SynoLocker was not the first malware to target a serious software vulnerability in DiskStation software

Could the unprecedented attack on users of Synology’s DiskStation NAS storage drives by ransom malware have been stopped before it occurred? There is an argument that the answer to this question is an emphatic ‘yes’ although the company is unlikely to advertise such hindsight.

The start of the trouble was a security vulnerability, CVE-2013-6955, made public in the US National Vulnerability Database in December 2013 with the top severity rating of ‘10’, which could allow an attacker to bypass security and gain full access to the affected drive’s files.  This affected the Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1, to be precise.

As one of the numerous security flaws found in popular software products, the issue would have gone unnoticed even by security watchers. Unfortunately, it appears that an unknown number of Synology owners also ignored or weren’t aware of the flaw either.

This highlights a big problem - there is no automatic mechanism for updating vulnerable software on this type of device as would be the case on most desktop software. Synology does inform users of updates, warning of vulnerabilities, but the decision to update is necessarily optional.

We now know that Russian criminals noticed the flaw even if Synology’s NAS users didn’t. Meanwhile Synology DiskStation users wouldn’t have anticipated an attack of the sort tried by the creators of SynoLocker because no such attack had (to the best of our knowledge) ever been tried before. The attackers exploited the element of surprise.

An interesting aspect of Synology’s fix when it arrived in February is that is the notification warned of strange behaviour by DiskStation products. To quote from the official release dated 14 February that mentioned high CPU usage on drives:

“CPU resource occupied by processes such as, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names.”

It also warned of other odd symptoms, including page redirection, the appearance of unexpected files and non-Synology scripts under nested paths on the drive.

It turns out that this attack was a Bitcoin (or Dogecoin) miner attempting to exploit the flaws to run currency-generating software but the important point is that Synology drives were being remotely targeted months ago on the back of CVE-2013-6955 and another flaw, CVE-2013-6987.

The attackers were also using other compromised networks devices (such as surveillance PVRs) to search for unpatched NAS boxes vulnerable to the attack - a proof of concept for future attacks surely. That criminals were interested in targeting NAS devices was out in the open.

As for this week’s SynoLocker attack, Synology told Techworld that the number of affected users in the UK, Ireland and Scandinavia is small, perhaps only 25 cases. Of course the victim count will be higher; not everyone will have reported the issue directly to the firm while others might not yet realise they have been affected. No figures have been released yet for the US.

A key point is that it has not yet been confirmed how the attackers are finding and infecting unpatched drives. It could be remotely (Synology DiskStations can be configured for Internet access using EZ-Internet) or via an infected PC, or both. Until we know, estimating victim numbers is hypothetical.

NAS vendors and users need to heed the warning. Update notification should be the default setting while updates themselves should be configured to download automatically.  Users should keep backups of the NAS drives and not assume that the drives are the backup. Personally, I would turn off Internet access to the drive as a precaution.

Most importantly of all, users must assume than any device holding files is at risk of attack from the extortion industry whether it is Internet-facing or not.