but the important point is that Synology drives were being remotely targeted months ago on the back of CVE-2013-6955 and another flaw, CVE-2013-6987.

The attackers were also using other compromised network devices (such as surveillance PVRs) to search for unpatched NAS boxes vulnerable to the attack - surely a proof of concept for future attacks. That criminals were interested in targeting NAS devices was out in the open.

As for this week’s SynoLocker attack, Synology told Techworld that the number of affected users in the UK, Ireland and Scandinavia is small, perhaps only 25 cases. Of course the victim count will be higher; not everyone will have reported the issue directly to the firm while others might not yet realise they have been affected. No figures have been released yet for the US.

A key point is that it has not yet been confirmed how the attackers are finding and infecting unpatched drives. It could be remotely (Synology DiskStations can be configured for Internet access using EZ-Internet), via an infected PC, or both. Until we know, any estimate of victim numbers is guesswork.

NAS vendors and users need to heed the warning. Update notification should be the default setting while updates themselves should be configured to download automatically.  Users should keep backups of the NAS drives and not assume that the drives are the backup. Personally, I would turn off Internet access to the drive as a precaution.

Most importantly of all, users must assume that any device holding files is at risk of attack from the extortion industry, whether it is Internet-facing or not.
